Event Logs
Commands:
Get-EventLog -List
   Lists only the classic logs (Application, System, Security, ...) and exists only in Windows PowerShell 5.1. Use Get-WinEvent -ListLog * to see every channel, including Microsoft-Windows-Sysmon/Operational.

SYSTEM MONITOR (SYSMON) SYSINTERNALS SUITE
1) Get-Process | Where-Object {$_.ProcessName -eq "Sysmon"}
   On 64-bit hosts the process is normally Sysmon64, and an install whose binary was renamed matches neither name, so a miss here proves nothing on its own.
2) Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
   Filters on the service description rather than the service name, so it still finds a renamed install.
3) reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon\Operational
   Confirms the event channel is registered; it does not show whether events are actually being written. Check the channel's record count for that.
4) findstr /si /c:'<ProcessCreate onmatch="Exclude">' c:\tools\*
   Searches for a Sysmon config XML on disk; c:\tools is only a guess at where an admin dropped it, and the file may have been deleted after loading. Run this from PowerShell (the single quotes keep < and > away from cmd's redirection) and keep the /c: prefix, otherwise findstr treats each space-separated word as a separate pattern. The configuration the driver is actually running can be dumped with sysmon -c (no file argument).
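The four checks above combined into one function, as an added example that is not code from the original page. It tolerates a renamed binary by matching Sysmon and Sysmon64, by service description, and by the driver service; the default search root C:\tools is the page's own guess, the driver service name SysmonDrv and its Parameters\Rules value assume an install that did not rename the driver, and both are labelled as assumptions in the comments.

```powershell
# Added example (not from the original page): run the Sysmon presence checks
# from the cheat sheet in one pass and return an object you can inspect or log.
# Assumptions: -ConfigSearchRoot defaults to the page's C:\tools guess; the
# driver service 'SysmonDrv' and the Parameters\Rules value are standard only
# for installs that did not rename the driver (sysmon -d).
function Get-SysmonStatus {
    param(
        [string]$ConfigSearchRoot = 'C:\tools'   # assumption: adjust per host
    )

    $status = [ordered]@{}

    # 1) Running process. Matches Sysmon and Sysmon64; a renamed binary will
    #    not appear here, which is why the later checks matter.
    $status.Process = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match '^Sysmon(64)?$' } |
        Select-Object Id, ProcessName, Path

    # 2) User-mode service found by description (survives a rename), plus the
    #    kernel driver service, whose name 'SysmonDrv' is an assumption.
    $status.Service = Get-CimInstance Win32_Service -Filter "Description = 'System Monitor service'" |
        Select-Object Name, State, PathName
    $status.Driver = Get-CimInstance Win32_SystemDriver -Filter "Name = 'SysmonDrv'" |
        Select-Object Name, State, PathName

    # 3) Event channel registration, and whether it has recorded anything.
    $channel = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue
    $status.Channel = if ($channel) {
        $channel | Select-Object LogName, IsEnabled, RecordCount
    } else {
        $null
    }

    # 4) Config XML on disk. Select-String matches the whole phrase, which is
    #    what the page's findstr needs /c: for.
    $status.ConfigFiles = Get-ChildItem -Path $ConfigSearchRoot -Recurse -File -Include *.xml -ErrorAction SilentlyContinue |
        Select-String -SimpleMatch '<ProcessCreate onmatch="Exclude">' |
        Select-Object -ExpandProperty Path -Unique

    # The loaded rule set is kept under the driver's Parameters key as the
    # binary 'Rules' value, whether or not the XML still exists on disk
    # (assumes the unrenamed driver service name).
    $rules = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters' `
        -Name Rules -ErrorAction SilentlyContinue
    $status.RulesInRegistry = [bool]$rules

    [pscustomobject]$status
}

Get-SysmonStatus | Format-List
```

Run from an elevated Windows PowerShell session; the service and driver queries work unprivileged, but the Parameters key and the config files may need admin rights to read. A host where Process is empty but Service, Driver and RulesInRegistry are populated is the renamed-binary case the single-line checks miss.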