Sysmon now runs as a kernel driver (SysmonDrv.sys) and logs events to .
Elias realized with a jolt that the "sysm_monitor" wasn't monitoring the system. It was monitoring