System Monitor, aka Sysmon
A system service and device driver that persist across restarts.
Sysmon’s primary components include:
- A Windows service for monitoring system activity.
- A device driver that assists in capturing the system activity data.
- An event log to display captured activity data.
Sysmon also has a Linux version.
Here is the full Event ID list
Install
sysmon.exe -i -accepteula -h md5,sha256,imphash -l -n
Update
sysmon.exe -c sysmonconfig-export.xml
Example
DLL Hijacking
Focus on Event ID 7 (Image loaded).
Modify sysmonconfig-export.xml and set onmatch="exclude" on the Event ID 7 (ImageLoad) rule.
Focus on .dll loads from outside System32.
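An added example (not from the original notes) of what the onmatch="exclude" edit does: it embeds a constructed config fragment with an ImageLoad exclude rule for the system directories, evaluates it against constructed Event ID 7 records the way Sysmon applies its filters (an exclude match always drops the event; with only exclude rules present everything else is logged), and returns the DLL loads from outside System32 that a DLL-hijacking review should start from. The schemaversion value, the process and DLL paths, and the helper names are assumptions; the condition keywords used ("begin with", "is", "contains", "end with", "image") are real Sysmon conditions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed stand-in for the sysmonconfig-export.xml edit described in the notes:
# an ImageLoad rule with onmatch="exclude" that drops loads from the system
# directories, so every other DLL load (i.e. from outside System32) is logged.
# The schemaversion value is an assumption, not taken from the notes.
SYSMON_CONFIG = """\
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="exclude">
        <ImageLoaded condition="begin with">C:\\Windows\\System32\\</ImageLoaded>
        <ImageLoaded condition="begin with">C:\\Windows\\SysWOW64\\</ImageLoaded>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Constructed Sysmon events (only the fields this example needs). EventID 7 is
# "Image loaded"; the last record is an EventID 1 process-create event so the
# filter can be seen ignoring other event types.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "7", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": "7", "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"c:\windows\syswow64\ntdll.dll", "Signed": "true"},
    {"EventID": "7", "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "false"},
    {"EventID": "7", "Image": r"C:\Users\alice\Downloads\tool.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll", "Signed": "false"},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "ImageLoaded": "", "Signed": ""},
]

Rule = Tuple[str, str, str, str]  # (onmatch, field, condition, pattern)


def _matches(value: str, condition: str, pattern: str) -> bool:
    """Subset of Sysmon's string conditions; Sysmon matching is case-insensitive."""
    v, p = value.lower(), pattern.lower()
    if condition == "is":
        return v == p
    if condition == "is not":
        return v != p
    if condition == "contains":
        return p in v
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    if condition == "image":
        # 'image' compares only the file-name part of a path
        return v.rsplit("\\", 1)[-1] == p.rsplit("\\", 1)[-1]
    raise ValueError(f"unsupported condition: {condition}")


def load_image_load_rules(xml_text: str) -> List[Rule]:
    """Collect every filter entry under each <ImageLoad> block of the config."""
    root = ET.fromstring(xml_text)
    rules: List[Rule] = []
    for block in root.iter("ImageLoad"):
        onmatch = block.get("onmatch", "include")
        for entry in block:
            rules.append((onmatch, entry.tag, entry.get("condition", "is"),
                          (entry.text or "").strip()))
    return rules


def would_be_logged(event: Dict[str, str], rules: List[Rule]) -> bool:
    """Sysmon semantics: an exclude match always drops the event; if include rules
    exist the event must match one of them; with only exclude rules, keep the rest."""
    excludes = [r for r in rules if r[0] == "exclude"]
    includes = [r for r in rules if r[0] == "include"]
    if any(_matches(event.get(f, ""), c, p) for _, f, c, p in excludes):
        return False
    if includes:
        return any(_matches(event.get(f, ""), c, p) for _, f, c, p in includes)
    return True


def dll_loads_outside_system32(events: List[Dict[str, str]],
                               rules: List[Rule]) -> List[Dict[str, str]]:
    """Event ID 7 records that survive the filter: the loads worth reviewing."""
    return [e for e in events if e["EventID"] == "7" and would_be_logged(e, rules)]


def summarize(events: List[Dict[str, str]]) -> List[str]:
    """One line per surviving load: process -> DLL (signed?)."""
    return [f'{e["Image"]} -> {e["ImageLoaded"]} (signed={e["Signed"]})' for e in events]


if __name__ == "__main__":
    loaded_rules = load_image_load_rules(SYSMON_CONFIG)
    for line in summarize(dll_loads_outside_system32(EVENTS, loaded_rules)):
        print(line)
```

Running it prints only the two helper.dll loads from Program Files and Downloads; the two system-directory loads are dropped by the exclude rule (the lower-case SysWOW64 path shows the match is case-insensitive), and the Event ID 1 record is never considered. In a real review the same filtering is what the edited config makes Sysmon do before the events ever reach the log, so the Sysmon operational log then contains just the out-of-System32 loads to triage.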