Sysmon
Sysmon (short for System Monitor) is a Windows system service and device driver that provides advanced system monitoring capabilities, allowing for more detailed insights into system activities and potential security threats. Developed by Microsoft, Sysmon can detect and log various types of system events, such as process creation, file creation, network connections, and registry modifications, providing a more comprehensive view of system activity than what is available through traditional Windows event logging.
Sysmon works by installing a kernel driver that intercepts system events and sends them to the Sysmon service for processing. Sysmon uses a set of pre-defined rules to filter and categorize events, and then logs the relevant information to the Windows event log. The logs generated by Sysmon can be analyzed by security analysts or threat hunters to identify potential security threats or unusual system activity.
Those rules are usually set up in a way that cuts out the "noise", i.e. events caused by standard, expected behaviour:
<RuleGroup name="" groupRelation="or">
  <DnsQuery onmatch="exclude">
    <QueryName condition="end with">.microsoft.com</QueryName>
  </DnsQuery>
</RuleGroup>
The above rule excludes DNS queries for names ending in .microsoft.com, a very common artefact that is normal on Windows systems (the system queries them when checking for updates). Note that the filter is applied on the host before the event is written, so anything an exclude rule matches never reaches the event log.
On the other hand, rules can also be written to quickly flag unusual behaviour:
<RuleGroup name="" groupRelation="or">
  <RegistryEvent onmatch="include">
    <TargetObject name="T1060,RunKey" condition="contains">CurrentVersion\Run</TargetObject>
    <TargetObject name="T1484" condition="contains">Group Policy\Scripts</TargetObject>
    <TargetObject name="T1060" condition="contains">CurrentVersion\Windows\Run</TargetObject>
  </RegistryEvent>
</RuleGroup>
The above rule includes (logs) registry events whose "TargetObject" field contains registry (sub)keys used by malicious actors for persistence purposes. The name attribute on each filter (here an ATT&CK technique ID) is written to the RuleName field of the logged event, so an analyst can see which filter fired.
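To make the include/exclude semantics of the two fragments above concrete, here is a small evaluator written for this page (it is not Sysmon's own code). It wraps both fragments in the <Sysmon>/<EventFiltering> envelope a real configuration file requires (the schema version is an assumed value), implements the filter conditions Sysmon supports, and applies the documented precedence (exclude rules override include rules; an event type with only include rules is logged only on a match; with only exclude rules it is logged unless a match occurs) to a few constructed sample events. It returns the decision together with the name of the matching filter, which Sysmon would report in the event's RuleName field.

```python
"""Evaluator for Sysmon-style include/exclude rules (added example, not Sysmon code)."""
import xml.etree.ElementTree as ET

# The two rule fragments from the text, wrapped in a configuration envelope.
# The schemaversion value is an assumption made for this example.
CONFIG = r"""<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.microsoft.com</QueryName>
      </DnsQuery>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject name="T1060,RunKey" condition="contains">CurrentVersion\Run</TargetObject>
        <TargetObject name="T1484" condition="contains">Group Policy\Scripts</TargetObject>
        <TargetObject name="T1060" condition="contains">CurrentVersion\Windows\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Sysmon filter conditions; comparisons are case-insensitive, "contains any"/
# "contains all" take ';'-separated terms, "image" matches a full path or file name.
_CONDITIONS = {
    "is": lambda v, p: v == p,
    "is not": lambda v, p: v != p,
    "contains": lambda v, p: p in v,
    "excludes": lambda v, p: p not in v,
    "begin with": lambda v, p: v.startswith(p),
    "end with": lambda v, p: v.endswith(p),
    "not begin with": lambda v, p: not v.startswith(p),
    "not end with": lambda v, p: not v.endswith(p),
    "contains any": lambda v, p: any(t.strip() in v for t in p.split(";") if t.strip()),
    "contains all": lambda v, p: all(t.strip() in v for t in p.split(";") if t.strip()),
    "image": lambda v, p: v == p or v.rsplit("\\", 1)[-1] == p,
}


def condition_matches(condition, pattern, value):
    """Apply one filter condition; a missing condition attribute means "is"."""
    cond = (condition or "is").lower()
    if cond not in _CONDITIONS:
        raise ValueError(f"unsupported condition: {condition!r}")
    return _CONDITIONS[cond](value.lower(), pattern.lower())


def filters_match(elements, relation, event):
    """Combine filter elements with groupRelation 'or'/'and'.
    Returns (matched, rule_name); rule_name is the matching filter's name attribute."""
    names = []
    for el in elements:
        if el.tag == "Rule":  # compound rule: its own relation defaults to 'and'
            ok, name = filters_match(list(el), el.get("groupRelation", "and").lower(), event)
            name = el.get("name") or name
        else:
            ok = condition_matches(el.get("condition"), (el.text or "").strip(),
                                   event.get(el.tag, ""))
            name = el.get("name", "")
        if relation == "or" and ok:
            return True, name
        if relation == "and" and not ok:
            return False, None
        names.append(name)
    if relation == "and" and names:  # every filter matched
        return True, next((n for n in names if n), "")
    return False, None


def evaluate(config_xml, event_type, event):
    """Decide whether Sysmon would log `event` (dict of field -> value) of `event_type`.
    Returns (logged, rule_name); logged is None when the config has no rule for that
    event type, in which case Sysmon's built-in per-event-type default applies."""
    root = ET.fromstring(config_xml)
    include_name, excluded, has_rules, has_include = None, False, False, False
    for group in root.iter("RuleGroup"):
        relation = group.get("groupRelation", "or").lower()
        for block in group.findall(event_type):
            has_rules = True
            matched, name = filters_match(list(block), relation, event)
            onmatch = block.get("onmatch", "").lower()
            if onmatch == "include":
                has_include = True
                if matched and include_name is None:
                    include_name = name
            elif onmatch == "exclude" and matched:
                excluded = True
    if not has_rules:
        return None, None
    if excluded:  # exclude rules override include rules
        return False, None
    if has_include:  # include rules present: log only what matches one of them
        return include_name is not None, include_name
    return True, None  # exclude-only: log everything that was not excluded


# Constructed sample events (field dictionaries, not real telemetry).
SAMPLE_EVENTS = [
    ("DnsQuery", {"QueryName": "settings-win.data.microsoft.com"}),
    ("DnsQuery", {"QueryName": "updates.example.test"}),
    ("RegistryEvent", {"TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"}),
    ("RegistryEvent", {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\App"}),
    ("ProcessCreate", {"Image": r"C:\Windows\System32\notepad.exe"}),
]

if __name__ == "__main__":
    for event_type, fields in SAMPLE_EVENTS:
        logged, rule = evaluate(CONFIG, event_type, fields)
        print(f"{event_type:14} logged={logged!s:5} rule={rule!r} {next(iter(fields.values()))}")
```

Running the script shows the microsoft.com lookup suppressed by the exclude rule, the unrelated lookup logged because DnsQuery has no include rules, the Run-key write logged with RuleName "T1060,RunKey", the Uninstall-key write dropped because it matches no include filter, and ProcessCreate left to Sysmon's default because the configuration says nothing about it.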