My take -
@MarkRussinovich did a very good presentation at RSAC covering the use of Sysmon to hunt hackers on your network.
From the article:
“Windows Forensic Monitoring Limitations -
- When attackers or malware get on your network, you need to
  - construct a timeline
  - What was the entry point?
  - Did it spread between systems?
  - What happened on a particular system?
- Built-in Windows tooling makes it hard to answer these questions:
  - Limited information captured for process creates and DLL loading
  - Network connection information simultaneously too limited and verbose
  - No way to capture common attacker behavior (e.g. thread injection)…”
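As an added illustration (my own, not code from the talk or the article) of how Sysmon's process-create, network, image-load and CreateRemoteThread records answer the three questions on that slide, working only on constructed sample events and a made-up host inventory:

```python
# Added example (not from the presentation): correlate constructed Sysmon records
# to answer the slide's questions: entry point, spread between systems, host activity.
# Sysmon event IDs: 1 = Process Create, 3 = Network Connection,
# 7 = Image Loaded (DLL), 8 = CreateRemoteThread (thread injection).
NAMES = {1: "ProcessCreate", 3: "NetworkConnect", 7: "ImageLoad", 8: "CreateRemoteThread"}

# Constructed sample records: field names follow Sysmon event data, values are invented.
SAMPLE = [
    {"EventID": 1, "UtcTime": "10:00:01", "Computer": "WS01", "Image": "winword.exe", "ParentImage": "outlook.exe"},
    {"EventID": 1, "UtcTime": "10:00:05", "Computer": "WS01", "Image": "powershell.exe", "ParentImage": "winword.exe"},
    {"EventID": 7, "UtcTime": "10:00:06", "Computer": "WS01", "Image": "powershell.exe", "ImageLoaded": "amsi.dll"},
    {"EventID": 3, "UtcTime": "10:00:09", "Computer": "WS01", "Image": "powershell.exe",
     "SourceIp": "10.0.0.5", "DestinationIp": "10.0.0.9", "DestinationPort": 445},
    {"EventID": 8, "UtcTime": "10:00:12", "Computer": "WS01", "SourceImage": "powershell.exe", "TargetImage": "explorer.exe"},
    {"EventID": 1, "UtcTime": "10:00:20", "Computer": "SRV01", "Image": "cmd.exe", "ParentImage": "services.exe"},
]
HOST_IPS = {"WS01": "10.0.0.5", "SRV01": "10.0.0.9"}  # constructed asset inventory

def summarise(e):
    """One-line description of a record, per event type."""
    kind = e["EventID"]
    if kind == 1:
        return f'{e["ParentImage"]} -> {e["Image"]}'
    if kind == 3:
        return f'{e["Image"]} {e["SourceIp"]} -> {e["DestinationIp"]}:{e["DestinationPort"]}'
    if kind == 7:
        return f'{e["Image"]} loaded {e["ImageLoaded"]}'
    return f'{e["SourceImage"]} created a thread in {e["TargetImage"]}'

def host_timeline(events, computer):
    """'What happened on a particular system?': chronological (time, type, summary) rows."""
    return sorted((e["UtcTime"], NAMES[e["EventID"]], summarise(e))
                  for e in events if e["Computer"] == computer)

def entry_point(events):
    """'What was the entry point?': the earliest process create in the data set."""
    first = min((e for e in events if e["EventID"] == 1), key=lambda e: e["UtcTime"])
    return first["Computer"], summarise(first)

def spread(events):
    """'Did it spread?': hosts that were a connection destination and also show process creates."""
    ip_to_host = {ip: host for host, ip in HOST_IPS.items()}
    reached = {ip_to_host[e["DestinationIp"]] for e in events
               if e["EventID"] == 3 and e["DestinationIp"] in ip_to_host}
    active = {e["Computer"] for e in events if e["EventID"] == 1}
    return sorted(reached & active)

def injections(events):
    """Event 8 records: the thread-injection behaviour built-in tooling cannot capture."""
    return [(e["SourceImage"], e["TargetImage"]) for e in events if e["EventID"] == 8]
```

On a real host the same fields come from the Microsoft-Windows-Sysmon/Operational log; the correlation logic is unchanged.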