Overview

The Sysmon command retrieves the Sysmon (System Monitor) configuration from the registry. Sysmon is a Windows system service and device driver that logs detailed system activity, including process creation, network connections, and file modifications. Reading its configuration reveals which activities are being monitored and logged on the host, and by implication which are not.

Syntax

Seatbelt.exe Sysmon

Remote Execution

Seatbelt.exe Sysmon -computername=TARGET.domain.com [-username=DOMAIN\user -password=pass]

Output

Returns Sysmon configuration:
  • Sysmon installation status
  • Sysmon version
  • Configuration file hash
  • Configured event IDs
  • Filtering rules
  • Network monitoring status
  • Process access monitoring

Use Cases

  • Red Team
  • Blue Team
  • Determine if Sysmon is deployed
  • Identify monitored activities
  • Understand detection capabilities
  • Plan evasion strategies
  • Assess logging granularity

Example Output

====== Sysmon ======

[*] Sysmon Installed: True

Version                : 14.13
HashingAlgorithm       : SHA256
Configuration Hash     : ABC123DEF456...
Network Monitoring     : Enabled

Configured Event IDs:
  Event ID 1           : Process Creation - Enabled
  Event ID 3           : Network Connection - Enabled
  Event ID 7           : Image Load - Enabled with filters
  Event ID 8           : CreateRemoteThread - Enabled
  Event ID 10          : Process Access - Enabled with filters
  Event ID 11          : File Create - Enabled with filters

Rules Summary:
  Include Rules        : 15
  Exclude Rules        : 42

Remote Execution

This command supports remote execution using the -computername parameter.

Detection Considerations

Enumerating the Sysmon configuration may trigger alerts on monitored systems:
  • Registry Access: Queries HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv
  • WMI Activity: Remote execution generates WMI events
  • Sysmon Event 12/13: Registry access may be logged by Sysmon itself
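As an added defender-side example (not Seatbelt's or Sysmon's own code), the registry check from the Detection Considerations above, run over constructed Sysmon-style records: registry events that touch the SysmonDrv key from an image other than Sysmon itself are flagged, and Event ID 1 records are used to mark processes spawned under WmiPrvSE.exe, the remote-execution case. Sysmon's Event ID 12/13 record key and value changes rather than reads, so for a pure query the same prefix match belongs on Security Event 4663 with an audit SACL on the key. Field names follow Sysmon's schema; the allow-list of expected images and all sample events are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Key the page says the Sysmon command queries; matched as a prefix so that
# subkeys such as ...\SysmonDrv\Parameters are covered as well.
SYSMON_DRV_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv"

# Assumed allow-list of images expected to touch that key on a healthy host.
EXPECTED_IMAGES = {r"c:\windows\sysmon64.exe", r"c:\windows\sysmon.exe"}

@dataclass
class Finding:
    event_id: int
    image: str
    target: str
    remote_wmi: bool  # parent was WmiPrvSE.exe, consistent with remote execution

def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()

def flag_sysmon_enumeration(events: list[dict]) -> list[Finding]:
    """Event ID 1 records map each ProcessGuid to its parent image; registry
    records (12/13) supply the key that was touched and by which image."""
    parents = {e["ProcessGuid"]: _norm(e.get("ParentImage", ""))
               for e in events if e["EventID"] == 1}
    key = _norm(SYSMON_DRV_KEY)
    findings = []
    for e in events:
        if e["EventID"] not in (12, 13):
            continue
        target, image = _norm(e["TargetObject"]), _norm(e["Image"])
        if not target.startswith(key) or image in EXPECTED_IMAGES:
            continue  # unrelated key, or Sysmon maintaining its own config
        parent = parents.get(e.get("ProcessGuid"), "")
        findings.append(Finding(e["EventID"], image, target,
                                parent.endswith("\\wmiprvse.exe")))
    return findings

# Constructed sample events in Sysmon's field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Temp\Seatbelt.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 13, "ProcessGuid": "{A}", "Image": r"C:\Windows\Sysmon64.exe",
     "TargetObject": SYSMON_DRV_KEY + r"\Parameters\Rules"},
    {"EventID": 12, "ProcessGuid": "{B}", "Image": r"C:\Temp\Seatbelt.exe",
     "TargetObject": SYSMON_DRV_KEY + r"\Parameters"},
    {"EventID": 13, "ProcessGuid": "{B}", "Image": r"C:\Temp\Seatbelt.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x"},
]
```

Calling flag_sysmon_enumeration(SAMPLE_EVENTS) yields a single finding for the Seatbelt process, marked as WMI-spawned; the Sysmon service's own write and the unrelated Run key produce nothing.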