Dangerous viruses and hackers can often sneak into a system and spy on it unnoticed. Such an attack can only be discovered with special tools. We’ll introduce one of the best and show you how to protect yourself with it.
Is your PC compromised?
Your antivirus software should detect, block and delete every PC virus on your computer. But attackers repeatedly succeed in outsmarting the security software. The hostile code then often remains unnoticed in the system for months or even years and repeatedly gives the attacker secret access to your data and your system. In such cases the pest is not easy to find, but it is possible, for example via an analysis of the active processes, or by looking for specific symptoms that we explain in the online post.
There is a professional method that can be used to track down even the most sophisticated PC malware. With the Microsoft tool Sysmon you can log every conceivable process in the system and become aware of code that is performing undesirable actions. Sysmon was developed in 2014 by software architect Mark Russinovich to detect attacks on systems. It is part of the popular Windows Sysinternals suite.
Sysmon, however, is not a defense tool that can block an attack. Rather, it is meant to record suspicious activities on the computer in a log and thus draw attention to malicious code.
One difficulty with such logs is the huge amount of activity that takes place on a normal Windows system. The system continuously starts processes, accesses files or configuration databases, terminates processes or queries details on the Internet. It is usually time-consuming and requires some experience to later fish the suspicious actions out of this mass of log data. In this article we want to provide assistance with two specific examples.
How to install Sysmon on your system
Start the Windows command prompt with administrator rights. To do this, click on the Windows logo, type the command, and you will see this menu.
The Sysmon tool works as a system service and does not offer a graphical user interface. It is available in a version for Windows 32 bit (Sysmon.exe) and 64 bit (Sysmon64.exe). To install, start a command prompt with admin rights.
To do this, click on the Windows icon and type command prompt. Select “Run as administrator” in the start menu. In the command prompt, use cd to change to the folder in which you have unpacked Sysmon.
When you run the tool for the first time, you still have to click to confirm the license agreement. However, this can be suppressed with the parameter “accepteula”:
sysmon64 -accepteula -i
Sysmon is not only installed now, it is already running with its default settings. However, these do not yet log many actions. We describe how to change this below, after we have dealt with the Sysmon log.
Here’s how to look at the Sysmon log
This is what the Sysmon installation command looks like on a 32-bit system. If you are using a 64-bit system, use the sysmon64 command. The parameter i stands for “install”, and “accepteula” accepts the license agreement.
Sysmon saves its log in the Windows Event Viewer. The Event Viewer is also used as a logging program by Windows itself and by some other tools. It not only serves as storage space for the log files, but also helps with the evaluation through filters and search functions. The following applies to most large log files: they are a treasure trove of information, but mostly you cannot see the forest for the trees. The sheer volume of log entries makes evaluation difficult. If you have had little contact with the Event Viewer, you can read up on this tool in our detailed guide.
Start the Windows Event Viewer via “Windows icon -› Windows Administrative Tools -› Event Viewer”. In the left area of the program, switch to the folder “Applications and Services Logs -› Microsoft -› Windows -› Sysmon -› Operational”. This folder is only available if you have already installed Sysmon.
In the middle area you can see the individual log entries sorted by date and time. If you click on an entry in the list, its content is displayed in the area below. For many entries, the information under “General” is longer than what is displayed. Click in the field and scroll through all the information with the mouse. If you have started Sysmon without any special configuration, mostly event IDs 1 and 5 appear in the log. 1 stands for the start of a new process and 5 for the termination of one.
The event viewer with its areas: on the left you see a folder structure in which the various logs can be found, in the middle a selected log is displayed and on the right there are functions of the tool.
On the right side of the Event Viewer you will see the “Actions” pane. There you can temporarily disable the log, save it, refresh it and more. Also keep an eye on the size of the log later. To do this, click the “Sysmon” folder on the left rather than “Operational”. If you later configure Sysmon so that it records as many events as possible, the log can quickly become very extensive.
This is what the event IDs in the Sysmon log mean
Visit the Sysmon website to find out what each event ID in the Sysmon log means. You can also find a brief description of the IDs in the table.
In order to find interesting entries in the Sysmon log, you need to know what they mean. Only then can you specifically look for the entries that, for example, show you access to the Internet. On the Sysmon website you will find all relevant event IDs explained. A short version of the information can be found in the table.
How to configure the system monitor Sysmon
If you start Sysmon with the command shown above, the tool only logs a few categories of events.
However, you can have further events recorded via configuration files. These are plain text files with the extension .xml, for example Config.xml.
To install Sysmon with the configuration from this file, use this command in the command prompt:
sysmon64 -accepteula -i Config.xml
If Sysmon is already installed, change its configuration with the parameter c:
sysmon64 -c Config.xml
If you want to see the current configuration of Sysmon, just type the parameter c without a file name:
sysmon64 -c
You can restore the default configuration at any time with the parameter c followed by -. This results in two minus signs without spaces in the command line:
sysmon64 -c --
The big challenge when using Sysmon lies in the configuration of the tool. You could just let Sysmon record everything, but you would get such a large log file that it would be even more difficult to find what you want in it. If you still want to try it out, you can test the configuration file linked here. It logs everything except event ID 22, which was only introduced after the configuration file was created. Complete logging is not recommended, however. It is wiser to exclude all those events that are most likely caused by harmless processes. You will find a good, but English-language, introduction to the topic of Sysmon configuration.
You will now find two examples of configurations below.
Example 1: How to Log DNS Queries
Malicious code on the PC will sooner or later establish a connection to the Internet. It either wants to upload stolen information or fetch new code from the Internet. Backdoors also send data to the Internet, if only the current IP address of the infected network, so that the attacker can then reach the backdoored PC from outside.
With Sysmon you can log most accesses to the Internet, because Sysmon monitors queries to DNS servers. The tool registers whenever a process has the IP address for a web address resolved.
In the Windows Event Viewer you can also see how big the Sysmon log has already become. To do this, click on the left on the folder “Applications and Services Logs -› Microsoft -› Windows -› Sysmon”.
To record specific DNS queries with Sysmon, you need a configuration file that you specify when you install Sysmon or that you activate afterwards.
On this website you will find the lean Sysmon DNS configuration provided by security specialist Didier Stevens. We have given the configuration file the name dns-lookup.xml. Start Sysmon with the following command in a command prompt with administrator rights:
Sysmon -i dns-lookup.xml
The configuration file dns-lookup.xml must be in the same folder as Sysmon or be given with a path. Sysmon now also saves DNS queries in the Windows Event Viewer. Important: on a PC in productive use, DNS logging will produce a large number of entries. Many online tools, such as the Dropbox client, Teams or Outlook, regularly query the DNS server and fill the log.
The Firefox and Chrome browsers use their own DNS cache and DNS lookup methods that Sysmon does not record. Sysmon only partially records the surfing behavior of browser users, but that’s not what the tool is designed for.
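As an added example that is not part of the article and is not Didier Stevens' configuration, the following PowerShell script writes a minimal DNS-logging configuration that excludes the noisy clients the article names, loads it with the c parameter, and then tallies the resulting event ID 22 entries per process and queried name so the log becomes readable. The schema version and the three process file names are assumptions; check which schema your Sysmon build expects with sysmon64 -? config.

```powershell
# Added example (not from the article, not Didier Stevens' file): write a minimal
# DNS-logging configuration, load it, then summarise the event ID 22 entries.
# Assumptions: schemaversion 4.22 and the three process names. Check the schema
# your Sysmon build expects with:  sysmon64 -? config
$config = @'
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="dns-noise" groupRelation="or">
      <!-- onmatch="exclude": log every DNS query except the ones matched here -->
      <DnsQuery onmatch="exclude">
        <Image condition="end with">\Dropbox.exe</Image>
        <Image condition="end with">\Teams.exe</Image>
        <Image condition="end with">\OUTLOOK.EXE</Image>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path .\dns-lookup.xml -Value $config -Encoding ASCII

# Apply it to the installed service (run in an elevated prompt, in the Sysmon folder).
.\sysmon64.exe -c .\dns-lookup.xml

# Read the DNS events back and turn them into a per-process, per-name tally,
# which is far easier to scan than the raw list in the Event Viewer.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 22
} -MaxEvents 5000 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Sysmon stores each field as <Data Name="...">value</Data> in the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Image     = $data['Image']
        QueryName = $data['QueryName']
        Results   = $data['QueryResults']
    }
}

# Processes that resolve names you do not recognise are the ones to look at first.
$rows | Group-Object Image, QueryName |
    Sort-Object Count -Descending |
    Select-Object -First 30 Count, Name |
    Format-Table -AutoSize
```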
Example 2: Complete monitoring of important events
You can also configure Sysmon so that the tool logs as many events as possible that indicate malicious code or hacking activity. Of course, it also records all harmless actions. The log file is therefore very large. However, it is a good starting point for searching for unknown malware in your own system.
The security expert SwiftOnSecurity has published a corresponding configuration file on Github; its filename is sysmonconfig-export.xml. The advantage of this file is that almost all instructions come with explanatory comments. It is therefore also a kind of guide that will familiarize you with the capabilities of Sysmon. Start Sysmon with the following command in a command prompt with administrator rights, provided Sysmon, the configuration file and the command prompt are in the same folder.
sysmon64 -i sysmonconfig-export.xml
If Sysmon is already active, use this command to update the configuration:
sysmon64 -c sysmonconfig-export.xml
How to stop Sysmon and eliminate problems
If you want to stop the Sysmon log, you can do so in the Event Viewer. If you want to stop Sysmon completely, you can do this with the following command:
After that, no more log entries are created. Sysmon also deletes all logs that have already been created. If you want to save these for later analysis, you must select the “Operational” folder in the Event Viewer before stopping Sysmon. Then execute the command “Save All Events As” under “Actions” on the right. There you can also temporarily stop logging via “Disable Log”.
On our test computer, we observed stuttering in a video stream after activating Sysmon. The problem could be reproduced. But it only occurred when streaming from TV media libraries, for example from ARD and ZDF. We could not recreate the problem on Netflix or YouTube. If you have problems with video streaming while using Sysmon, it is best to deactivate Sysmon first, as just described.
Event ID and meaning:
1: A process is started.
2: A process changes the creation date of a file.
3: A network connection is established.
4: The Sysmon service state is changed.
5: A process is ended.
6: A driver is loaded.
7: A program image is loaded.
8: One process intervenes in another process (remote thread).
9: Read access in raw mode.
10: One process accesses another process.
11: A file is created or overwritten.
12: A registry entry is created or deleted.
13: A registry entry is changed.
14: A registry entry is renamed.
15: A file stream is created.
17: A “named pipe” is created.
18: A pipe connection is established.
19, 20, 21: WMI events take place.
22: A DNS query takes place.
23: A file is deleted.
255: Sysmon reports an error.