Sysmon - the simple KACE companion

I was recently shown this lovely little piece of software that unobtrusively runs in the background of Windows environments and gathers data similar to KACE, plus added data such as network connections, so I figured I'd share it with everyone else.

This software is provided for free by Microsoft (as part of the Sysinternals suite) and can easily be deployed by KACE and then read by a centralized server or software (ours pours its data into Splunk).

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Sysmon includes the following capabilities (list taken from the Microsoft documentation linked above):

  • Logs process creation with the full command line for both the current and the parent process.
  • Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
  • Multiple hashes can be used at the same time.
  • Includes a process GUID in process-create events to allow correlation of events even when Windows reuses process IDs.
  • Includes a session GUID in each event to allow correlation of events in the same logon session.
  • Logs loading of drivers or DLLs with their signatures and hashes.
  • Logs opens for raw read access of disks and volumes.
  • Optionally logs network connections, including each connection's source process, IP addresses, port numbers, hostnames and port names.
  • Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
  • Automatically reloads its configuration if it is changed in the registry.
  • Rule filtering to include or exclude certain events dynamically.
  • Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.

Installing through KACE was easy enough for us. We simply added the software and then used the following additional parameters:

-accepteula -i -h md5,sha256 -n

(-accepteula suppresses the license prompt so the unattended install does not hang, -i installs the service and driver, -h selects the hash algorithms recorded for every image, comma-separated, and -n turns on network-connection logging, which is off by default. Use Sysmon64.exe on 64-bit hosts. These switches apply Sysmon's built-in default filtering; to exclude noisy sources or tune what is logged, pass a configuration XML file to -i instead.)

Hopefully some of you are able to get use out of this software as well.
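The following PowerShell script is an added example and is not part of the original post or of the Sysmon or KACE products. It shows the same deployment done with a configuration file rather than command-line switches, plus the two checks a practitioner wants after pushing the package: that the Sysmon service and driver are actually running, and that process-creation (Event ID 1) and network-connection (Event ID 3) events are landing in the Microsoft-Windows-Sysmon/Operational log. Assumptions: the script runs from the KACE package directory with Sysmon64.exe next to it, the hosts are 64-bit (service name Sysmon64, driver name SysmonDrv), and the schemaversion in the constructed configuration is accepted by the installed Sysmon build (check with `Sysmon64.exe -? config`).

```powershell
# Added example: install Sysmon from a KACE-staged package with a config file,
# then verify the service, driver and event flow. Not code from the original post.

$SysmonExe  = Join-Path $PSScriptRoot 'Sysmon64.exe'          # assumed: binary ships with the package
$ConfigPath = Join-Path $env:ProgramData 'sysmonconfig.xml'    # assumed: where we keep the active config

# Constructed configuration equivalent to "-h md5,sha256 -n": hash with MD5 and SHA256,
# log every process creation, log every network connection except mDNS chatter (UDP 5353),
# and log file-creation-time changes. schemaversion is an assumption; it must not exceed
# what the installed Sysmon reports via "Sysmon64.exe -? config".
$Config = @'
<Sysmon schemaversion="4.30">
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <!-- empty exclude list: log every process creation -->
    <ProcessCreate onmatch="exclude" />
    <!-- log all network connections except mDNS noise -->
    <NetworkConnect onmatch="exclude">
      <DestinationPort condition="is">5353</DestinationPort>
    </NetworkConnect>
    <FileCreateTime onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@

function Install-Sysmon {
    param([string]$Exe, [string]$ConfigFile)
    # -i installs service + driver; -c updates the config on an existing install.
    $switch = if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) { '-c' } else { '-i' }
    $p = Start-Process -FilePath $Exe -ArgumentList "-accepteula $switch `"$ConfigFile`"" `
                       -Wait -PassThru -NoNewWindow
    # A non-zero exit code makes the KACE managed install report failure for this host.
    if ($p.ExitCode -ne 0) { throw "Sysmon64.exe $switch failed with exit code $($p.ExitCode)" }
}

function Test-SysmonHealthy {
    # The user-mode service and the kernel driver must both be running, otherwise
    # the collector sees an empty log and nobody notices until an incident.
    $svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'"
    return ($svc -and $svc.Status -eq 'Running' -and $drv -and $drv.State -eq 'Running')
}

function Get-SysmonEvents {
    param([int[]]$Id = @(1, 3), [int]$Max = 20)
    # Pull the newest events and flatten the EventData block into a hashtable so the
    # fields Splunk (or a human) cares about are easy to read.
    $log = 'Microsoft-Windows-Sysmon/Operational'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Id } -MaxEvents $Max -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($_.Id -eq 1) {
                $detail = $d['CommandLine']                                  # full command line
            } else {
                $detail = "$($d['DestinationIp']):$($d['DestinationPort'])"  # where it connected
            }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Image  = $d['Image']
                Detail = $detail
                Hashes = $d['Hashes']        # "MD5=...,SHA256=..." on Event ID 1, empty on ID 3
            }
        }
}

Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8
Install-Sysmon -Exe $SysmonExe -ConfigFile $ConfigPath
if (-not (Test-SysmonHealthy)) { throw 'Sysmon service or driver is not running after install' }
Get-SysmonEvents | Format-Table -AutoSize
```

Running this as the KACE post-install script rather than just passing switches gives you a config you can version-control and re-push with -c without reinstalling, and the health check turns a silent collection gap into a failed deployment you can see in the KACE console.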
