“[Sysmon3] … reports remote thread creation events…” Allowing one to log code injection? Awesome. http://blogs.technet.com/b/sysinternals/archive/2015/04/21/update-sysmon-v3-0-autornus-v13-3-regjump-v1-1-process-monitor-v3-11.aspx