Manual installation is helpful to allow a rapid evaluation of Sysmon.

To deploy Sysmon at scale you will want to deploy via GPO or a purpose-built deployment infrastructure.

The following steps apply to a default installation (by default, Event ID 3 (Network connection) and Event ID 7 (Image loaded) are disabled, and no event filtering is applied).

Download Sysmon (version 9 at time of writing).

Extract to C:\Program Files

To install and enable Sysmon, run the command below:

sysmon.exe -accepteula -i

"-accepteula" accepts the End User Licence Agreement.

"-i" installs the service and driver.

Reboot of the host machine is not required.

The output of the above command:

To view the default configuration:

sysmon -c

The output of the above command:
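The procedure above, as an added PowerShell example (not from the original page): it runs the same install command only if Sysmon is not already present, then verifies the service, the kernel driver and the event log channel before printing the active configuration. It assumes Sysmon was extracted to C:\Program Files\Sysmon and that the 32-bit sysmon.exe is used (service name "Sysmon"; the 64-bit binary registers as "Sysmon64" instead).

```powershell
# Added example; assumes the extraction path below (not stated on the page).
$SysmonExe = 'C:\Program Files\Sysmon\sysmon.exe'

if (-not (Test-Path $SysmonExe)) {
    throw "sysmon.exe not found at $SysmonExe"
}

# Install only when the service is absent, so the script is safe to re-run.
$svc = Get-Service -Name 'Sysmon' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    & $SysmonExe -accepteula -i
    if ($LASTEXITCODE -ne 0) {
        throw "Sysmon install failed with exit code $LASTEXITCODE"
    }
} else {
    Write-Host "Sysmon service already installed (status: $($svc.Status))"
}

# The user-mode service must be running...
$svc = Get-Service -Name 'Sysmon' -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "Sysmon service is not running (status: $($svc.Status))"
}
Write-Host "Sysmon service : $($svc.Status)"

# ...and so must the kernel driver (queried via WMI, since Get-Service
# does not enumerate kernel drivers on Windows PowerShell 5.1).
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'"
if ($null -eq $drv -or $drv.State -ne 'Running') {
    throw 'SysmonDrv kernel driver is missing or not running'
}
Write-Host "SysmonDrv driver: $($drv.State)"

# Events are only recorded if the operational channel exists and is enabled.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction Stop
if (-not $log.IsEnabled) {
    throw 'Sysmon operational log is present but disabled'
}
Write-Host "Events recorded so far: $($log.RecordCount)"

# Dump the active configuration (the 'sysmon -c' step) so the default state,
# no filtering with Event IDs 3 and 7 off, can be confirmed before tuning it.
& $SysmonExe -c
```

Run from an elevated PowerShell session, since both the install and the configuration dump require administrative rights.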