Tracing Malicious Activity On Windows With Sysmon

For Windows IT professionals, perhaps the most popular set of troubleshooting tools is Sysinternals, the creation of none other than Mark Russonivich, Microsoft’s CTO of Azure.

The Sysinternals suite has a fantastic array of tools such as PSExec, Process Monitor and Process Explorer among many others. One tool in particular that is a favorite among security professionals is Sysmon. Sysmon is a service and device driver, that once installed on a system, logs indicators that can greatly help track malicious activity in addition to help with general troubleshooting.


What Does Sysmon Log Do?

One great feature of Sysmon is that it logs many important events in one place. Instead of attempting to combine events from different logs to troubleshoot, depending on the information you are looking for, you can just view the Sysmon log instead.

Related Article: Advanced PowerShell Functions: Upping Your Game

In this current release (v6.10) Sysmon logs these events:

  • Process creation and termination with image file hash
  • Network connections including source process, IP addresses, port numbers hostnames
  • Changes to file creation time
  • Driver and image loading
  • Remote threads
  • Raw disk access
  • Process memory access


Leave a Reply

Your email address will not be published. Required fields are marked *