IT Support: System Internals

Sysinternals Utilities Index

https://docs.microsoft.com/en-us/sysinternals/downloads/

Sysmon v7.01

By Mark Russinovich and Thomas Garnier

Published: January 5, 2018

DownloadDownload Sysmon(1.4 MB)

Introduction

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.

Overview of Sysmon Capabilities

Sysmon includes the following capabilities:

  • Logs process creation with full command line for both current and parent processes.
  • Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
  • Multiple hashes can be used at the same time.
  • Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
  • Include a session GUID in each events to allow correlation of events on same logon session.
  • Logs loading of drivers or DLLs with their signatures and hashes.
  • Logs opens for raw read access of disks and volumes
  • Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
  • Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
  • Automatically reload configuration if changed in the registry.
  • Rule filtering to include or exclude certain events dynamically.
  • Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.

 

Mark’s Blog

Mark Russinovich’s technical blog covering topics such as Windows troubleshooting, technologies and security.

https://blogs.technet.microsoft.com/markrussinovich/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

LearningLovers.org

EdTech Innovation

eLearning and the Innovation of the Academy

"When the wind of change blows, some people build walls, others build windmills." - Chinese proverb

Wikifreedom

All about freedom of articles, opinions, science, everything

danilouann

Product tester / Blogger

General Health Magazine

Official General Health Magazine page for women and men! Free advice to become more healthier, smarter, fashionable, confident and successful.

%d bloggers like this: