Using Sysmon v6.01 to Really See What’s Happening on Endpoints; It’s Better than the Windows Security Log

Webinar Registration

Sysmon v6.01 is out from Windows Sysinternals and is even better than ever. This tiny free tool by Windows experts Mark Russinovich and Thomas Garnier runs in the background and provides efficient but powerful tracking of key security activity that is critical to catch today's adversaries.

Why do you need Sysmon when Windows already has the Security Log? Where Sysmon overlaps with the Security Log it has 3 advantages:

  1. Sysmon events provide more information than corresponding events in the Security Log
    • Sysmon logs the hash of EXEs – not just the EXE name like event ID 4688
    • And you get the full command line of not just the child process but the parent, too
    • Sysmon provides a GUID for each process instead of just the Process ID, which Windows reuses and which is therefore not unique, complicating correlation and attribution
  2. Sysmon tracks activities now used by advanced attackers that Windows auditing doesn't, generating events that simply don't exist in the Security Log
    • DLL loads
    • Raw file system activity
    • Remote thread creation
  3. Sysmon's configuration is more granular than Windows auditing so you have better ability to get the events you want without dealing with all the noise
    • We can filter out device driver loads signed by Microsoft for instance

Let me be clear: Sysmon is not and never will be a complete replacement for the Windows Security Log. But where the two overlap, you definitely want to at least understand Sysmon and probably start using it instead.

I'll show you:

  • How Sysmon works
  • How to deploy Sysmon to endpoints
  • What types of activity Sysmon tracks
  • How to configure Sysmon
  • How to iteratively refine Sysmon noise filters

I'll also show you some great scenarios for analyzing Sysmon events with your SIEM. For instance, we'll set up a real-time dashboard to track:

  • Unrecognized program hashes
  • Where they are being loaded
  • And by whom
  • Endpoints that show multiple indicators of compromise within a short time
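To make the dashboard scenarios concrete, here is an added example (not code from the webinar or from Sysinternals) that correlates a few constructed Sysmon Event ID 1 (ProcessCreate) records the way a SIEM rule would: it lists every image whose hash is not in a vetted set, together with where and by whom it ran and its parent command line, and flags endpoints where several such runs cluster inside a short window. Hosts, users, GUIDs and hash values are constructed placeholders; the field names follow the Sysmon event schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1 (ProcessCreate) records, not real telemetry.
# Hash values, GUIDs, hosts and users are placeholders; field names follow Sysmon.
GOOD, UNK1, UNK2 = "A" * 64, "B" * 64, "C" * 64
EVENTS = [
    {"Computer": "WS01", "UtcTime": "2017-03-01 10:00:01.000", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessGuid": "{guid-1}",
     "Hashes": f"SHA1={'0' * 40},SHA256={GOOD}", "ParentCommandLine": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS01", "UtcTime": "2017-03-01 10:45:00.000", "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "ProcessGuid": "{guid-2}",
     "Hashes": f"SHA256={UNK1}", "ParentCommandLine": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS02", "UtcTime": "2017-03-01 11:00:00.000", "User": "CORP\\bob",
     "Image": "C:\\Users\\bob\\Downloads\\setup.exe", "ProcessGuid": "{guid-3}",
     "Hashes": f"SHA256={UNK1}", "ParentCommandLine": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS02", "UtcTime": "2017-03-01 11:03:30.000", "User": "CORP\\bob",
     "Image": "C:\\Users\\bob\\AppData\\Roaming\\helper.exe", "ProcessGuid": "{guid-4}",
     "Hashes": f"SHA256={UNK2}", "ParentCommandLine": "C:\\Users\\bob\\Downloads\\setup.exe"},
]
KNOWN_GOOD = {GOOD}  # SHA256 values already vetted, e.g. from a gold-image inventory

def sha256_of(hashes_field):
    """Sysmon writes e.g. 'SHA1=..,SHA256=..' when several hash algorithms are enabled."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().upper()
    return None

def unrecognized_hashes(events, known_good=KNOWN_GOOD):
    """One tuple per run of an unvetted image: hash, image, host, user, parent command line."""
    return [(sha256_of(e["Hashes"]), e["Image"], e["Computer"], e["User"], e["ParentCommandLine"])
            for e in events if sha256_of(e["Hashes"]) not in known_good]

def hosts_with_clustered_indicators(events, known_good=KNOWN_GOOD,
                                    window=timedelta(minutes=10), threshold=2):
    """Hosts where at least `threshold` unvetted-image runs fall inside any `window`."""
    by_host = defaultdict(list)
    for e in events:
        if sha256_of(e["Hashes"]) not in known_good:
            by_host[e["Computer"]].append(datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"))
    flagged = []
    for host, times in by_host.items():
        times.sort()
        # sliding window: from each event, count the later events that fall within `window`
        if any(sum(1 for t in times[i:] if t - times[i] <= window) >= threshold
               for i in range(len(times))):
            flagged.append(host)
    return sorted(flagged)

if __name__ == "__main__":
    for row in unrecognized_hashes(EVENTS):
        print("unrecognized:", row)
    print("clustered indicators on:", hosts_with_clustered_indicators(EVENTS))
```

With the sample data WS01 shows a single unvetted run and is not flagged, while WS02 shows two within three and a half minutes and is.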

LogRhythm is our sponsor for this real-training-for-free ™ event and I think you'll be impressed by how their SIEM platform understands similar events from multiple sources. This enables you to apply the same rules and correlation to things like process start events whether they came from Windows auditing, Sysmon or an EDR solution like Carbon Black. Jake Reynolds, a Technical Alliances Engineer, will round out our presentation by highlighting some threat detection modules (User, Network, and End Point) and AIE rules designed to detect threats based on a number of log sources including Sysmon and Carbon Black.

This is some deep, technical goodness – don't miss it.
