Sysmon (System Monitor)
Here we’ll be discussing System Monitor. It is the new tool in the Sysinternals Suite, released recently by Mark Russinovich and Thomas Garnier, both from Microsoft. Sysmon is very helpful as it gives detailed monitoring of the operating system, from process start through network activity, and supports the discovery of different types of exploitation techniques.
It records what happens in considerable detail, including:
- Process creation with the full command line for both the current and parent processes. In addition, it records the hash of the process image using MD5, SHA1 or SHA256, and it records the process GUID assigned at creation for better correlation, since Windows may reuse a process PID.
- Network connections from the host to another. It records the source process, IP addresses, port numbers, hostnames and port names for TCP/UDP connections.
- Changes to the creation time of a file.
- Events generated from early in the boot process, capturing activity by even sophisticated kernel-mode malware.
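As an added example (not code from the original post or from Sysmon itself), the Python below correlates Sysmon network-connection events (Event ID 3) and file-creation-time-change events (Event ID 2) back to the process-creation event (Event ID 1) that spawned the process, keying on ProcessGuid rather than PID. The sample events are constructed; the field names follow Sysmon's EventData layout, and the hash values and paths are placeholders.

```python
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry). Both process-creation
# events carry PID 4242: Windows reused the PID after the first process exited,
# which is exactly why ProcessGuid, not ProcessId, is the correlation key.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{a1}", "ProcessId": 4242,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "MD5=0123abcd,SHA256=89ef4567"},
    {"EventID": 1, "ProcessGuid": "{b2}", "ProcessId": 4242,
     "Image": r"C:\Tools\updater.exe", "CommandLine": "updater.exe --check",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Hashes": "SHA1=deadbeef,SHA256=feedface"},
    {"EventID": 3, "ProcessGuid": "{b2}", "ProcessId": 4242, "Protocol": "tcp",
     "SourceIp": "10.0.0.5", "DestinationIp": "203.0.113.10", "DestinationPort": 443,
     "DestinationHostname": "updates.example.net"},
    {"EventID": 2, "ProcessGuid": "{b2}", "ProcessId": 4242, "TargetFilename": r"C:\Tools\updater.exe",
     "PreviousCreationUtcTime": "2024-01-10 09:00:00.000", "CreationUtcTime": "2019-01-01 00:00:00.000"},
]

def parse_hashes(field):
    """Split Sysmon's 'ALGO=hex,ALGO=hex' Hashes field into a dict."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)

def index_processes(events):
    """Map ProcessGuid -> process-creation event (Event ID 1)."""
    return {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}

def pid_collisions(events):
    """PIDs that appear on more than one process-creation event (PID reuse)."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] == 1:
            seen[e["ProcessId"]].add(e["ProcessGuid"])
    return {pid: sorted(guids) for pid, guids in seen.items() if len(guids) > 1}

def correlate(events):
    """Attach the originating process to each network (3) and file-time-change (2) event."""
    procs = index_processes(events)
    out = []
    for e in events:
        if e["EventID"] in (2, 3):
            p = procs.get(e["ProcessGuid"], {})  # empty dict if the creation event was missed
            out.append({"EventID": e["EventID"], "Image": p.get("Image"),
                        "CommandLine": p.get("CommandLine"), "ParentImage": p.get("ParentImage"),
                        "SHA256": parse_hashes(p.get("Hashes", "")).get("SHA256"),
                        "Detail": e.get("DestinationHostname") or e.get("TargetFilename")})
    return out

if __name__ == "__main__":
    print(pid_collisions(SAMPLE_EVENTS))
    for row in correlate(SAMPLE_EVENTS): print(row)
```

Joining on ProcessId instead would attribute the connection and the timestamp change to either of the two processes that held PID 4242; the GUID join names updater.exe unambiguously.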