Sysmon

Introduction

System Monitor (Sysmon) offers us additional event logging capabilities to detect IOC and other unwanted behavior. It remains active during reboots to monitor and log system activity.

Sysmon for linux also exists!

Sysmon Event ID's

Sysmon has it's own event ID's seperate from Windows Event Logs.

Event ID 1: Process Creation Events
Event ID 3: Network Connection Events
Event ID 7: DLL Load Events

Sysmon - Sysinternalsdocsmsft

PreviousWindows Event Logs NextEvent Tracing for Windows (ETW)

Last updated 8 months ago