
Windows - Software - Install SysInternals Sysmon

Installs and registers Microsoft Sysinternals Sysmon for advanced Windows endpoint monitoring

Worklet Details

What the Sysmon Installer does

This Automox Worklet™ installs Sysmon (System Monitor) from Microsoft Sysinternals on Windows endpoints. Sysmon logs detailed information about process creation, network connections, file creation time changes, and other security-relevant events to the Windows Event Log.

The Worklet downloads the latest Sysmon version directly from Microsoft Sysinternals and compares it against any existing installation. If an older version exists, the Worklet deregisters it before installing the new version. The Worklet supports custom XML configurations for fine-tuned event filtering.

Installation uses a consistent location (Program Files\SysInternals\Sysmon) and handles architecture differences automatically, selecting Sysmon64.exe for 64-bit systems. The Worklet accepts the Sysinternals EULA automatically during installation.

Why deploy Sysmon through Automox

Sysmon provides visibility into endpoint activity that standard Windows logging does not capture. Security teams use Sysmon logs for threat hunting, incident investigation, and detecting advanced attacks that evade traditional security tools.

Automating Sysmon deployment through this Worklet standardizes security monitoring across your fleet. The Worklet also keeps Sysmon current by checking for newer versions available from Microsoft and automatically upgrading when updates exist.

Custom XML configuration support allows you to implement organization-specific monitoring rules. You can exclude noisy events, focus on specific process types, or adopt published Sysmon configurations whose rules are tagged with the MITRE ATT&CK techniques they detect.

How Sysmon installation works

  1. Evaluation phase: The Worklet checks for an existing Sysmon installation at Program Files\SysInternals\Sysmon\Sysmon.exe (Sysmon.zip ships both Sysmon.exe and Sysmon64.exe, so this file is present regardless of which binary was registered). If found, it compares the local binary's creation date against the published release date from Microsoft's Sysinternals page. If the local version is older or Sysmon is not running, remediation proceeds.

  2. Remediation phase: The Worklet terminates any running Sysmon processes, deregisters previous installations using -u force, downloads Sysmon.zip from Microsoft, extracts to the install directory, optionally writes a custom XML configuration, and registers Sysmon with -i -accepteula (and -c config.xml if configured).
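The two phases above, written out as one PowerShell script. This is an added example, not the Worklet's own code; the install directory, the download URL, the sample configuration (including its schemaversion) and the evaluate/remediate entry-point convention (exit 0 = compliant) are assumptions. It departs from the description above in two places, deliberately: the version check compares the binary's file version resource rather than file creation dates, because a file's creation time is set when it is extracted on the endpoint and says nothing about which release it came from; and the configuration path is passed directly to -i, which is the install form in Sysmon's own usage text, rather than a separate -c.

```powershell
#Requires -RunAsAdministrator
# Added example (not Automox's Worklet code). Assumed: install dir, download URL, sample
# config, and that the evaluation phase signals non-compliance with a non-zero exit code.
param([ValidateSet('Evaluate', 'Remediate')][string]$Phase = 'Evaluate')
$ErrorActionPreference = 'Stop'

$InstallDir  = Join-Path $env:ProgramFiles 'SysInternals\Sysmon'
$DownloadUrl = 'https://download.sysinternals.com/files/Sysmon.zip'
$Exe         = if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64.exe' } else { 'Sysmon.exe' }
$ServiceName = [IO.Path]::GetFileNameWithoutExtension($Exe)   # Sysmon64 or Sysmon

# Constructed sample config: SHA256 hashes, drop Sysmon's own process-creation noise, and
# log only outbound connections to a few remote-admin ports. schemaversion is an assumption;
# it must not exceed what the installed binary supports ("$Exe -s" prints the schema).
$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="end with">\Sysmon64.exe</Image>
        <Image condition="end with">\Sysmon.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">22</DestinationPort>
        <DestinationPort condition="is">3389</DestinationPort>
        <DestinationPort condition="is">5985</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

function Get-FileVersion([string]$Path) {
    # File version resource of the binary (e.g. 15.15); $null when the file is absent.
    if (-not (Test-Path $Path)) { return $null }
    [version](((Get-Item $Path).VersionInfo.FileVersion -split '\s')[0])
}

function Get-LatestSysmon {
    # Download and unpack to a temp folder; the unpacked binary's version resource tells us
    # what Microsoft currently ships without scraping the Sysinternals web page.
    $root = Join-Path $env:TEMP ("sysmon-" + [guid]::NewGuid())
    $bin  = Join-Path $root 'bin'
    New-Item -ItemType Directory -Path $bin -Force | Out-Null
    Invoke-WebRequest -Uri $DownloadUrl -OutFile (Join-Path $root 'Sysmon.zip') -UseBasicParsing
    Expand-Archive -Path (Join-Path $root 'Sysmon.zip') -DestinationPath $bin -Force
    [pscustomobject]@{ Root = $root; Bin = $bin; Version = Get-FileVersion (Join-Path $bin $Exe) }
}

function Test-SysmonCompliant {
    # Evaluation phase: compliant only if installed, running, and at least the shipped version.
    $installed = Get-FileVersion (Join-Path $InstallDir $Exe)
    if (-not $installed) { return $false }
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { return $false }
    $latest = Get-LatestSysmon
    Remove-Item $latest.Root -Recurse -Force
    return ($installed -ge $latest.Version)
}

function Install-Sysmon {
    # Remediation phase: unregister any old copy, stage the new binaries, register with config.
    $latest = Get-LatestSysmon
    $oldExe = Join-Path $InstallDir $Exe
    if (Test-Path $oldExe) {
        Stop-Process -Name 'Sysmon', 'Sysmon64' -Force -ErrorAction SilentlyContinue
        & $oldExe -u force | Out-Null          # "-u force" removes service and driver
    }
    New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
    Copy-Item -Path (Join-Path $latest.Bin '*.exe') -Destination $InstallDir -Force
    Remove-Item $latest.Root -Recurse -Force
    $installArgs = @('-accepteula', '-i')
    if ($config) {
        $cfgPath = Join-Path $InstallDir 'config.xml'
        [IO.File]::WriteAllText($cfgPath, $config)   # UTF-8 without BOM
        $installArgs += $cfgPath                     # "-i <configfile>" installs with config
    }
    & (Join-Path $InstallDir $Exe) @installArgs
    if ($LASTEXITCODE -ne 0) { throw "Sysmon install failed with exit code $LASTEXITCODE" }
}

switch ($Phase) {
    'Evaluate'  { if (Test-SysmonCompliant) { exit 0 } else { exit 1 } }
    'Remediate' { Install-Sysmon }
}
```

Note that the evaluation phase here downloads Sysmon.zip on every run to learn the current version; that trades an extra download per endpoint for not depending on the layout of the Sysinternals web page. If that is too much traffic for the fleet, pin the expected version in the script (or in an Automox variable) and compare against that instead.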

Sysmon installation requirements

  • Windows workstation or server endpoint

  • Network connectivity to download.sysinternals.com and learn.microsoft.com

  • Administrative privileges for kernel-level driver installation

  • Acceptance of Sysinternals EULA (automated during install)

  • Optional: Custom XML configuration in the $config variable

Expected state after Sysmon installation

After successful remediation, Sysmon runs as a Windows service (Sysmon64 on 64-bit systems, Sysmon on 32-bit) backed by the SysmonDrv kernel driver, and both persist across reboots. The binaries and configuration reside in Program Files\SysInternals\Sysmon. Verify installation by checking Services.msc for the Sysmon64 service or viewing events in Applications and Services Logs\Microsoft\Windows\Sysmon\Operational in Event Viewer (the channel name is Microsoft-Windows-Sysmon/Operational when querying with Get-WinEvent or forwarding to a SIEM).

Subsequent Worklet runs check the Microsoft Sysinternals page for newer versions. If an update is available, the Worklet automatically upgrades the installation. If Sysmon is current but not running, the Worklet re-registers and starts the service.
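A post-install health check of the kind a practitioner would run by hand or schedule as a follow-up Worklet, as an added example that is not part of the page or the Worklet. The 15-minute window, the expectation that process-creation events (ID 1) are flowing, and the install path are assumptions; a configuration that excludes most process creation would need the check relaxed.

```powershell
# Added example: confirm the Sysmon service and driver are running, that telemetry is
# reaching the event channel, and show what one event contains. Not Automox's code.
$LogName     = 'Microsoft-Windows-Sysmon/Operational'
$ServiceName = if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64' } else { 'Sysmon' }
$BinaryPath  = Join-Path $env:ProgramFiles "SysInternals\Sysmon\$ServiceName.exe"   # assumed install path

function ConvertFrom-SysmonEvent {
    # Flatten one EventRecord's <EventData><Data Name="..."> fields into an object.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $fields = [ordered]@{ EventId = $Event.Id; TimeCreated = $Event.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.GetAttribute('Name')] = $d.'#text' }
        [pscustomobject]$fields
    }
}

function Get-SysmonHealth {
    param([int]$WindowMinutes = 15)   # window is an assumption; tune to the host's activity
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    # Kernel drivers are not listed by Get-Service on Windows PowerShell 5.1, so ask CIM.
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='SysmonDrv'" -ErrorAction SilentlyContinue
    $events = @(Get-WinEvent -FilterHashtable @{
                    LogName = $LogName; StartTime = (Get-Date).AddMinutes(-$WindowMinutes)
                } -ErrorAction SilentlyContinue)
    $counts = ($events | Group-Object Id | Sort-Object { [int]$_.Name } |
               ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }) -join ' '
    # Event ID 16 is Sysmon's own "configuration changed" record; the newest one dates the
    # config currently in force and carries the hash of the file it was loaded from.
    $cfg = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 16 } -MaxEvents 1 `
               -ErrorAction SilentlyContinue | ConvertFrom-SysmonEvent
    $svcUp = [bool]($svc -and $svc.Status -eq 'Running')
    $drvUp = [bool]($drv -and $drv.State -eq 'Running')
    [pscustomobject]@{
        ServiceRunning    = $svcUp
        DriverRunning     = $drvUp
        BinaryVersion     = (Get-Item $BinaryPath -ErrorAction SilentlyContinue).VersionInfo.FileVersion
        EventsInWindow    = $events.Count
        CountsByEventId   = $counts
        ProcessCreateSeen = [bool]($events | Where-Object Id -eq 1)
        ConfigLoadedAt    = $cfg.TimeCreated
        ConfigFileHash    = $cfg.ConfigurationFileHash
        Healthy           = ($svcUp -and $drvUp -and $events.Count -gt 0)
    }
}

$health = Get-SysmonHealth
$health | Format-List

# The most recent process creation, with command line, parent and hashes, shows the channel is live.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    ConvertFrom-SysmonEvent |
    Select-Object TimeCreated, Image, CommandLine, ParentImage, Hashes | Format-List

if (-not $health.Healthy) { exit 1 }
```

Comparing ConfigFileHash across the fleet is a cheap way to spot endpoints that received the default configuration instead of the one written by the Worklet, since every host that loaded the same config.xml reports the same hash.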



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
