Incident Response

CRT01 Sysmon 101


9:15am - 10:30am

Level: Introductory to Intermediate

Andy Milford



Created by Mark Russinovich as part of Microsoft's free Sysinternals suite of tools, Sysmon is a highly customizable and powerful addition to the security professional's arsenal.

Deployed on Windows hosts, be they servers or workstations, Sysmon captures and logs all sorts of actionable data about potentially nefarious activity taking place on your systems, and goes far beyond what standard Windows Security Log auditing can provide. Want to know when malware is creating files in suspect directories? Want to know when an attacker is establishing certain types of network connections (e.g. RDP/FTP) to exfiltrate data? Want to know when Autorun registry locations are being changed, or when a user accesses the clipboard? Want to see all the DNS queries a user makes? Deploy Sysmon!

In this introductory level session, Andy will quickly show you what Sysmon audits, how to customize its XML configuration file, and how to quickly deploy it to your systems using another great Sysinternals tool, PsExec. We'll also discuss ways to control the data it produces prior to SIEM/SIM ingestion, and how to write PowerShell scripts with event log triggers to act on certain Sysmon events.
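As an added illustration (not material from the session or from Sysinternals), the following Sysmon configuration covers the questions raised above: file creation in a user temp directory, outbound RDP/FTP connections, changes to Autorun registry keys, clipboard access, and all DNS queries. The schema version, the directory path, and the port numbers are assumptions; adjust them for your environment and the Sysmon build you deploy.

```xml
<!-- Example Sysmon config (constructed for illustration). Load with: sysmon -c sysmon-config.xml
     Schema version is an assumption; run "sysmon -s" to see what your Sysmon binary supports. -->
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>

    <!-- Event ID 11: file creation in a commonly abused user-writable location (path is an assumption) -->
    <RuleGroup name="SuspectFileCreate" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">\AppData\Local\Temp\</TargetFilename>
      </FileCreate>
    </RuleGroup>

    <!-- Event ID 3: outbound connections on RDP and FTP ports, which the text calls out as exfiltration channels -->
    <RuleGroup name="RdpFtpConnections" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">3389</DestinationPort>
        <DestinationPort condition="is">21</DestinationPort>
      </NetworkConnect>
    </RuleGroup>

    <!-- Event IDs 12/13/14: writes to Autorun (Run / RunOnce) registry locations -->
    <RuleGroup name="AutorunRegistry" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
        <TargetObject condition="contains">\CurrentVersion\RunOnce</TargetObject>
      </RegistryEvent>
    </RuleGroup>

    <!-- Event ID 24: an empty "exclude" block logs every clipboard change -->
    <RuleGroup name="AllClipboard" groupRelation="or">
      <ClipboardChange onmatch="exclude" />
    </RuleGroup>

    <!-- Event ID 22: likewise, log every DNS query (high volume; filter before SIEM ingestion) -->
    <RuleGroup name="AllDns" groupRelation="or">
      <DnsQuery onmatch="exclude" />
    </RuleGroup>

  </EventFiltering>
</Sysmon>
```

Events land in the Microsoft-Windows-Sysmon/Operational channel, which is where a Scheduled Task event trigger or a PowerShell handler would subscribe.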

You will learn:

  • About the types of events Sysmon detects and where those events are logged
  • About how to tune the types of events Sysmon detects, and how to deploy Sysmon on your systems
  • How to create basic triggers with Scheduled Tasks and PowerShell when certain types of activity are detected by Sysmon