Can't run SYSMON on 2008 R2 SP1
2,835 views
Skip to first unread message
Donatas Kalvaitis
May 11, 2023, 2:00:11 AM5/11/23
to Wazuh mailing list
Hello, need help. I cant install sysmon. What options do I have?
Antonio David Gutiérrez
May 11, 2023, 3:15:03 AM5/11/23
to Wazuh mailing list
Hi Donatas,
By the error, it seems as if some dependencies could have been missing. Maybe you need to install some update or dependencies that adds the needed program or library to work with sysmon.
1. Could you describe the detailed steps you are following to install sysmon?
2. What version of sysmon are you trying to install?
3. Did you try to reinstall it?
I found some related topics:
https://superuser.com/questions/1482486/installation-error-of-sysmon-on-windows-7-vm-sysmondrv-driver-and-startservice
https://learn.microsoft.com/en-us/answers/questions/1225702/problem-upgrading-to-sysmon-14-15
By the error, it seems as if some dependencies could have been missing. Maybe you need to install some update or dependencies that adds the needed program or library to work with sysmon.
1. Could you describe the detailed steps you are following to install sysmon?
2. What version of sysmon are you trying to install?
3. Did you try to reinstall it?
I found some related topics:
https://superuser.com/questions/1482486/installation-error-of-sysmon-on-windows-7-vm-sysmondrv-driver-and-startservice
https://learn.microsoft.com/en-us/answers/questions/1225702/problem-upgrading-to-sysmon-14-15
Donatas Kalvaitis
May 11, 2023, 3:36:11 AM5/11/23
to Wazuh mailing list
We have "2008 R2 SP1", we use latest version of sysmon. Command - .\Sysmon64.exe -accepteula -i sysmonconfig.xml We are doing steps from your blog - https://wazuh.com/blog/detecting-blackcat-ransomware-with-wazuh/ and using config from there too.
Antonio David Gutiérrez
May 11, 2023, 5:02:02 AM5/11/23
to Wazuh mailing list
Hi Donatas,
Thank you for the information.
According to the shared blog: https://wazuh.com/blog/detecting-blackcat-ransomware-with-wazuh/, the instructions to install sysmon, indicate to download the installer from https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon. The latest version of sysmon is 14.16, which is compatible with:
You need to use a Windows compatible version with the sysmon installer.
You could try to download a previous version of sysmon that is compatible with Windows Server 2008 RC2 SP1.
According to the response to this topic: https://learn.microsoft.com/en-us/answers/questions/575176/sysmon-on-windows-server-2008, the last sysmon version compatible with Windows Server 2008 RC2 is 10.42. You could give a try to download the sysmon compatible version with Windows server 2008 RC2 SP1. Unfortunately, I could not find this version on the Microsoft Sysinternals page (https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon).
Googling a little bit, I found a page on web.archive.org which has the symon 10.42 version. As you can see at the bottom of the page, mentions the Windows Server 2008 RC2 is a compatible version.
http://web.archive.org/web/20200309125238/https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Thank you for the information.
According to the shared blog: https://wazuh.com/blog/detecting-blackcat-ransomware-with-wazuh/, the instructions to install sysmon, indicate to download the installer from https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon. The latest version of sysmon is 14.16, which is compatible with:
Runs on:
- Client: Windows 8.1 and higher.
- Server: Windows Server 2012 and higher.
You need to use a Windows compatible version with the sysmon installer.
You could try to download a previous version of sysmon that is compatible with Windows Server 2008 RC2 SP1.
According to the response to this topic: https://learn.microsoft.com/en-us/answers/questions/575176/sysmon-on-windows-server-2008, the last sysmon version compatible with Windows Server 2008 RC2 is 10.42. You could give a try to download the sysmon compatible version with Windows server 2008 RC2 SP1. Unfortunately, I could not find this version on the Microsoft Sysinternals page (https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon).
Googling a little bit, I found a page on web.archive.org which has the symon 10.42 version. As you can see at the bottom of the page, mentions the Windows Server 2008 RC2 is a compatible version.
http://web.archive.org/web/20200309125238/https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Message has been deleted
Antonio David Gutiérrez
May 11, 2023, 6:24:58 AM5/11/23
to Wazuh mailing list
Hi Donatas,
This seems to be a problem with the configuration defined in the sysmonconfig.xml, whose schema version is 4.60 and the Sysmon schema version is 4.23, so for your Sysmon installed version (10.42 I guess), the Sysmon configuration provided by Wazuh through the blog you mentioned, it is not compatible.
