Windows IT Pro Blog:
Next year, you will be able to gain instant threat visibility and streamline security operations with System Monitor (Sysmon) functionality natively available in Windows!
Part of Sysinternals, Sysmon has long been the go-to tool for IT admins, security professionals, and threat hunters seeking deep visibility into Windows systems. It helps in detecting credential theft, uncovering stealthy lateral movement, and powering forensic investigations. Its granular diagnostic data feeds security information and event management (SIEM) pipelines and enables defenders to spot advanced attacks.
But deploying and maintaining Sysmon across a digital estate has been a manual, time-consuming task: you have had to download binaries and apply updates consistently across thousands of endpoints. That operational overhead introduces risk when updates lag, and the lack of official customer support for Sysmon in production environments poses added risk and additional maintenance overhead for your organization.
Not anymore!
Sysmon functionality available in Windows: Why it matters
Next year, Windows updates for Windows 11 and Windows Server 2025 will bring Sysmon functionality natively to Windows. Sysmon functionality allows you to use custom configuration files to filter captured events. These events are written to the Windows event log, enabling a wide range of use cases, including consumption by security applications.
What operational pain points does it solve for you?
- Instant threat visibility
- Same rich functionality, including support for custom configuration files
- No separate download or manual deployment
- Automated compliance as updates flow through Windows Update
- Reduced operational risk
- Customer service support
- Helps reduce complexity and eliminate gaps caused by manual deployments (Secure by design).
- Helps make advanced security diagnostic data available out-of-the-box (Secure operations).
Key capabilities and how to use them
Sysmon functionality in Windows, with its configurable and filterable events, is easy to activate and provides rich, customizable detection signals through your familiar tools. Sysmon remains up to date with all the necessary fixes and new features thanks to monthly Windows updates.
Activate Sysmon functionality in Windows
Next year, you can enable the Sysmon functionality in Windows by using the Turn Windows features on/off capability. Then install it with a single command via the Command Prompt (cmd.exe):
sysmon -i
This command installs the driver and starts the Sysmon service immediately with the default configuration. Comprehensive documentation will be available at general availability.
Detect threats through rich signals
Sysmon functionality in Windows delivers rich, built-in detection signals that power advanced threat detection and forensic analysis. Instead of requiring additional software deployment, get these signals from any of the following:
- Windows event logs in Applications and Services Logs / Microsoft / Windows / Sysmon / Operational
- Applications such as SIEMs
- Event ID 1 – Process creation: detects suspicious command-line activity (e.g., powershell -nop -w hidden) often used in fileless attacks.
- Event ID 3 – Network connection: flags unexpected outbound connections (e.g., 185.199.x.x:443) that could indicate Command and Control (C2) traffic.
- Event ID 8 – Process access: exposes credential dumping attempts (e.g., Local Security Authority Subsystem Service (LSASS) memory access by comsvcs.dll).
- Event ID 11 – File creation: detects creation of suspicious scripts in temp directories (e.g., C:\Users\Public\temp\update.ps1).
- Event ID 25 – Process tampering: identifies process hollowing and herpaderping techniques used to hide malware.
- Event ID 20 & 21 – WMI events: captures Windows Management Instrumentation (WMI) persistence mechanisms (e.g., WmiEventConsumer activity).
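The custom configuration files mentioned earlier and the event IDs listed above come together in a Sysmon configuration like the one below. This is an added illustration, not Microsoft's template or the post's own material: the schemaversion, the browser and path names, and the command-line strings are assumptions chosen to match the examples in the list (the WmiEvent element covers IDs 19-21, of which the post names 20 and 21).

```xml
<!-- Example Sysmon configuration for the event IDs discussed above.
     Constructed for illustration; the schemaversion is an assumption
     (compare it with the output of "sysmon -s" on the installed build). -->
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- ID 1: process creation with hidden/encoded PowerShell switches -->
    <RuleGroup name="Suspicious PowerShell" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains all">powershell;-nop;-w hidden</CommandLine>
        <CommandLine condition="contains">-EncodedCommand</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    <!-- ID 3: outbound 443 from anything that is not a known browser
         (in an "and" group every rule must match the same event) -->
    <RuleGroup name="Unexpected outbound 443" groupRelation="and">
      <NetworkConnect onmatch="include">
        <Initiated condition="is">true</Initiated>
        <DestinationPort condition="is">443</DestinationPort>
        <Image condition="excludes any">\msedge.exe;\chrome.exe;\firefox.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <!-- ID 8: any handle opened on LSASS; add exclusions for your own
         EDR/AV processes after baselining, otherwise this is noisy -->
    <RuleGroup name="LSASS access" groupRelation="or">
      <ProcessAccess onmatch="include">
        <TargetImage condition="end with">\lsass.exe</TargetImage>
      </ProcessAccess>
    </RuleGroup>
    <!-- ID 11: PowerShell scripts written to world-writable locations
         (matches the C:\Users\Public\temp\update.ps1 example above) -->
    <RuleGroup name="Scripts in public or temp dirs" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains all">\Users\Public\;.ps1</TargetFilename>
        <TargetFilename condition="contains all">\Temp\;.ps1</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <!-- ID 25 and IDs 19-21: an empty exclude block logs every event of
         that type (hollowing/herpaderping, WMI filter/consumer/binding) -->
    <RuleGroup name="Tampering and WMI persistence" groupRelation="or">
      <ProcessTampering onmatch="exclude"/>
      <WmiEvent onmatch="exclude"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with sysmon -c followed by the file path; an include block logs only what its rules match, so anything not listed for that event type is dropped.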
Get started with Sysmon functionality in Windows
Sysmon functionality will be broadly available in upcoming Windows updates next year. To get started today:
- Explore GitHub community configuration templates: Sysmon configuration file template with default high-quality event tracing, and Sysmon configuration repository.
- Visit the Windows Server booth at Microsoft Ignite and try Sysmon functionality in Windows.
- Share feedback at [email protected]. Your input shapes the next chapter of threat detection on Windows.
Source:
Native Sysmon functionality coming to Windows | Microsoft Community Hub
Learn how to eliminate manual deployment and reduce operational risk with Sysmon functionality in Windows.