Mark Russinovich’s “Sysinternals Suite”, which includes the likes of Process Explorer, Process Monitor, Autoruns and TCPView, is one of the most invaluable collections of free tools ever assembled for Windows. Russinovich has just added a new weapon to this already comprehensive arsenal — Sysmon, a command-line program that watches for system events, particularly those associated with malicious behaviour.
Sysmon is similar to Process Monitor, in that it lets you record Windows events in real-time. It’s a great way to observe the actions of applications that aren’t working as they should and even track down nefarious processes. The difference with Sysmon is three-fold: it has no user interface and is instead launched from the command-line, after which it remains active; it can record the hashes of processes using MD5, SHA1 or SHA256; and it can capture events during boot, where kernel-mode nasties tend to do their work.
To get it running, download the Sysmon ZIP from Microsoft, extract it to a convenient folder, crack open a terminal in that directory and type the following:
sysmon -i -accepteula -h md5 -n
This will install Sysmon as a resident program, monitoring network connections and creating hashes of new processes. You can replace “md5” with “sha256” or “sha1”; the last of these is the default and more than good enough to avoid collisions.
Sysmon can also tell when a file has had its creation timestamp modified and in some cases, determine its actual creation date. As the tool’s page points out, this is common behaviour for a trojan or virus when it overwrites a system file and attempts to hide itself.
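The install step above and the timestamp-tampering detection just described, worked through as an added PowerShell example (this is not from the article or from Sysinternals). It installs Sysmon with SHA256 hashing and network logging, then reads the events Sysmon writes to its own event log and summarises the three kinds the article mentions: process creation with hashes (Event ID 1), file creation-time changes (Event ID 2) and network connections (Event ID 3). It assumes sysmon.exe sits in the current directory and that the shell is elevated; the helper name ConvertTo-SysmonData is my own.

```powershell
# Added example, not the article's own code. Assumes sysmon.exe is in the
# current directory and that this shell runs as Administrator.

# Install as a service: -i install, -h hash algorithm, -n log network connections.
.\sysmon.exe -i -accepteula -h sha256 -n

# Sysmon writes to this dedicated operational log.
$log = 'Microsoft-Windows-Sysmon/Operational'

# Turn one event's XML payload into a hashtable keyed by each Data element's Name.
# (Hypothetical helper defined here for the example.)
function ConvertTo-SysmonData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

# Pull the most recent events and print a one-line summary per event type.
Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction Stop |
    Where-Object { $_.Id -in 1, 2, 3 } |
    ForEach-Object {
        $d = ConvertTo-SysmonData $_
        switch ($_.Id) {
            # Process creation: image path plus the hash(es) chosen at install time.
            1 { "[ProcessCreate]  $($d.Image) hashes=$($d.Hashes)" }
            # Creation time changed: who touched which file, and the old vs new stamp.
            # A system file whose creation time moved backwards is the case the article describes.
            2 { "[FileTimeChange] $($d.Image) set $($d.TargetFilename) to $($d.CreationUtcTime) (was $($d.PreviousCreationUtcTime))" }
            # Network connection: originating image and where it went.
            3 { "[NetworkConnect] $($d.Image) -> $($d.DestinationIp):$($d.DestinationPort)" }
        }
    }
```

Event ID 2 is the one to watch for the timestamp trick: Sysmon records both the new and the previous creation time, so a file whose creation date has been pushed back to blend in with the rest of the system directory shows up with the two values side by side, along with the process that made the change.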