I will ask my coworkers about this topic.
But it seems to be clear you need to install a Sysmon version compatible with the operating system and the Sysmon configuration has to be compatible with the Sysmon version installed.
I don't know if we have a Sysmon configuration compatible with previous versions of Sysmon.
This seems to be a problem with the configuration defined in the sysmonconfig.xml, whose schema version is 4.60 and the Sysmon schema version is 4.23, so for your Sysmon installed version (10.42 I guess), the Sysmon configuration provided by Wazuh through the blog you mentioned, it is not compatible.
I will ask my coworkers about this topic.
But it seems to be clear you need to install a Sysmon version compatible with the operating system and the Sysmon configuration has to be compatible with the Sysmon version installed.
I don't know if we have a Sysmon configuration compatible with previous versions of Sysmon.
On Thursday, May 11, 2023 at 11:17:15 AM UTC+2 Donatas Kalvaitis wrote:
Yes, i did this, now i have another error
----
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/wJb7ajGZ1iw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a54788e0-85fe-409d-b20e-59ce76b525abn%40googlegroups.com.
Donatas KalvaitisAirių g. 31-2, Vilnius8-687-42983
Donatas Kalvaitis
May 11, 2023, 10:17:28 AM5/11/23
to Wazuh mailing list
Thank you Antonio, I'll wait.
Antonio David Gutiérrez
May 12, 2023, 3:52:33 AM5/12/23
to Wazuh mailing list
Hi Donatas,
A co-worker indicated that he was able to install Sysmon 13.01 on Windows Server 2008 RC2 SP1. I asked him to check if he can use the provided sysmonconfig.xml file without errors. If I get a successful response, then I will reply in this thread.
I was researching and I got Sysmon 13.02 downloaded from http://web.archive.org/web/20210410215018/https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon but I got errors due to the configuration used. I used the provided sysmonconfig.xml file from the blog https://wazuh.com/blog/detecting-blackcat-ransomware-with-wazuh/.
My suggestion is that if you are interested to detect the BlackCat ransomware with Wazuh on Windows Server 2008 RC2 SP1, you could give a try to install the latest Sysmon compatible version with the OS and try to adapt the provided sysmonconfig.xml file to work with the Sysmon installed version. The provided sysmonconfig.xml file seems to have so many configurations but only a subset of them are needed to detect this ransomware. Possibly you can remove or adapt the configuration that gives problems ensuring the configuration related to the ransomware is defined as possible. To do this, you can check the Wazuh rules defined on the blog, locate what Sysmon configuration retrieves that data, and ensure this configuration is compatible with the installed Sysmon. If you find errors in configurations that are not related to the detection of the ransomware, then you could remove or adapt them to work with the installed Sysmon version.
Another Sysmon compatible version with Windows Server 2008 RC2 SP1
Sysmon 13.02: http://web.archive.org/web/20210410215018/https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon 13.10: http://web.archive.org/web/20210430113957/https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
A co-worker indicated that he was able to install Sysmon 13.01 on Windows Server 2008 RC2 SP1. I asked him to check if he can use the provided sysmonconfig.xml file without errors. If I get a successful response, then I will reply in this thread.
I was researching and I got Sysmon 13.02 downloaded from http://web.archive.org/web/20210410215018/https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon but I got errors due to the configuration used. I used the provided sysmonconfig.xml file from the blog https://wazuh.com/blog/detecting-blackcat-ransomware-with-wazuh/.
My suggestion is that if you are interested to detect the BlackCat ransomware with Wazuh on Windows Server 2008 RC2 SP1, you could give a try to install the latest Sysmon compatible version with the OS and try to adapt the provided sysmonconfig.xml file to work with the Sysmon installed version. The provided sysmonconfig.xml file seems to have so many configurations but only a subset of them are needed to detect this ransomware. Possibly you can remove or adapt the configuration that gives problems ensuring the configuration related to the ransomware is defined as possible. To do this, you can check the Wazuh rules defined on the blog, locate what Sysmon configuration retrieves that data, and ensure this configuration is compatible with the installed Sysmon. If you find errors in configurations that are not related to the detection of the ransomware, then you could remove or adapt them to work with the installed Sysmon version.
Another Sysmon compatible version with Windows Server 2008 RC2 SP1
Sysmon 13.02: http://web.archive.org/web/20210410215018/https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon 13.10: http://web.archive.org/web/20210430113957/https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Reply all
Reply to author
Forward
0 new messages