Windows Internals

Hello All. As a follow-up to my recent Mythos post, I have been thinking about cyber-hygiene improvements organizations can make in their OT environments. In environments where patching may no longer be an option, tools like Sysmon shift the strategy from prevention to visibility and early detection. You’re essentially compensating for unpatchable risk by increasing your ability to observe attacker behavior in real time. In many cases, these Windows machines cannot run modern EDR tools due to their vintage and/or cannot support them in their current OT environment. On legacy Windows systems (including XP/7-era HMIs), Sysmon can be one of the few viable ways to regain some defensive ground.

Monitoring process creation is one of the highest-value use cases. Most successful attacks on legacy systems still require some form of execution—whether that’s cmd.exe, PowerShell (where present), dropped binaries, or living-off-the-land techniques. By baselining what “normal” looks like on an HMI and alerting on deviations (new parent-child relationships, unusual command-line arguments, unsigned binaries), you can catch activity that would otherwise go completely unnoticed.

DNS and outbound connectivity is even more critical in OT. Many of these systems are not supposed to communicate externally at all. So when you see DNS queries to Internet domains, failed or successful connections to external IPs, or even unusual internal name resolution patterns, that’s often a high-fidelity signal. In a world where AI-driven attacks may rapidly establish command-and-control, those early outbound indicators can be the only warning you get.

Feeding this telemetry into a SIEM is where the real value compounds. SIEMs will allow you to correlate across layers—endpoint behavior, network activity, and even OT protocol anomalies if you’re integrating tools like Nozomi or Claroty. This is where you move beyond simple alerting into detection engineering, building use cases such as:

  • Process execution + outbound connection within a short window
  • New binary execution on a system with no change tickets
  • DNS queries to rare or previously unseen domains
  • Lateral movement patterns combined with OT protocol access

That said, there are a few realities to be aware of.

First, Sysmon on legacy systems requires careful tuning. These environments are typically very static, which is actually an advantage—you can get to a high-confidence baseline quickly—but noisy configs will overwhelm both the system and your analysts. Minimal, targeted logging (process create, network connections, DNS if available, and maybe file creation in sensitive directories) tends to work best.

Second, performance and stability matter more than anything in OT. Even tools that access Windows natively such as Sysmon need to be validated in a lab or staging environment before deployment. The last thing you want is a monitoring control impacting an HMI tied to production or safety systems.

Third, this approach doesn’t reduce vulnerability exposure—it simply makes exploitation more visible. So it needs to sit alongside:

  • Strong network segmentation
  • Strict allow-listing where possible
  • Passive OT monitoring for protocol-level anomalies

The bigger picture is that this aligns perfectly with the shift we’re seeing in the wake of AI-driven vulnerability discovery. If we assume that new flaws will continue to be found in unpatchable systems, then behavioral monitoring becomes the control of last resort.

In that sense, deploying Sysmon isn’t just a technical improvement—it’s a strategic acknowledgment that: You may not be able to stop the exploit, but you can still catch the attacker.

Deploying Sysmon is straightforward. It is part of the Microsoft SysInternals toolkit and can be downloaded directly from Microsoft’s official site:

https://learn.microsoft.com/sysinternals/downloads/sysmon

Once downloaded, it can be installed with a configuration file that defines what events to capture. In OT environments, it’s important to keep this configuration lightweight and targeted—focusing on process creation, network connections, and DNS activity to avoid performance impacts on sensitive systems.

There are, however, important considerations. Legacy OT systems are often fragile, so any agent deployment must be tested carefully to ensure it does not impact stability. Additionally, Sysmon does not reduce the underlying risk—it simply makes attacker activity more visible. This means it should be combined with strong segmentation, strict access controls, and passive network monitoring.

Ultimately, this approach reflects a broader shift in cybersecurity. As AI-driven tools begin to uncover new vulnerabilities in long-abandoned platforms, organizations can no longer rely on patching as their primary defense. Instead, they must assume these systems are permanently exposed and focus on detecting what happens next.

In that reality, Sysmon is not just a tool—it’s a way to regain visibility in environments where control is otherwise limited.

Read more

Hello All. Yes, you heard me, Sysmon is coming natively to Windows in 2026. 

Mark Russinovich, the creator of Sysmon, recently posted this amazing news on the Windows IT Pro Blog:

“Next year, you will be able to gain instant threat visibility and streamline security operations with System Monitor (Sysmon) functionality natively available in Windows!

Part of SysInternals, Sysmon has long been the go-to tool for IT admins, security professionals, and threat hunters seeking deep visibility into Windows systems. It helps in detecting credential theft, uncovering stealthy lateral movement, and powering forensic investigations. Its granular diagnostic data feeds security information and event management (SIEM) pipelines and enables defenders to spot advanced attacks.

But deploying and maintaining Sysmon across a digital estate has been a manual, time-consuming task. You’ve downloaded binaries and applied updates consistently across thousands of endpoints. Operational overheads introduce risk when updates lag. And a lack of official customer support for Sysmon in production environments poses added risk and additional maintenance overhead for your organization.”

With this update, you will be able to easily activate Sysmon in Windows 11 and Windows Server 2025 with the simple command: sysmon -i at the cmd.exe prompt. This should be coming in 2026 as part of a Windows Update.

According to Microsoft’s roadmap, Sysmon will be available through the built‑in Optional features mechanism in Windows. Administrators will be able to install Sysmon using standard OS tools, without downloading a separate package, and updates will be delivered directly via Windows Update.

Here is the original post: https://techcommunity.microsoft.com/blog/Windows-ITPro-blog/native-sysmon-functionality-coming-to-windows/4468112

Read more

Hello All. I wanted to thank the organizer for having me at the 2025 Atlantic Security Conference in Halifax, NS this past week. I would also like to thank all the attendees who came to hear me speak.

For those who are looking for the slides, they can be downloaded from the link below:

https://www.petermorin.com/wp-content/uploads/2025/04/AtlSecCon-Top-AD-Attacks-2025.pdf

Please fee free to contact me if you have any questions. See you at the next con!

Read more