Saw this on Feedly as I futiley try to keep up with security feeds: How to track that annoying pop-up. Yeah, yeah, yeah, sysinternals, sysmon, tasks, blah blah, sort of junior sysadmin stuff. Wait, what is this at the end of the article? A throwaway mention of and link to SwiftOnSecurity’s sysmon-config custom config file for monitoring systems. Now we’re talking!
You can pay the bucks for a badass product to do your system monitoring for you. Or you can roll your own temporary solution for small troubleshooting tasks. And then there’s that huge grey area in the middle for small-medium environments where you might not have the budget but still want to do better logging. This looks like a nice way to hit the ground running with sysmon on the cheaper “roll your own” side of things.
I’ve, of course, used and considered SysInternals tools as toolkit staples since before I started professional work in IT. And yet, 15 years later, they still surprise me! I hadn’t seen that Sysmon could be used in such a way. Some tips are available here, and the official information found here.
I now need to remember to set this up on my lab boxes every time I refresh them…