- Jan 21, 2018
"System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers."
What interests me most about this version of Sysmon is described in a gHacks article:
"Sysmon 11.0 adds a new event to the list of monitored activity on Windows devices. Event 23, FileDelete, monitors all file removal activity on the Windows machine; this gives administrators options to see all files that were deleted on a system while Sysmon was active.
One of the reasons for adding file delete monitoring came from Microsoft's own experience. The company noted that attackers who successfully got into company machines would drop tools on the machine, use these, and delete these when they were done. The new file delete monitoring provides analysts with information about the tools that the attacker used on the system. Naturally, file deletion activity covers other types of deletions as well when it is used."
Has anyone here used it yet to check how well it manages this task?
Sysmon - Sysinternals: Monitors and reports key system activity via the Windows event log. (docs.microsoft.com)
Sysmon 11.0 is out with file delete monitoring - gHacks Tech News: Sysmon 11.0 is a new version of the specialized system monitoring tool for Windows; the new version supports the logging of file delete events among other things. (www.ghacks.net)
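As an added example (not part of the original post or of Sysinternals' own material), here is one way to check for yourself how well the new FileDelete event does its job: push a Sysmon 11 configuration that logs and archives deletions of executable-type files, delete a test binary, then read back Event ID 23 and confirm the copy was kept. The archive directory name, the extension list, the Sysmon64.exe location and the test-file path are assumptions for illustration; the event fields (Image, TargetFilename, Hashes, IsExecutable, Archived) are those Sysmon 11 writes for Event ID 23. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): enable Sysmon 11 FileDelete
# (Event ID 23) with archiving, trigger one deletion, and verify what was logged.
# Assumptions for illustration only: Sysmon64.exe lives in %SystemRoot% once
# installed, the archive directory is named 'SysmonArchive', and only
# .exe/.dll/.ps1 deletions are of interest.

$SysmonExe      = Join-Path $env:SystemRoot 'Sysmon64.exe'
$ArchiveDirName = 'SysmonArchive'   # Sysmon creates it at each volume root, e.g. C:\SysmonArchive
$ConfigPath     = Join-Path $env:TEMP 'sysmon-filedelete.xml'

# Schema 4.30 is the first schema version that knows the FileDelete event.
# An include rule keeps temp-file churn out of the log and the archive:
# only deletions of files with these extensions are recorded.
@"
<Sysmon schemaversion="4.30">
  <HashAlgorithms>sha256</HashAlgorithms>
  <ArchiveDirectory>$ArchiveDirName</ArchiveDirectory>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
        <TargetFilename condition="end with">.dll</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"@ | Set-Content -Path $ConfigPath -Encoding ASCII

# Install if absent, otherwise push the new configuration to the running driver.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $SysmonExe -c $ConfigPath | Out-Null
} else {
    & $SysmonExe -accepteula -i $ConfigPath | Out-Null
}

# Produce one deletion that should match the rule: copy a known binary, remove it.
$Probe = Join-Path $env:TEMP ('probe-{0}.exe' -f (Get-Random))
Copy-Item (Join-Path $env:SystemRoot 'System32\whoami.exe') $Probe
Remove-Item $Probe
Start-Sleep -Seconds 2   # give the service a moment to write the event

function Get-SysmonFileDelete {
    # Returns Event ID 23 records from the Sysmon operational log as objects,
    # limited to the last $Minutes minutes.
    param([int]$Minutes = 10)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 23
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Image          = $d['Image']          # process that performed the delete
            User           = $d['User']
            TargetFilename = $d['TargetFilename']
            Hashes         = $d['Hashes']         # e.g. SHA256=...
            IsExecutable   = $d['IsExecutable']   # 'true' when the file is a PE image
            Archived       = $d['Archived']       # 'true' when a copy was kept
        }
    }
}

$events = Get-SysmonFileDelete | Where-Object TargetFilename -eq $Probe
$events | Format-List

# The Archived field is the authoritative answer. The directory listing below is
# best effort: Sysmon protects the archive with a SYSTEM-only ACL, so an
# administrator shell normally cannot read it (use psexec -s -i powershell).
# The "hash in file name" convention used for the lookup is an assumption.
$archiveRoot = Join-Path $env:SystemDrive $ArchiveDirName
foreach ($e in $events) {
    if ($e.Archived -ne 'true') { "Not archived: $($e.TargetFilename)"; continue }
    $sha  = ($e.Hashes -split ',' | Where-Object { $_ -like 'SHA256=*' }) -replace '^SHA256=', ''
    $kept = Get-ChildItem -Path $archiveRoot -Filter "*$sha*" -ErrorAction SilentlyContinue
    if ($kept) { "Archived copy present: $($kept.FullName)" }
    else       { "Event says archived, but $archiveRoot is not readable from this context" }
}
```

Two caveats worth keeping in mind when judging the result: the copy is taken at delete time, so an attacker who overwrites a tool with zeros before deleting it leaves you an archived file of zeros, and every matching deletion lands on disk under the archive directory, so an include rule scoped to the extensions you care about matters more here than for most Sysmon events.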