Sysmon 10 is finally here!!

Hello All. As many people who know me can attest, I am a huge fan of Sysmon. I have presented at a lot of cons about it and recommended it many times to customers. As much as I loved Mark Russinovich‘s product before, the following major updates he has made are mind blowing.

  1. OriginalFileName, which adds the PE Original Filename to EventID 1 and 7
  2. EventType to Named Pipe events (EventID 17 and 18)
  3. DNS events (EventID 22)

OriginalFileName

Looking at the EventLog, the Process Create and Image Load events have the OriginalFileName field added to them, this is derived from the PE header of the file. This will make it a lot harder for malware and/or actors to rename binaries to try and avoid detection based on the original file name / path.

Named Pipe EventType

This now allows for instance filtering on ConnectPipe (18) events to only see the creation, saving a lot of data.

DNS

Now, this is the update that I have been so excited about. The addition of EventID 22, or DNS logging – see the example (from medium.com) below:

If course, Sysmon 10, as with the other Sysinternals tools, can be downloaded from Microsoft

SwiftOnSecurity also has an alpha configuration available on his website – download it here

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.