System Monitor (Sysmon) is a security utility developed by Microsoft CTO Mark Russinovich together with Thomas Garnier.

Sysmon enriches the Windows event log with additional events that are not natively available on Windows operating systems, including network connections, registry changes, file creations, and WMI events. These additional event logs provide valuable information for detecting malicious behaviour.

Since Sysmon events are written to the Windows Event Log, we can centrally capture them using a Windows Event Forwarding (WEF) collector and then funnel the events to the Elastic Stack for analysis. Some example detections where Sysmon provides value:

  • network connections to, from, or between devices that are not expected.
  • monitoring autostart locations, like the Startup folder, for file creations.
  • detecting abuse of WMI event subscriptions.
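A toy version of these three detections, run over a handful of constructed Sysmon events shaped like the flattened JSON a WEF collector would forward to Elastic. This is an added example, not code from the original article; the expected network ranges and the Startup-folder path fragment are assumptions chosen for the sample, while the event IDs are Sysmon's documented ones.

```python
import ipaddress

# Constructed sample events, shaped like the flattened JSON a WEF collector
# forwards to Elastic. EventID values are Sysmon's own: 3 = network connection,
# 11 = file created, 19/20/21 = WMI filter / consumer / binding registered.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 4444},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\upd.lnk"},
    {"EventID": 20, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Name": "Updater", "Type": "CommandLine"},
]

# Assumed site policy for this example: only these ranges are expected peers.
EXPECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Path fragment shared by the per-user and all-users Startup folders (assumed marker).
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
WMI_SUBSCRIPTION_IDS = {19: "WmiEventFilter", 20: "WmiEventConsumer",
                        21: "WmiEventConsumerToFilter"}

def unexpected_connection(ev):
    """Event ID 3 whose destination lies outside the expected ranges."""
    if ev["EventID"] != 3:
        return False
    ip = ipaddress.ip_address(ev["DestinationIp"])
    return not any(ip in net for net in EXPECTED_NETWORKS)

def startup_file_created(ev):
    """Event ID 11 writing into a Startup folder, a common persistence location."""
    return ev["EventID"] == 11 and STARTUP_MARKER in ev.get("TargetFilename", "").lower()

def wmi_subscription(ev):
    """Event IDs 19/20/21: a WMI filter, consumer or binding was registered."""
    return ev["EventID"] in WMI_SUBSCRIPTION_IDS

RULES = [("unexpected_network_connection", unexpected_connection),
         ("startup_folder_file_created", startup_file_created),
         ("wmi_event_subscription", wmi_subscription)]

def detect(events):
    """Return (rule_name, Image) pairs for every event that trips a rule."""
    return [(name, ev["Image"]) for ev in events for name, rule in RULES if rule(ev)]
```

In a real deployment the same three predicates would live as Elastic queries or detection rules over the forwarded index; the point here is which Sysmon fields each scenario keys on.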

In addition to the above proactive detection scenarios, Sysmon-enriched logs are valuable when completing forensic investigations.

See the Sysmon site for details on the event IDs.