@DebugPrivilege API monitor for lazy ones 😉

@MalFuzzer Gotta make exciting for yourself ;-)

@DebugPrivilege Have you tried dtrace?

@DebugPrivilege Can still make those like :)

@DebugPrivilege ProcMon + Wireshark are a powerful duo.

@DebugPrivilege They (generally) don’t lie, they just don’t realize certain bits of info are critically important. Like when the thing we’ve been troubleshooting for months doesn’t repro if they update to the latest version of a particular 3rd party client app or filter driver.

@DebugPrivilege Microsoft Network Monitor (RPC), Wireshark, procmon process hacker Ghidra, VSCode

@DebugPrivilege Network miner 🤷‍♂️

@DebugPrivilege sure, they all good but what we realle need is syscall logging like this:

@DebugPrivilege The Trinity: Zeek/Bro (network) Sysmon (host) Splunk (collection & analysis)