Using Sysmon v6.01 to Really See What’s Happening on Endpoints; It’s Better than the Windows Security Log

Webinar Registration

Sysmon v6.01 is out from Windows Sysinternals and is even better than ever. This tiny free tool by Windows experts Mark Russinovich and Thomas Garnier runs in the background and provides efficient but powerful tracking of key security activity that is critical to catch today's adversaries.

Why do you need Sysmon when Windows already has the Security Log? Where Sysmon overlaps with the Security Log it has 3 advantages:

Sysmon events provide more information than corresponding events in the Security Log
- Sysmon logs the hash of EXEs – not just the EXE name like event ID 4688
- And you get the full command line of not just the child process but the parent, too
- Sysmon provides a GUID for processes instead just the Process ID which Windows reuses and therefore not unique; complicating correlation and attribution
Sysmon tracks activities used now by advanced attackers that Windows auditing doesn't – thereby generating events that just don't exist in the Security Log
- DLL loads
- Raw file system activity
- Remote thread creation
Sysmon's configuration is more granular than Windows auditing so you have better ability to get the events you want without dealing with all the noise
- We can filter out device driver loads signed by Microsoft for instance

Let me be clear, Sysmon is not and never will be a complete replacement for the Windows Security Log altogether. But where they overlap you definitely want to at least understand and probably start using Sysmon instead.

I'll show you:

How Sysmon works
How to deploy Sysmon to endpoints
What types of activity Sysmon tracks
How to configure Sysmon
How to iteratively refine Sysmon noise filters

I'll also show you some great scenarios for how to analyze Sysmon with your SIEM. For instance, we'll set up a real time dashboard to track:

Unrecognized program hashes
Where they are being loaded,
And by whom
Endpoints that show multiple indicator of compromise within a short time

LogRhythm is our sponsor for this real-training-for-free ™ event and I think you'll be impressed by how their SIEM platform understands similar events from multiple sources. This enables you to apply the same rules and correlation to things like process start event whether they came from Windows auditing, sysmon or an EDR solution like Carbon Black. Jake Reynolds, a Technical Alliances Engineer, will round out our presentation by highlighting some threat detection modules (User, Network, and End Point) and AIE rules designed to detect threat based on a number of log sources including SysMon and Carbon Black.

This is some deep, technical goodness – don't miss it.

First Name:	Required
Last Name:	Required
Work Email:	Required Invalid email address
Phone:	Required
Organization:	Required
Country:	Required
State:	Required
Zip/Postal Code:	Required
Job Title:	RequiredRequired
	Your information will be shared with the sponsor. By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor. Tweet

Upcoming Webinars

Additional Resources

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.