THM Room: Sysmon

Introduction

What?

Sysmon (SysInternals Suite) can be used for monitoring and logging events on Windows endpoints and environments.

Why?

To detect malicious activity by tracking code and network traffic.

How?

• Event IDs

• Cutting out the noise

• Hunting metasploit

• Detecting mimikatz

• Hunting malware

• Hunting persistence

• Detecting evasion techniques

• Practical investigations