Thursday, August 28, 2014

Sysmon

Sysmon is a new tool from the Sysinternals collection. It logs security-relevant operations performed by processes inside Microsoft Windows: process creation details, network connections made by a process, and changes to a file's creation time. The latter is common malware behavior (although it may also be the action of a legitimate process).
Once downloaded, it can be installed with the following command:

Sysmon.exe -i -h sha256 -n

It then runs as a system service that starts at boot time. After installation, open the Windows Event Viewer and navigate to Applications and Services Logs/Microsoft/Windows/Sysmon/Operational to view its logs.
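To work with these logs from the command line instead of the Event Viewer, here is an added PowerShell example (not part of the original post) that reads the Operational log and filters the two event types the post calls out. It assumes Sysmon is installed, and relies on Sysmon's own event IDs (1 = process create, 2 = file creation time changed, 3 = network connection) and the field names from its event schema.

```powershell
# Added example, not from the original post: flatten Sysmon events from the
# Operational log into objects whose properties are the Sysmon EventData fields.
# Event IDs are Sysmon's own: 1 = process create, 2 = file creation time
# changed, 3 = network connection. Requires Sysmon to be installed.
$logName = 'Microsoft-Windows-Sysmon/Operational'
$names = @{ 1 = 'ProcessCreate'; 2 = 'FileCreateTime'; 3 = 'NetworkConnect' }

function Get-SysmonEvent {
    param([int[]]$Id = @(1, 2, 3), [int]$MaxEvents = 500)
    # Get-WinEvent raises a non-terminating error when nothing matches, so
    # silence it and simply return no objects in that case.
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $Id } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every Sysmon event carries its fields as <Data Name="..."> elements.
            $xml = [xml]$_.ToXml()
            $props = [ordered]@{ TimeCreated = $_.TimeCreated; EventId = $_.Id; Type = $names[$_.Id] }
            foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
            [pscustomobject]$props
        }
}

# File creation time changes (ID 2): the suspicious case is a creation time
# pushed into the past, so the file appears older than it really is.
Get-SysmonEvent -Id 2 |
    Where-Object { [datetime]$_.CreationUtcTime -lt [datetime]$_.PreviousCreationUtcTime } |
    Select-Object TimeCreated, Image, TargetFilename, PreviousCreationUtcTime, CreationUtcTime |
    Format-Table -AutoSize

# Outbound connections (ID 3) grouped by initiating image and destination port,
# which quickly surfaces processes that have no business talking to the network.
Get-SysmonEvent -Id 3 |
    Where-Object { $_.Initiated -eq 'true' } |
    Group-Object Image, DestinationPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Run it from an elevated PowerShell prompt, since reading the Sysmon log requires administrative rights.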
