The famous Mark Russinovich at Microsoft Sysinternals continues to actively update Sysmon. Sysmon goes above and beyond the Windows Security Log in certain areas where deeper telemetry is needed to detect sophisticated attacks.
Sysmon provides deeper logging on:
- The code running on your endpoints
- Network connections
- Interaction between processes
- Registry access
- File system tampering
- WMIEvent* object activity
- DNS queries
- Clipboard
In this webinar I will provide an introduction to Sysmon and then focus on its latest event IDs. First, we’ll cover Sysmon:
- Installation
- Configuration
- Areas of system activity covered
Then we’ll zero in on new Event IDs added since my last update on Sysmon. These include:
- 22: DNSEvent (DNS query)
- 23: FileDelete (A file delete was detected)
- 24: ClipboardChange (New content in the clipboard)
- 25: ProcessTampering (Process image change)
We are adding examples of all these events to the Security Log Encyclopedia right now.
You can usually trace any new feature Mark adds to Sysmon to techniques used by the bad guys, and I’ll help you see how these new events correspond to specific techniques in MITRE ATT&CK.
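As an added configuration example (not from the webinar or from Sysinternals), here is a Sysmon rule file that turns on the four new event types. Schema version 4.50 and the specific filter values are assumptions chosen for illustration; install with `sysmon64 -accepteula -i sysmon.xml`.

```xml
<!-- Constructed example: schemaversion 4.50 is assumed (a schema that carries
     all four event types). Filter values below are illustrative only. -->
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <!-- Event ID 22: DnsQuery. onmatch="exclude" logs every query except the
         ones matched here, so noisy first-party lookups are dropped. -->
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.microsoft.com</QueryName>
        <QueryName condition="end with">.windowsupdate.com</QueryName>
      </DnsQuery>
    </RuleGroup>
    <!-- Event ID 23: FileDelete. onmatch="include" logs only deletions that
         match; here, executables and PowerShell scripts being removed. -->
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
      </FileDelete>
    </RuleGroup>
    <!-- Event ID 24: ClipboardChange. An empty exclude list logs every change. -->
    <RuleGroup name="" groupRelation="or">
      <ClipboardChange onmatch="exclude" />
    </RuleGroup>
    <!-- Event ID 25: ProcessTampering. An empty exclude list logs every
         process image change Sysmon detects. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessTampering onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

FileDelete also archives a copy of each matching deleted file to Sysmon's archive directory, so keep its include list narrow or disk usage grows quickly.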
Join us for this real training for free session!