Sysmon: A Windows Hidden Gem
Updated: Jan 25, 2021
Sysmon (system monitor) is a Windows system device and device driver. It monitors and logs system activities and provides more detailed logs than the native windows tools. Sysmon can be used to identify malicious activity and understand how an attacker or malware may move through your network.
While Sysmon is a Windows tool, it is not preinstalled and requires a separate download from Microsoft. Sysmon also does not analyze the logs it collects itself; that job is left to you. It also does not try and hide itself from attackers and it can be deleted easily in an attack.
Sysmon is a really useful tool due to its numerous features. Some of Sysmon's features include logging process creation for both current and parent processes, record the hash values of process image files, and allows for multiple hashes to be used at once. One of Sysmon's particularly useful features is that it assigns process and session GUIDs to allow for event correlation and this means that you can track events to a specific login or user session. Sysmon also logs the loading of drivers and DLLs with their signatures and hashes.
It can also log a lot of data about network connections such as IP addresses, port names and numbers, hostnames, and each connections source process. Sysmon detects changes in file creation time which is a useful forensic tool. Sysmon allows for rule filtering so it can be tailored to your specific needs. Finally, sysmon logs events from early on in the boot process to help capture activity made by kernel mode malware.
Sysmon is so useful because of how much more detailed its logs are. Below is a standard Windows log of process creation; it provides some information such as process info like the name and process ID.
However, when compared to a sysmon log, it seems sparse in its information. Below is a Sysmon log of a process creation and it shows much more information.
Here, we can see some of the features discussed above, such as hash values and the GUIDs that allow for event correlation.
Sysmon uses its own Event ID system and adds 24 IDs specific to Sysmon. An example of some of these ID's include Event ID 1 (shown above, process creation) , Event ID 3 (network connection), Event ID 5 (Process termination), and event ID 11 (file creation). Event ID 255 is a sysmon failure.
Sysmon also adds its own log inside of the Windows Event Viewer, which allows for it to be looked through quicker. Sysmon is non-intrusive and can be accessed alongside the native Windows logs.