Sysmon: How To Set Up, Configure, and Analyze the System Monitor's Events

Sysmon, short for System Monitor, is a utility developed by Mark Russinovich as part of the Sysinternals suite. It is installed on a Windows box as a system service together with a device driver; the two work in concert to record activity across the system into the Windows Event Log. Even a quick review of the events Sysmon generates can help identify malware, intrusions, and breaches within the network.
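The kind of quick review described above, as an added example that is not part of the original article: a small Python script that parses one Sysmon record in the Windows Event XML shape (what `Get-WinEvent` returns from the `Microsoft-Windows-Sysmon/Operational` channel when you call `.ToXml()` on a record), pulls out the fields an analyst looks at first, and applies one illustrative triage rule. The sample event, the host name, user, hash and the rule itself are all constructed for the example, not captured from a real host.

```python
"""Parse a Sysmon event rendered as Windows Event XML and run a simple
triage check over it.  Added example; the sample record is constructed."""
import xml.etree.ElementTree as ET

# Namespace used by Windows Event XML (the output of EventLogRecord.ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# A few Sysmon event IDs and their names, for readable output.
EVENT_NAMES = {1: "ProcessCreate", 3: "NetworkConnect", 11: "FileCreate"}

# Constructed Sysmon Event ID 1 (process creation) record.  Host, user, paths
# and the all-zero hash are made-up sample values.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WORKSTATION-01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2024-01-15 10:22:31.117</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="ParentCommandLine">"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n</Data>
  </EventData>
</Event>"""


def parse_sysmon_event(xml_text: str) -> dict:
    """Return the System header fields plus every EventData <Data Name=...> value."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": event_id,
        "event_name": EVENT_NAMES.get(event_id, f"EventID{event_id}"),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "data": data,
    }


def _basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


# Illustrative rule (an assumption for this example, not a Sysmon feature):
# an Office application starting a command interpreter is worth a look.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def office_spawned_interpreter(event: dict) -> bool:
    """True for a ProcessCreate event whose parent is Office and child an interpreter."""
    if event["event_id"] != 1:
        return False
    parent = _basename(event["data"].get("ParentImage", ""))
    child = _basename(event["data"].get("Image", ""))
    return parent in OFFICE_APPS and child in INTERPRETERS


def summarize(event: dict) -> str:
    """One-line analyst summary of the event, with a flag when the rule fires."""
    d = event["data"]
    flag = " [REVIEW: Office app spawned interpreter]" if office_spawned_interpreter(event) else ""
    return (f"{d.get('UtcTime', '?')} {event['computer']} {event['event_name']} "
            f"user={d.get('User', '?')} parent={_basename(d.get('ParentImage', ''))} "
            f"image={_basename(d.get('Image', ''))} cmd={d.get('CommandLine', '')!r}{flag}")


if __name__ == "__main__":
    print(summarize(parse_sysmon_event(SAMPLE_EVENT_XML)))
```

On a real host the same parser can be fed from PowerShell, for example by exporting records with `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` and `ToXml()`; the EventData field names depend on the event ID, so a production version would branch on `event_id` before reading them.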

What Does Sysmon Do?

Because the project is under active development, new artifacts and evidence sources are constantly being added to Sysmon's capabilities. You can nevertheless get a quick idea of how Sysmon helps identify anomalous activity from this short list of features:
