
Over the years there have been numerous blog posts written on using Sysmon as a data collection source for endpoint visibility and threat hunting. Most recently updated on January 5, 2018, v7.01 supports twenty-two different Event IDs ranging from process execution events (EID 1 & 5), network connection events (EID 3), image load events (EID 7), named pipe events (EID 17 & 18), WMI events (EID 19, 20 & 21), all the way to registry events and much more! Sysmon (System Monitor) is part of Microsoft's Sysinternals Suite and was written by Mark Russinovich (thanks, Mark!). The Sysmon driver installs as a service and logs numerous Windows events to the Microsoft-Windows-Sysmon/Operational event log. This blog post highlights a bug I found in Sysmon's event logging that contaminates process command line argument logging and adversely affects at least two different tools used for viewing Windows event logs.

First of all, I have been a fan of using Sysmon in my personal testing lab setup since its original release in 2014. Over the past nine months I have spent significant time researching new obfuscation and evasion techniques, and a good portion of this time I have spent validating the effects of these techniques on numerous detection artifacts and tool sets. As a defender I am continuously testing, tuning and re-testing a plethora of detection ideas across many complementary detection frameworks. However, a skilled DFIR practitioner values the confidence gained from cross-validating one tool's results with those produced by similar tools.
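The cross-validation described above, as an added PowerShell example that is not from the original post: it reads Sysmon EID 1 records from Microsoft-Windows-Sysmon/Operational, pairs each one by PID with a Security 4688 record, and reports any command line the two logs disagree on. It assumes Sysmon is installed and that 4688 auditing with "Include command line in process creation events" is enabled; the one-hour window and the helper name are my own choices.

```powershell
# Added example (not from the original post). Cross-check the CommandLine field of
# Sysmon EID 1 against Security 4688 for the same PID within a recent time window.
# Assumes Sysmon is installed and 4688 command-line auditing is turned on.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddHours(-1)

# Sysmon EID 1: ProcessId is a decimal string; CommandLine is the field this post is about
$sysmon = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Pid         = [int](Get-EventDataField $_ 'ProcessId')
        Time        = $_.TimeCreated
        CommandLine = Get-EventDataField $_ 'CommandLine'
    }
}

# Security 4688: NewProcessId is a hex string such as 0x1a2c, so convert it to an int
$security = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
    $newPid = [Convert]::ToInt32((Get-EventDataField $_ 'NewProcessId'), 16)
    $security[$newPid] = Get-EventDataField $_ 'CommandLine'
}

# Report every Sysmon record whose command line differs from the 4688 view.
# PIDs are reused, so the time window reduces false pairings but does not remove
# them; treat a mismatch as something to inspect by hand, not as a verdict.
foreach ($e in $sysmon) {
    if ($security.ContainsKey($e.Pid) -and $security[$e.Pid] -ne $e.CommandLine) {
        [pscustomobject]@{
            Pid     = $e.Pid
            Time    = $e.Time
            Sysmon  = $e.CommandLine
            Sec4688 = $security[$e.Pid]
        }
    }
}
```

Run it from an elevated prompt, since reading the Security log requires administrative rights.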
