At times it is very difficult to detect some very specific cases, such as finding the hash of a file or image, or the full command line of a process that creates other processes, just by looking at the native event logs in Event Viewer. For this we need something extra: something that provides more concrete evidence of an event and helps in forensic analysis.
This is where Sysmon comes in handy. As per Microsoft, Sysmon provides the following capabilities:
- “Logs process creation with full command line for both current and parent processes.
- Records the hash of process image files using SHA1 (the default), MD5 or SHA256.
- Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
- Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
- Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
- Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.”
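As an added example (not part of the original post, and not Sysmon's own tooling), the following Python script parses Sysmon Event ID 1 (ProcessCreate) records in the XML shape that Event Viewer shows under Details > XML View, and shows why the process GUID in the list above matters for forensics. The sample events are constructed: PID 4321 is deliberately reused, so a lookup by PID finds two candidate parents, while ParentProcessGuid resolves to exactly one. The field names (ProcessGuid, CommandLine, ParentCommandLine, Hashes, and so on) are Sysmon's; the hash values, GUIDs and paths are placeholders.

```python
"""Added example: parse Sysmon Event ID 1 (ProcessCreate) records exported as
XML and correlate parent and child processes by ProcessGuid instead of PID.
The sample events below are constructed, not taken from a real system."""
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Constructed sample log: three ProcessCreate events wrapped in a root element.
# PID 4321 appears twice because Windows reused it after notepad.exe exited;
# only the ProcessGuid tells the two apart. Hash values are placeholders.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="ProcessId">4321</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">"C:\Windows\System32\notepad.exe" readme.txt</Data>
    <Data Name="Hashes">SHA256=AAAA0001,MD5=BBBB0001</Data>
    <Data Name="ParentProcessGuid">{00000000-0000-0000-0000-0000000000ee}</Data>
    <Data Name="ParentProcessId">1000</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
    <Data Name="ParentCommandLine">C:\Windows\Explorer.EXE</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000002}</Data>
    <Data Name="ProcessId">4321</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">"C:\Windows\System32\cmd.exe" /k</Data>
    <Data Name="Hashes">SHA256=AAAA0002,MD5=BBBB0002</Data>
    <Data Name="ParentProcessGuid">{00000000-0000-0000-0000-0000000000ee}</Data>
    <Data Name="ParentProcessId">1000</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
    <Data Name="ParentCommandLine">C:\Windows\Explorer.EXE</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000003}</Data>
    <Data Name="ProcessId">5555</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -File C:\scripts\backup.ps1</Data>
    <Data Name="Hashes">SHA256=AAAA0003,MD5=BBBB0003</Data>
    <Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000002}</Data>
    <Data Name="ParentProcessId">4321</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentCommandLine">"C:\Windows\System32\cmd.exe" /k</Data>
  </EventData>
</Event>
</Events>"""


def parse_hashes(field):
    """Split Sysmon's 'SHA256=...,MD5=...' Hashes field into a dict."""
    hashes = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def parse_process_create_events(xml_text):
    """Return one dict per Event ID 1 record, keyed by each Data element's Name."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % EVT_NS):
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if event_id.strip() != "1":
            continue  # only ProcessCreate records are of interest here
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        data["Hashes"] = parse_hashes(data.get("Hashes", ""))
        events.append(data)
    return events


def processes_with_pid(events, pid):
    """Every process that ever carried this PID: ambiguous once PIDs are reused."""
    return [e for e in events if e["ProcessId"] == str(pid)]


def resolve_parent(events, child):
    """The exact parent, found via ParentProcessGuid; None if not in the log."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    return by_guid.get(child.get("ParentProcessGuid"))


def ancestry(events, process_guid):
    """Walk ParentProcessGuid links upward. Returns the chain of Image paths,
    starting at the process itself and stopping at the first ancestor that
    is not in the log (for example a process started before Sysmon was)."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chain, seen, guid = [], set(), process_guid
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(by_guid[guid]["Image"])
        guid = by_guid[guid].get("ParentProcessGuid")
    return chain


if __name__ == "__main__":
    evts = parse_process_create_events(SAMPLE_XML)
    child = [e for e in evts if e["Image"].endswith("powershell.exe")][0]
    print("Candidates for parent PID 4321:",
          [e["Image"] for e in processes_with_pid(evts, child["ParentProcessId"])])
    print("Parent by GUID:", resolve_parent(evts, child)["Image"])
    print("Chain:", " <- ".join(ancestry(evts, child["ProcessGuid"])))
    print("Child command line:", child["CommandLine"], "hashes:", child["Hashes"])
```

On a live system the same XML shape can be obtained per event from `Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational"` by calling `.ToXml()` on each record; the parser above is written to accept either a single Event or a wrapper element holding many of them.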