On November 23rd Microsoft / Sysinternals released a new version of Sysmon. Sysmon installs as a Windows service (backed by a kernel driver) and writes detailed events for activity that a default Windows audit configuration does not record, such as process creation with file hashes and parent process, and outbound network connections tied back to the process that made them.
Sysmon can be used to troubleshoot server issues, but today I want to outline how it can be used to detect malware or other malicious activity on hosts.
This is far beyond the level of detail that the Security event log's process-creation auditing will show.
Now you know that a malicious piece of code was executed on your system, but you are still unsure whether it is calling back to an attacker. Fear not, Sysmon has you covered there as well.
Shortly after the Event ID 1 (ProcessCreate) was logged, we see an Event ID 3 (NetworkConnect) carrying the same ProcessGuid, which is the key that ties the connection back to the process that opened it:
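To show the correlation in code, here is an added example (not part of the original post, and not a Sysinternals tool) that reads Sysmon events exported as XML, indexes the Event ID 1 records by ProcessGuid, attaches every Event ID 3 record with the same ProcessGuid to its process, and then reports processes that were launched from a user-writable directory and went on to initiate an outbound connection. The four event records, the file paths, the IP addresses and the "user-writable directory" heuristic are all constructed for the demo; only the event layout and field names follow what Sysmon writes to Microsoft-Windows-Sysmon/Operational.

```python
"""Correlate Sysmon Event ID 1 (ProcessCreate) with Event ID 3 (NetworkConnect).

Added example for this post: the records below are constructed sample data in the
XML layout Sysmon writes to the Microsoft-Windows-Sysmon/Operational channel (only
the fields used here are included).
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events: a dropper run from %TEMP% by Word that calls out to
# 198.51.100.23:4444, and a browser (different ProcessGuid) talking to 203.0.113.5:443.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2014-11-24 09:15:02.114</Data>
    <Data Name="ProcessGuid">{A1B2C3D4-0001-0000-0000-000000000001}</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\invoice.exe</Data>
    <Data Name="CommandLine">"C:\Users\alice\AppData\Local\Temp\invoice.exe"</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\Office15\WINWORD.EXE</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID></System>
  <EventData>
    <Data Name="UtcTime">2014-11-24 09:15:03.377</Data>
    <Data Name="ProcessGuid">{A1B2C3D4-0001-0000-0000-000000000001}</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\invoice.exe</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">198.51.100.23</Data>
    <Data Name="DestinationPort">4444</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2014-11-24 09:16:40.002</Data>
    <Data Name="ProcessGuid">{A1B2C3D4-0002-0000-0000-000000000002}</Data>
    <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
    <Data Name="CommandLine">"C:\Program Files\Google\Chrome\Application\chrome.exe"</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID></System>
  <EventData>
    <Data Name="UtcTime">2014-11-24 09:16:41.590</Data>
    <Data Name="ProcessGuid">{A1B2C3D4-0002-0000-0000-000000000002}</Data>
    <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="DestinationIp">203.0.113.5</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData></Event>""",
]

# Path fragments a user can write to without admin rights (assumed heuristic, not a
# Sysmon feature); executables started from here deserve a second look.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


def parse_event(xml_text):
    """Flatten one Sysmon event into a dict of its EventData fields plus EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields


def is_suspicious_image(image):
    return any(marker in image.lower() for marker in USER_WRITABLE_MARKERS)


def correlate(xml_records):
    """Map ProcessGuid -> ProcessCreate record, each with a list of its NetworkConnects.

    A NetworkConnect whose ProcessCreate was never seen (process older than Sysmon)
    is kept under its ProcessGuid with EventID None so it is not silently dropped.
    """
    processes = {}
    for rec in map(parse_event, xml_records):
        guid = rec["ProcessGuid"]
        if rec["EventID"] == 1:
            rec["Connections"] = processes.get(guid, {}).get("Connections", [])
            processes[guid] = rec
        elif rec["EventID"] == 3:
            proc = processes.setdefault(guid, {"EventID": None, "Image": rec["Image"], "Connections": []})
            proc["Connections"].append(rec)
    return processes


def find_beaconing_suspects(xml_records):
    """Return [(image, [(dst_ip, dst_port), ...])] for processes launched from a
    user-writable path that then initiated at least one outbound connection."""
    hits = []
    for proc in correlate(xml_records).values():
        if proc["EventID"] != 1 or not is_suspicious_image(proc["Image"]):
            continue
        outbound = [(c["DestinationIp"], int(c["DestinationPort"]))
                    for c in proc["Connections"] if c.get("Initiated") == "true"]
        if outbound:
            hits.append((proc["Image"], outbound))
    return hits


if __name__ == "__main__":
    for image, conns in find_beaconing_suspects(SAMPLE_EVENTS):
        print(image, "->", ", ".join(f"{ip}:{port}" for ip, port in conns))
```

Joining on ProcessGuid rather than ProcessId matters: PIDs are recycled, so a connection logged after a process exits can land on an unrelated process if you key by PID alone. The `Initiated` field distinguishes outbound connections (the beaconing case above) from inbound ones, which Sysmon also records with the same event ID.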
I hope to make a few more posts covering Sysmon, including more advanced configurations, filtering out noisy events, the detection of Mimikatz (https://github.com/gentilkiwi/mimikatz) and how to work with Sysmon events via PowerShell.