Sysinternals unveils Sysmon 6.0

Microsoft Sysinternals has shipped Sysmon 6.0, a powerful system monitor for Windows.

The new release can log processes which are accessing other processes, a simple way to detect automated Mimikatz-like credential dumping.

Sysmon logs Registry object creates, deletes, value sets and renames, and these all now use "friendly" key names for improved readability.

New named pipe events ("Pipe Created" and "Pipe Connected") may help you spot communications between separate malware processes.

Sysmon configuration changes are now logged as a separate event, making it much more difficult for anyone or anything else to secretly change your setup.

Maybe most useful, especially for novices, is a new switch to dump Sysmon’s entire configuration schema: sysmon -s

The switch enables viewing Sysmon’s current settings, and makes it easier to customize the program with your own filters. A recent Mark Russinovich presentation had some neat examples of just how powerful these can be.

Here’s a filter which logs only Chrome network activity.

<NetworkConnect onmatch="include">
<Image condition="contains">chrome.exe</Image>
</NetworkConnect>

This one excludes Microsoft-signed image loads.

<ImageLoad onmatch="exclude">
<Signature condition="contains">microsoft</Signature>
</ImageLoad>
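The two fragments above are not loadable on their own; here, as an added example that is not from the article or from Sysinternals, they are wrapped into a complete configuration file, with a ProcessAccess rule added for the credential-dumping case mentioned earlier (Mimikatz-style tools open a handle to lsass.exe). The schemaversion value is an assumption for 6.0 and should be checked against the output of sysmon -s.

```xml
<!-- Assumed schema version for Sysmon 6.0: confirm with "sysmon -s" -->
<Sysmon schemaversion="3.30">
  <EventFiltering>

    <!-- "include": only events matching a rule are logged.
         Here: network connections made by Chrome only (from the article). -->
    <NetworkConnect onmatch="include">
      <Image condition="contains">chrome.exe</Image>
    </NetworkConnect>

    <!-- "exclude": everything is logged except matching events.
         Here: drop image loads whose signature names Microsoft (from the article). -->
    <ImageLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
    </ImageLoad>

    <!-- Added rule: log any process that opens a handle to lsass.exe.
         Legitimate access does happen (e.g. from AV or the OS itself), so
         review the SourceImage field rather than treating every hit as an alert. -->
    <ProcessAccess onmatch="include">
      <TargetImage condition="end with">lsass.exe</TargetImage>
    </ProcessAccess>

  </EventFiltering>
</Sysmon>
```

Apply it to an installed Sysmon with "sysmon -c sysmon-config.xml" (file name assumed); the change itself will show up as the new configuration-change event the article describes.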

It takes much longer to master Sysmon than Sysinternals’ other tools, but if you need industrial-strength system monitoring then it’s certainly worth the effort. Take a look.

Sysmon 6.0 is available now for Windows 7 and later.

© 1998-2025 BetaNews, Inc. All Rights Reserved.