I have heard about Sysmon for a long time. Over the past few weeks I have been getting into it and I gotta say, I wish I had gone down this path sooner. The sheer reach and configurability are both amazing and daunting, all rolled into one small executable that can be downloaded from Sysinternals.
I have very recently been doing a deep dive on it as part of my troubleshooting of the mystery servers in the cloud that have been slowing to a standstill every week. Right now I think it will be a big part of figuring out why that is happening.
Also, during my last few commutes to and from work, I watched this YouTube video by Eric Conrad, which has been enlightening. He is one of those people who speak very, very well: he has a passion for what he is talking about and makes you hang on each point in the presentation. I had to watch it a few times to catch all the great points he makes.
Links
- Customized, high quality Sysmon config by Neo23x0 – a great starting point if you need a solid config to run out of the gate. It is optimized to reduce noise and surface the important events.
- Modular approach to Sysmon configuration – a fantastic, code block-based way to build your own config. Included in the repo is a PowerShell function that makes the process even easier. The developer is a Microsoft MVP and frequently updates the repo.
- TrustedSec’s Sysmon Community Guide
- Tracking Malware with Import Hashing (Mandiant) – until Eric’s talk I had never heard of “imphashes”.
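To make the last link concrete, here is an added example (my own code, not from the original post or from Mandiant) of how an import hash is computed, following the definition in the Mandiant article: every imported symbol is written as `module.function`, the module name is lowercased and stripped of its `.dll`/`.ocx`/`.sys` extension, the function name is lowercased (an ordinal import becomes `ordN`), the entries are joined with commas in the order they appear in the PE import directory, and the result is MD5-hashed. Because that order depends on the compiler, linker and original source layout, recompiled or lightly modified variants of the same malware family tend to share an imphash even when their file hashes differ. The import table below is constructed for the example rather than taken from a real binary; the real `pefile` implementation additionally resolves well-known ordinals in `ws2_32` and `oleaut32` to their function names before hashing, which this simplified version omits. Sysmon can log the same value for every process and loaded image if `imphash` is included in the `HashAlgorithms` setting of its configuration.

```python
import hashlib

# Constructed sample import table, as (module, symbol) pairs in the order
# they appear in the PE import directory. An int symbol is an ordinal import.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegOpenKeyExW"),
    ("WS2_32.dll", 23),  # imported by ordinal only
]

# Extensions removed from the module name before hashing (per Mandiant).
_STRIPPED_EXTS = (".dll", ".ocx", ".sys")


def normalise_module(name):
    """Lowercase the module name and drop a trailing .dll/.ocx/.sys."""
    name = name.lower()
    for ext in _STRIPPED_EXTS:
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(imports):
    """Build the comma-separated 'module.function' list that gets hashed.

    Note: pefile also maps well-known ordinals in ws2_32/oleaut32 to names;
    this simplified version keeps them as 'ordN'.
    """
    parts = []
    for module, symbol in imports:
        mod = normalise_module(module)
        sym = "ord%d" % symbol if isinstance(symbol, int) else symbol.lower()
        parts.append("%s.%s" % (mod, sym))
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import list, as a lowercase hex string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    # Same imports in a different order produce a different imphash,
    # which is exactly what makes the value track build lineage.
    print(imphash(list(reversed(SAMPLE_IMPORTS))))
```

Two caveats when pivoting on this value: a packed sample usually imports only a handful of loader functions, so unrelated packed binaries collide on the same imphash, and anything with an empty import table hashes to the MD5 of the empty string.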