Sysmon becomes part of Windows

Mark Russinovich has announced that the diagnostic tool Sysmon will become part of Windows next year.


The Sysmon (System Monitor) tool from Sysinternals, valued by IT admins and security experts, is coming directly to Windows. This was announced by the tool's developer, Mark Russinovich, in one of his extremely rare blog posts on Microsoft Techcommunity.

Distributing and maintaining Sysmon across a network is a manual and time-consuming task, Russinovich explains there: the binaries have to be downloaded and rolled out to thousands of endpoints. That overhead also carries risk when it leads to delayed updates, and the lack of official support for Sysmon in production environments means additional risk and maintenance effort within one's own organization.

Sysmon is currently part of the Sysinternals tool collection, which Microsoft acquired long ago together with its creator, Russinovich. It is a monitoring tool that provides visibility into Windows events; IT admins and security experts use it to detect, for example, credential theft or lateral movement by attackers within the network, which makes it a powerful forensic tool.

Without giving a concrete date, Russinovich says that in the coming year Windows 11 and Windows Server 2025 will integrate Sysmon functionality natively into the operating system. Customized configuration files for filtering the captured events will continue to be supported. As before, the events will land in the Windows Event Log, where they can be consumed extensively, for example by security applications.


This is intended to improve Windows security as part of Microsoft's Secure Future Initiative (SFI) by reducing complexity and eliminating the delays caused by manual management. It also provides advanced security diagnostic data out of the box. Sysmon will be configurable via Windows Settings – “System” – “Optional Features.” According to Russinovich, the command sysmon -i will still be needed to install the driver and start the Sysmon service. Comprehensive documentation, for example on configuration, is expected to be released when the feature reaches general availability.
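To make the two points above concrete (a customized configuration file that filters which events Sysmon captures, and the events then being read back from the Windows Event Log), here is an added example written for this article; it is not code from heise, from Russinovich's post or from the Sysmon project. It uses the current Sysinternals configuration schema and command-line switches; the file path C:\Sysmon\sysmon-config.xml, the schema version 4.90, and the assumption that the built-in Windows version will accept the same switches as today's sysmon.exe are all assumptions to check against the documentation Microsoft releases with the feature.

```powershell
# Added example (not from the article or from the Sysmon project).
# Assumptions: path C:\Sysmon, schemaversion 4.90, and that the built-in
# Sysmon accepts the same "-i <config>" syntax as today's Sysinternals binary.

$configPath = 'C:\Sysmon\sysmon-config.xml'
New-Item -ItemType Directory -Path (Split-Path $configPath) -Force | Out-Null

# Minimal configuration: only the two detection cases the article mentions.
$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 10: a process opening a handle to lsass.exe (credential-theft indicator) -->
      <ProcessAccess onmatch="include">
        <TargetImage condition="end with">\lsass.exe</TargetImage>
      </ProcessAccess>
      <!-- Event ID 3: outbound connections to remote-admin ports (lateral-movement indicator) -->
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">3389</DestinationPort>
        <DestinationPort condition="is">5985</DestinationPort>
        <DestinationPort condition="is">445</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $configPath -Value $config -Encoding UTF8

# Install the driver and start the service with this filter (sysmon -i, as the article notes).
# Use "sysmon.exe -c <config>" instead to update the filter on an already installed service.
& sysmon.exe -accepteula -i $configPath

# Read the most recent ProcessAccess events (ID 10) back from the Sysmon channel in the Event Log
# and flatten the EventData fields so a security application (or an admin) can use them directly.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 10
} -MaxEvents 20 -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    [pscustomobject]@{
        Time          = $_.TimeCreated
        SourceImage   = $data.SourceImage
        TargetImage   = $data.TargetImage
        GrantedAccess = $data.GrantedAccess
    }
} | Format-Table -AutoSize
```

The include rules keep the event volume low on purpose: with onmatch="include", Sysmon records only what the rules name, so the Event Log holds the handful of events a responder actually wants to triage rather than every process start and connection on the host.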

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.