I was recently shown this lovely little piece of software that unintrusively runs in the background of Windows environments and gathers data similar to KACE, plus added data such as network connections, so I figured I'd share it with everyone else.

This software is provided for free by Microsoft and can easily be deployed by KACE and then read by a centralized server or software (ours pours data into Splunk).

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Sysmon includes the following capabilities:

  • Logs process creation with full command line for both current and parent processes.
  • Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
  • Multiple hashes can be used at the same time.
  • Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
  • Includes a session GUID in each event to allow correlation of events in the same logon session.
  • Logs loading of drivers or DLLs with their signatures and hashes.
  • Logs opens for raw read access of disks and volumes.
  • Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
  • Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
  • Automatically reloads the configuration if it is changed in the registry.
  • Rule filtering to include or exclude certain events dynamically.
  • Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.

Installing through KACE was easy enough for us. We simply added the software and then used the following additional parameters:

-accepteula -i -h md5,sha256 -n
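As an added example (not from the original post or from Microsoft's documentation), here are the same settings as those switches expressed as a Sysmon configuration file, which is the form the "reload configuration" and "rule filtering" features above rely on, installed and then sanity-checked from PowerShell. The schema version, the location of Sysmon64.exe and the excluded process name are assumptions.

```powershell
# Added example: Sysmon config equivalent to "-h md5,sha256 -n", plus one
# exclude rule, written to disk, installed, and verified.
# Assumptions: Sysmon64.exe is in the current directory, and schemaversion
# 4.22 matches the Sysmon build in use (run .\Sysmon64.exe -? to confirm;
# newer builds accept newer schema versions).

$config = @'
<Sysmon schemaversion="4.22">
  <!-- Same algorithms as the "-h md5,sha256" switch -->
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <!-- onmatch="exclude" with no matching rule logs every network
         connection, which is what "-n" does. The single rule below drops
         the log forwarder's own outbound traffic so collection does not
         flood the log; splunkd.exe is an illustrative name, not required. -->
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">splunkd.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@

$path = Join-Path $PWD 'sysmon-config.xml'
Set-Content -Path $path -Value $config -Encoding ASCII

# Install the driver and service using the config file (-i <config>).
# -accepteula suppresses the license dialog for unattended deployment.
& .\Sysmon64.exe -accepteula -i $path

# Later changes can be pushed without reinstalling (Sysmon reloads them):
# & .\Sysmon64.exe -c $path

# Sanity check: show the newest network-connection events (Event ID 3)
# from the log that a collector such as Splunk would read.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 3
} -MaxEvents 5 | Format-List TimeCreated, Message
```

For a KACE deployment the same config file can be shipped alongside the installer and referenced in the additional parameters in place of the individual -h and -n switches.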


Hopefully some of you are able to get use out of this software as well.