Sysmon, A Lightweight Tool That Watches For Malicious System Activity

Mark Russinovich's "Sysinternals Suite", which includes the likes of Process Explorer, Process Monitor, Autoruns and TCPView, is one of the most invaluable collections of free tools ever assembled for Windows. Russinovich has just added a new weapon to this already comprehensive arsenal -- Sysmon, a command-line program that watches for system events, particularly those associated with malicious behaviour.

Sysmon is similar to Process Monitor, in that it lets you record Windows events in real-time. It's a great way to observe the actions of applications that aren't working as they should and even track down nefarious processes. The difference with Sysmon is three-fold -- it has no user interface and is instead launched from the command-line, after which it remains active; it can record the hashes of processes, using MD5, SHA1 or SHA256 and it can capture events during boot, where kernel-mode nasties tend to do their work.

To get it running, download the Sysmon ZIP from Microsoft, extract it to a convenient folder, crack open a terminal in that directory and type the following:

sysmon –i -accepteula –h md5 –n

This will install Sysmon as a resident program, monitoring network connections and creating hashes of new processes. You can replace "md5" with "sha256" or "sha1", with the last of these being the default and more than good enough to avoid collisions.

Sysmon can also tell when a file has had its creation timestamp modified and in some cases, determine its actual creation date. As the tool's page points out, this is common behaviour for a trojan or virus when it overwrites a system file and attempts to hide itself.

While Process Monitor scores higher in terms of user-friendliness, Sysmon has a place if you enjoy a more hands-on approach to system security. You don't always need the bloat of a full anti-virus suite and with the exception of watching for virus signatures, Sysmon provides most of the "real-time" monitoring features the big-name (and non-free) packages provide.

Sysmon v1.0 [Microsoft, via ZDNet]


Comments

    >micorsoft
    It probably secretly kills computers running xp or vista.

      Russinovich and the SysInternals guys got bought out by Microsoft a long time ago (as they were better than MS's own guys when it comes to this stuff) but have basically been left to keep doing their own thing. Their tools have been around for over 10 years now, there's no reason to not trust them.

Join the discussion!