I was recently shown this lovely little software that unintrusively runs in the background of Windows environments and gathers data similar to KACE, plus added data such as network connections, so I figured I'd share it with everyone else.
This software is provided for free by Microsoft and can easily be deployed by KACE and then read by a centralized server or software (ours pours data into Splunk).
Sysmon includes the following capabilities:
- Logs process creation with full command line for both current and parent processes.
- Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
- Multiple hashes can be used at the same time.
- Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
- Includes a session GUID in each event to allow correlation of events on the same logon session.
- Logs loading of drivers or DLLs with their signatures and hashes.
- Logs opens for raw read access of disks and volumes.
- Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
- Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
- Automatically reloads its configuration if it is changed in the registry.
- Rule filtering to include or exclude certain events dynamically.
- Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.
Installing through KACE was easy enough for us. We simply added the software and then used the following additional parameters:
-accepteula -i -h md5,sha256 -n
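With those parameters, each process-create event (ID 1) carries an MD5 and SHA256 hash in its Hashes field and each network connection (ID 3) carries the owning ProcessGuid, so events can be joined by GUID even after Windows reuses a PID. The following is an added example for the collector side, not part of the original post or of Sysmon itself: a small Python parser over constructed Sysmon-style event XML (the hostnames, GUIDs, IPs and hash values are made up) that correlates connections to their process by ProcessGuid and, for contrast, shows how a join on ProcessId alone becomes ambiguous.

```python
"""Correlate Sysmon process-create (ID 1) and network-connect (ID 3) events
by ProcessGuid. Added example; all sample events below are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Windows event XML namespace used by exported/forwarded Sysmon events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, data):
    """Build one Sysmon-style event XML string from constructed field values."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><Provider Name='Microsoft-Windows-Sysmon'/>"
        f"<EventID>{event_id}</EventID>"
        "<Channel>Microsoft-Windows-Sysmon/Operational</Channel>"
        "<Computer>ws01.example.test</Computer></System>"
        f"<EventData>{rows}</EventData></Event>"
    )


GUID_A = "{11111111-0001-0000-0000-000000000001}"  # constructed
GUID_B = "{11111111-0002-0000-0000-000000000002}"  # constructed

# Constructed sample: two different processes that receive the same PID 4242
# (the first one exits, Windows hands the PID out again). Hash values are fake.
SAMPLE_EVENTS = [
    _event(1, {
        "UtcTime": "2024-05-01 09:00:00.001", "ProcessGuid": GUID_A,
        "ProcessId": "4242", "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt',
        "Hashes": "MD5=" + "aa" * 16 + ",SHA256=" + "bb" * 32,
        "ParentProcessGuid": "{11111111-0000-0000-0000-000000000000}",
        "ParentProcessId": "1000", "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    }),
    _event(3, {
        "UtcTime": "2024-05-01 09:00:05.000", "ProcessGuid": GUID_A,
        "ProcessId": "4242", "Image": r"C:\Windows\System32\notepad.exe",
        "Protocol": "tcp", "SourceIp": "10.0.0.15", "SourcePort": "50001",
        "DestinationIp": "10.0.0.1", "DestinationPort": "443",
        "DestinationHostname": "proxy.example.test", "DestinationPortName": "https",
    }),
    _event(1, {
        "UtcTime": "2024-05-01 09:30:00.000", "ProcessGuid": GUID_B,
        "ProcessId": "4242", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1",
        "Hashes": "MD5=" + "cc" * 16 + ",SHA256=" + "dd" * 32,
        "ParentProcessGuid": "{11111111-0000-0000-0000-000000000000}",
        "ParentProcessId": "1000", "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    }),
    _event(3, {
        "UtcTime": "2024-05-01 09:30:02.000", "ProcessGuid": GUID_B,
        "ProcessId": "4242", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Protocol": "tcp", "SourceIp": "10.0.0.15", "SourcePort": "50002",
        "DestinationIp": "203.0.113.7", "DestinationPort": "8443",
        "DestinationHostname": "", "DestinationPortName": "",
    }),
]


def parse_event(xml_text):
    """Return a flat dict of EventData fields plus the integer EventID."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return data


def parse_hashes(field):
    """Split Sysmon's 'MD5=...,SHA256=...' string into {'md5': ..., 'sha256': ...}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().lower()] = val.strip().lower()
    return out


def correlate_by_guid(xml_events):
    """Map ProcessGuid -> process record with its hashes and outbound connections."""
    procs = {}
    for ev in map(parse_event, xml_events):
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:
            procs[guid] = {
                "pid": int(ev["ProcessId"]), "image": ev["Image"],
                "command_line": ev["CommandLine"], "parent_guid": ev["ParentProcessGuid"],
                "parent_image": ev["ParentImage"], "hashes": parse_hashes(ev["Hashes"]),
                "connections": [],
            }
        elif ev["EventID"] == 3:
            # A connection may arrive before its ID 1 event is indexed; keep a stub.
            rec = procs.setdefault(guid, {"pid": int(ev["ProcessId"]), "image": ev["Image"], "connections": []})
            rec["connections"].append(
                (ev["DestinationIp"], int(ev["DestinationPort"]), ev.get("DestinationHostname", "")))
    return procs


def connections_by_pid(xml_events):
    """Naive join on ProcessId only: merges unrelated processes that shared a PID."""
    out = defaultdict(list)
    for ev in map(parse_event, xml_events):
        if ev["EventID"] == 3:
            out[int(ev["ProcessId"])].append(ev["DestinationIp"])
    return dict(out)
```

Joining on the GUID gives one process record per launch, each with its own hashes and connections; joining on the PID alone folds both launches into a single entry, which is exactly the confusion the process GUID was added to prevent.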
Hopefully some of you are able to get use out of this software as well.