More SysmonMaps and ProcessMapper!

Here is a sample of the processes running on my Windows 8 machine for the past 2 hours:
[Image: Sysmon map of the time period]

This shows tons of interesting information about the boot process. One thing I have noticed is that Google Chrome is noisy.

Also, just for kicks, I coded an example of the same thing using the native Windows Security log (event ID 4688, "A new process has been created"):

To use this, make sure Process Creation auditing (the "Process Creation" subcategory under Detailed Tracking) is enabled. This has been turned on in every environment I have ever worked in, but if you are following along at home, here are some fun articles to consider:

Or go here and turn it on:

Then you can see logs like this:
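Before you go looking for 4688 events, it is worth checking that the subcategory is actually on. The following is an added example, not code from the original post: it reads the current setting with auditpol (the column names are those of auditpol's English /r CSV output), turns it on from an elevated prompt, and optionally enables the ProcessCreationIncludeCmdLine_Enabled registry value so that 4688 carries the command line (Windows 8.1 / Server 2012 R2 and later). Two caveats: auditpol needs an elevated prompt, and if audit policy is delivered by Group Policy the local change will be overwritten at the next policy refresh, so make the change in the GPO instead.

```powershell
# Added example (not from the original post): check and enable Process Creation auditing.

function Test-ProcessCreationAudit {
    # auditpol /r prints CSV with an 'Inclusion Setting' column whose value is one of
    # No Auditing | Success | Failure | Success and Failure. The leading blank line is
    # dropped so ConvertFrom-Csv sees the header first.
    $row = auditpol /get /subcategory:"Process Creation" /r |
        Where-Object { $_ } | ConvertFrom-Csv

    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $cmdLine  = (Get-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled `
                    -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled

    [pscustomobject]@{
        Subcategory    = $row.Subcategory
        Setting        = $row.'Inclusion Setting'
        SuccessAudited = ($row.'Inclusion Setting' -match 'Success')   # 4688 only fires on success
        CommandLineOn  = ($cmdLine -eq 1)                               # 8.1 / 2012 R2 and later
    }
}

function Enable-ProcessCreationAudit {
    # Must run elevated. Failure auditing is enabled too so that failed CreateProcess
    # calls (event 4689 is exit; failures also appear under 4688's sibling events) are kept.
    param([switch]$IncludeCommandLine)

    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

    if ($IncludeCommandLine) {
        $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
        if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
        Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
    }

    Test-ProcessCreationAudit
}

# Usage (elevated prompt):
#   Test-ProcessCreationAudit
#   Enable-ProcessCreationAudit -IncludeCommandLine
```

Command-line capture is the setting worth arguing for: without it a 4688 tells you that cmd.exe started under winword.exe, but not what it was asked to run. Be aware that command lines can contain passwords and other secrets, so the Security log becomes more sensitive once this is on.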


Update: the code can be found on GitHub.

Then use some PowerShell to whip up the same Google Org chart as in the last post.

Then you can look at things like this:

[Image: process map]

Not as sexy as Sysmon, but this script can be used in most environments without the need to install anything.
The script can also be pointed at a recovered Security log (an .evtx pulled from a disk image, say) instead of the live system, by changing this line (with $StartDate and $StopDate set to the window you want):

$events = Get-WinEvent -FilterHashtable @{LogName='Security';Id=4688} | Where-Object { $_.TimeCreated -gt $StartDate -and $_.TimeCreated -le $StopDate } | Sort-Object TimeCreated
To this:
# -Path and -FilterHashtable are separate parameter sets of Get-WinEvent and cannot be combined, so the file is selected with the Path key inside the hashtable (replacing LogName):
$events = Get-WinEvent -FilterHashtable @{Path='c:\pathtosecurity.evtx';Id=4688} | Where-Object { $_.TimeCreated -gt $StartDate -and $_.TimeCreated -le $StopDate } | Sort-Object TimeCreated
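To show the whole path from 4688 events to org-chart rows, here is an added example written for this page; it is not the post's own script and not the code on its GitHub. It reads events from the live Security log or a recovered .evtx, pulls the fields out of the event XML by name (the Properties[] index layout differs between Windows 8, 8.1 and 10, so indexing by position is fragile), builds the parent/child map, and emits both a text tree and the JSON rows that google.visualization.arrayToDataTable() expects. The one piece of logic worth calling out is PID reuse: Windows recycles process IDs, so a child is linked to the most recent 4688 for its creator PID that precedes it, not to whichever process last carried that number. The sample events at the bottom are constructed to exercise exactly that case; the function and field names are this example's own, and the field names NewProcessId, NewProcessName, ProcessId, ParentProcessName, CommandLine and SubjectUserName are those of the 4688 event schema.

```powershell
# Added example (not the post's script): Security 4688 events -> process map -> org chart rows.

function Get-ProcessCreationEvents {
    param(
        [datetime]$StartDate = (Get-Date).AddHours(-2),
        [datetime]$StopDate  = (Get-Date),
        [string]$Path                         # optional: a recovered Security .evtx
    )
    # Path and LogName are alternatives inside the hashtable; StartTime/EndTime let the
    # event log service do the time filtering instead of a Where-Object on every record.
    $filter = @{ Id = 4688; StartTime = $StartDate; EndTime = $StopDate }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }

    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ProcessId   = [int]$data['NewProcessId']    # hex string in the event, e.g. 0x1a4c
            Image       = $data['NewProcessName']
            ParentId    = [int]$data['ProcessId']       # creator PID, also hex
            ParentImage = $data['ParentProcessName']    # $null before Windows 10
            CommandLine = $data['CommandLine']          # $null unless command-line auditing is on
            User        = $data['SubjectUserName']
        }
    }
}

function ConvertTo-ProcessMap {
    # Each process is linked to the most recent creation of its parent PID seen so far.
    # PIDs are recycled, so a plain PID match would attach children to the wrong process.
    param([Parameter(Mandatory)][object[]]$Events)
    $latest = @{}                                        # pid -> Id of its most recent 4688
    $rows   = New-Object System.Collections.Generic.List[object]

    foreach ($e in ($Events | Sort-Object Time)) {
        $id       = '{0}@{1}' -f $e.ProcessId, $e.Time.ToString('HH:mm:ss.fff')
        $parentId = $latest[$e.ParentId]
        if (-not $parentId) {
            # Parent started before the window (or the log was truncated): add a synthetic
            # root so the child is not silently dropped from the chart.
            $parentId = '{0}@before-window' -f $e.ParentId
            $name = if ($e.ParentImage) { Split-Path $e.ParentImage -Leaf } else { 'unknown' }
            $rows.Add([pscustomobject]@{ Id = $parentId; Parent = ''
                                         Label = "$name ($($e.ParentId))"; Tooltip = 'created before the time window' })
            $latest[$e.ParentId] = $parentId
        }
        $rows.Add([pscustomobject]@{
            Id      = $id
            Parent  = $parentId
            Label   = '{0} ({1})' -f (Split-Path $e.Image -Leaf), $e.ProcessId
            Tooltip = '{0} {1} {2}' -f $e.Time.ToString('s'), $e.User, $e.CommandLine
        })
        $latest[$e.ProcessId] = $id
    }
    $rows
}

function ConvertTo-OrgChartJson {
    # Rows for arrayToDataTable(): [name, parent, tooltip]. Name is {v: id, f: label} so
    # two chrome.exe processes stay distinct nodes while displaying the same text.
    param([Parameter(Mandatory)][object[]]$Map)
    $table = @(,@('Name', 'Parent', 'Tooltip'))
    foreach ($r in $Map) { $table += ,@(@{ v = $r.Id; f = $r.Label }, $r.Parent, $r.Tooltip) }
    $table | ConvertTo-Json -Depth 4 -Compress
}

function Show-ProcessTree {
    param([object[]]$Map, [string]$Parent = '', [int]$Depth = 0)
    foreach ($r in ($Map | Where-Object Parent -eq $Parent)) {
        '{0}{1}' -f ('  ' * $Depth), $r.Label
        Show-ProcessTree -Map $Map -Parent $r.Id -Depth ($Depth + 1)
    }
}

# Constructed sample standing in for Get-ProcessCreationEvents output. PID 2100 is first
# a chrome.exe renderer and later notepad.exe; cmd.exe names 2100 as its creator.
$t = [datetime]'2014-01-01T10:00:00'
$chrome = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
$sample = @(
    [pscustomobject]@{ Time = $t;                 ProcessId = 1000; Image = 'C:\Windows\explorer.exe';        ParentId = 800;  ParentImage = $null; CommandLine = $null;                        User = 'alice' }
    [pscustomobject]@{ Time = $t.AddSeconds(5);   ProcessId = 2000; Image = $chrome;                          ParentId = 1000; ParentImage = $null; CommandLine = $null;                        User = 'alice' }
    [pscustomobject]@{ Time = $t.AddSeconds(6);   ProcessId = 2100; Image = $chrome;                          ParentId = 2000; ParentImage = $null; CommandLine = 'chrome.exe --type=renderer'; User = 'alice' }
    [pscustomobject]@{ Time = $t.AddSeconds(90);  ProcessId = 2100; Image = 'C:\Windows\System32\notepad.exe'; ParentId = 1000; ParentImage = $null; CommandLine = $null;                        User = 'alice' }
    [pscustomobject]@{ Time = $t.AddSeconds(120); ProcessId = 2200; Image = 'C:\Windows\System32\cmd.exe';    ParentId = 2100; ParentImage = $null; CommandLine = 'cmd.exe /c whoami';          User = 'alice' }
)
$map = ConvertTo-ProcessMap -Events $sample
Show-ProcessTree -Map $map
ConvertTo-OrgChartJson -Map $map

# Live log (elevated prompt) or a recovered .evtx, same pipeline:
#   $map = ConvertTo-ProcessMap -Events (Get-ProcessCreationEvents)
#   $map = ConvertTo-ProcessMap -Events (Get-ProcessCreationEvents -Path 'C:\case\Security.evtx' -StartDate $StartDate -StopDate $StopDate)
```

In the sample, cmd.exe (2200) lands under notepad.exe (2100), not under the chrome.exe renderer that held PID 2100 earlier, because notepad's 4688 is the most recent one for that PID before cmd.exe was created. Two caveats for real logs: 4688 does not record process exit, so a parent that died and whose PID was reused before the child started cannot be distinguished from one that is still alive, and a parent created before the window (or on a machine whose log rolled over) shows up only as its PID, with a name only on Windows 10, where the event carries ParentProcessName.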