https://github.com/MHaggis/sysmon-dfir
As of September 2017, v6.1 supports monitoring WMI subscribers.
https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-...
Unfortunately, I can no longer point to a canonical "best practices" configuration, as the original has been neglected; however, it may serve as a starting point: https://github.com/SwiftOnSecurity/sysmon-config