
Sysinternals unveils Sysmon 6.0

17 February 2017, Mike Williams

Microsoft Sysinternals has shipped Sysmon 6.0, a driver-based system activity monitor for Windows that records process, network and other events to the Windows event log for detection and forensic use.

The new release can log one process opening a handle to another (the new ProcessAccess event, ID 10), a straightforward way to spot Mimikatz-style credential dumping, which has to read the memory of lsass.exe. Expect legitimate noise, though: antivirus engines and several Windows services open lsass.exe as well, so filter on the accessing image and the requested access mask rather than alerting on every event.

Sysmon's Registry events (object create and delete, value set, and key or value rename) now report "friendly" key names such as HKLM\... instead of the raw \REGISTRY\MACHINE\... object path, which makes them far easier to read and to write filters against.

New named pipe events (ID 17 "Pipe Created" and ID 18 "Pipe Connected") may help you spot communication between separate malware components, since named pipes are a common channel both for that and for remote-execution tooling.

Sysmon configuration changes are now logged as a separate event (ID 16, "Sysmon config state changed"), so a new configuration is itself recorded rather than silently taking effect. Treat this as a tripwire rather than a lock: an attacker with administrative rights can still alter or uninstall Sysmon, but the change now leaves evidence in the log, provided that log is being forwarded somewhere the attacker cannot reach.

Maybe most useful, especially for novices, is a new switch to dump Sysmon's entire configuration schema: sysmon -s

The switch prints every event type Sysmon can record together with the fields you can filter on, which is exactly what you need in order to write your own rules (to see the configuration currently loaded into the driver, run sysmon -c with no further argument instead). A recent Mark Russinovich presentation had some neat examples of just how powerful these filters can be.

Here's a filter which logs only network connections made by Chrome. It sits, like the one after it, inside the <EventFiltering> element of a Sysmon configuration file.

<NetworkConnect onmatch="include">
  <Image condition="contains">chrome.exe</Image>
</NetworkConnect>

This one excludes image loads whose signer name contains "microsoft", which removes most of the volume from Windows' own DLLs. Image load logging is extremely chatty, so an exclude rule like this is usually essential; just be aware that it is a substring match on the signer, so anything signed under a Microsoft certificate, not only Windows components, is dropped.

<ImageLoad onmatch="exclude">
  <Signature condition="contains">microsoft</Signature>
</ImageLoad>
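The following PowerShell is an added example, not code from the article or from Sysinternals. It puts the two filters above into a complete Sysmon 6.0 configuration file, adds a ProcessAccess rule for lsass.exe (the credential-dumping case mentioned earlier) and a catch-all for the new named pipe events, installs or updates Sysmon with it, dumps the configuration the driver is actually running, and then pulls recent LSASS access events out of the event log. The paths (C:\Tools\Sysmon64.exe, C:\Tools\sysmon.xml), the Sysmon64 service name and the short list of benign accessors are assumptions made for the example; adjust them for your host and run it from an elevated session.

```powershell
# Added example (not from the article or from Sysinternals).
# Assumptions: Sysmon64.exe lives in C:\Tools, the config is written to
# C:\Tools\sysmon.xml, the service is named Sysmon64 (the default when
# installing from Sysmon64.exe), and this runs in an elevated PowerShell.
$sysmon = 'C:\Tools\Sysmon64.exe'
$config = 'C:\Tools\sysmon.xml'

@'
<Sysmon schemaversion="3.30">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event 10: log any process that opens a handle to LSASS.
         In schema 3.30 the conditions inside one filter are OR'd, so this
         stays a single condition; access-mask filtering happens below. -->
    <ProcessAccess onmatch="include">
      <TargetImage condition="is">C:\Windows\system32\lsass.exe</TargetImage>
    </ProcessAccess>

    <!-- Events 17/18: an exclude block with no conditions logs every pipe event. -->
    <PipeEvent onmatch="exclude" />

    <!-- Event 3: the article's filter, only Chrome network connections. -->
    <NetworkConnect onmatch="include">
      <Image condition="contains">chrome.exe</Image>
    </NetworkConnect>

    <!-- Event 7: the article's filter, drop Microsoft-signed image loads. -->
    <ImageLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
    </ImageLoad>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $config -Encoding ASCII

# First run: install the driver with this config. Later runs: push the new
# config into the installed Sysmon, which records an event 16
# ("Sysmon config state changed") in the Sysmon log.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $sysmon -c $config
} else {
    & $sysmon -accepteula -i $config
}

# Print the configuration the driver is actually running (this is -c with
# no argument; -s would print the schema instead).
& $sysmon -c

# Pull the last 200 ProcessAccess events, keep the ones that touch LSASS and
# drop a couple of known benign accessors. The benign list is an assumed
# starting point for the example, not a vetted allow-list.
$benign = @('C:\Windows\system32\svchost.exe', 'C:\Windows\system32\wbem\WmiPrvSE.exe')

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> nodes into one object per event.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]$d
    } |
    Where-Object { $_.TargetImage -like '*\lsass.exe' -and $benign -notcontains $_.SourceImage } |
    Select-Object UtcTime, SourceImage, GrantedAccess, CallTrace |
    Format-Table -AutoSize
```

The ProcessAccess rule matches on TargetImage alone because, in this schema version, several conditions inside one filter element are OR'd together (AND-ing them only arrived with the later Rule element), so adding a GrantedAccess condition there would log every process opened with that mask, not just LSASS. Do that check on the output instead: a GrantedAccess of 0x1010 (PROCESS_VM_READ with PROCESS_QUERY_LIMITED_INFORMATION) or 0x1410 (the same plus PROCESS_QUERY_INFORMATION) from an unexpected SourceImage is the pattern credential dumpers leave, and CallTrace shows which modules made the call.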

It takes much longer to master Sysmon than Sysinternals’ other tools, but if you need industrial-strength system monitoring then it’s certainly worth the effort. Take a look.

Sysmon 6.0 is available now for Windows 7 and later.
