New Sysinternals utility

Mark Russinovich's new program goes by the name sysmon. It logs system activity to the Event Log; more details: here

Overview of Sysmon Capabilities

Sysmon includes the following capabilities:
* Logs process creation with full command line for both current and parent processes.
* Records the hash of process image files using SHA1 (the default), MD5 or SHA256.
* Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
* Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
* Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
* Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.
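The capability list above mentions two points a defender wants to see in practice: correlating events by process GUID rather than by PID (which Windows reuses), and catching backdated file creation timestamps. The example below is added here and is not part of the original post or of Sysmon itself; it uses Sysmon's own field names (ProcessGuid, ParentProcessGuid, CreationUtcTime, PreviousCreationUtcTime) on a small set of constructed events, with made-up GUIDs, PIDs and paths.

```python
from datetime import datetime

# Constructed sample events, flattened to Sysmon's EventData field names.
# Event ID 1 = process create, Event ID 2 = file creation time changed.
EVENTS = [
    {"EventID": 1, "UtcTime": "2014-08-08 09:00:01.000", "ProcessGuid": "{A1}",
     "ProcessId": 1234, "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "explorer.exe", "ParentProcessGuid": "{00}"},
    {"EventID": 1, "UtcTime": "2014-08-08 09:05:00.000", "ProcessGuid": "{B2}",
     "ProcessId": 4321, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ParentProcessGuid": "{A1}"},
    # cmd.exe has exited and Windows hands PID 4321 to an unrelated process.
    {"EventID": 1, "UtcTime": "2014-08-08 09:10:00.000", "ProcessGuid": "{C3}",
     "ProcessId": 4321, "Image": "C:\\Windows\\notepad.exe",
     "CommandLine": "notepad.exe", "ParentProcessGuid": "{A1}"},
    {"EventID": 2, "UtcTime": "2014-08-08 09:06:00.000", "ProcessGuid": "{B2}",
     "ProcessId": 4321, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Temp\\dropper.exe",
     "CreationUtcTime": "2012-01-01 00:00:00.000",
     "PreviousCreationUtcTime": "2014-08-08 09:05:30.000"},
]

def parse_utc(s):
    """Sysmon writes UTC timestamps as 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def build_process_tree(events):
    """Key process-create events by ProcessGuid; stays unique across PID reuse."""
    return {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}

def lineage(tree, guid):
    """Follow ParentProcessGuid links from guid to the root; returns image paths."""
    chain = []
    while guid in tree:
        chain.append(tree[guid]["Image"])
        guid = tree[guid]["ParentProcessGuid"]
    return chain

def pids_reused(events):
    """PIDs that occur in more than one process-create event with distinct GUIDs."""
    seen = {}
    for e in events:
        if e["EventID"] == 1:
            seen.setdefault(e["ProcessId"], set()).add(e["ProcessGuid"])
    return sorted(pid for pid, guids in seen.items() if len(guids) > 1)

def find_timestomping(events):
    """Event ID 2 records whose new creation time is older than the previous one."""
    return [(e["ProcessGuid"], e["Image"], e["TargetFilename"]) for e in events
            if e["EventID"] == 2
            and parse_utc(e["CreationUtcTime"]) < parse_utc(e["PreviousCreationUtcTime"])]
```

Joining the Event ID 2 hit back to the tree by its ProcessGuid yields the cmd.exe -> explorer.exe chain; joining by PID 4321 alone would be ambiguous because notepad.exe later received the same PID.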

Comments

coool, thanks for sharing. Don't you want to submit it as a news item? It would be on-topic...
--

He who yearns to be where the dove flies misses the treasure down here below.