Here is a slightly esoteric item I just came across; perhaps it is interesting for one or the other reader. The Sysinternals tools include the program Sysmon, which even received an update a few days ago (see Sysinternals: Sysmon V8.0, Autoruns V13.90). System Monitor (Sysmon) is a Windows system service and device driver that, once installed, remains resident across system reboots to monitor system activity and write it to the Windows event log. It provides detailed information about process creation, network connections and changes to file creation time. Administrators can collect the resulting events using Windows Event Collection or SIEM agents and analyze them, which makes it possible to detect and understand malicious or anomalous activity. How can the data Sysmon records, such as ProcessGUIDs, ParentProcessGUIDs and LogonGUIDs, be extracted? Someone wrote a small PowerShell script for this.
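As an added example (not the script the post refers to), the following PowerShell reads Sysmon process-creation records (Event ID 1) from the Microsoft-Windows-Sysmon/Operational log, extracts ProcessGuid, ParentProcessGuid and LogonGuid from the event XML, and uses the GUIDs to rebuild each process's ancestry per logon session; the function names and the $MaxEvents default are my own choices.

```powershell
# Added example (not the script the post refers to): read Sysmon process-creation
# events (Event ID 1), extract the GUID fields from the event XML and use
# ProcessGuid/ParentProcessGuid to rebuild each process's ancestry chain.
# Assumes Sysmon is installed and the caller can read its operational log.
param([int]$MaxEvents = 500)   # recent Event ID 1 records to read (assumed default)

$LogName = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonProcessCreate {
    param([int]$Count)
    # FilterHashtable filters at the log level instead of pulling every record.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } -MaxEvents $Count -ErrorAction Stop
    foreach ($e in $events) {
        # Sysmon stores its fields as <Data Name="...">value</Data> under EventData.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            UtcTime           = $data['UtcTime']
            ProcessGuid       = $data['ProcessGuid']
            Image             = $data['Image']
            User              = $data['User']
            LogonGuid         = $data['LogonGuid']
            ParentProcessGuid = $data['ParentProcessGuid']
        }
    }
}

# Index by ProcessGuid: unlike PIDs, Sysmon GUIDs are not recycled, so the parent
# link stays unambiguous even after the parent's PID has been reused.
$procs  = @(Get-SysmonProcessCreate -Count $MaxEvents)
$byGuid = @{}
foreach ($p in $procs) { $byGuid[$p.ProcessGuid] = $p }

function Get-AncestryChain {
    param([string]$Guid)
    # Follow ParentProcessGuid links until the parent falls outside the collected window.
    $chain = @(); $seen = @{}
    while ($Guid -and $byGuid.ContainsKey($Guid) -and -not $seen.ContainsKey($Guid)) {
        $seen[$Guid] = $true
        $chain += ('{0} ({1})' -f $byGuid[$Guid].Image, $Guid)
        $Guid = $byGuid[$Guid].ParentProcessGuid
    }
    $chain -join ' <- '
}

# Group by LogonGuid to see which logon session spawned which processes.
$procs | Group-Object LogonGuid | ForEach-Object {
    "`nLogonGuid $($_.Name) ($($_.Group[0].User)):"
    foreach ($p in $_.Group) { '  ' + (Get-AncestryChain -Guid $p.ProcessGuid) }
}
```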