In today's cyber threat landscape, investigators and incident responders are often outmatched by their adversaries because they lack visibility into endpoint activity. This deficiency leads to false negatives, leaving defenders and their organizations at the mercy of attackers. To solve this problem, Endpoint Detection & Response (EDR) tools were created to provide endpoint visibility and arm defenders against their attackers (CrowdStrike, 2019). While these tools are a difference-maker for defenders, the cost of commercial offerings can put them out of reach for many organizations (Infocyte, 2020). Microsoft Sysinternals Sysmon, a free EDR tool, collects detailed information about system activity, including process creations, network connections, file creations, and much more (Russinovich, M. & Garnier, T., 2020). This paper examines whether Sysmon, as a free EDR tool, provides sufficient visibility into Windows endpoint activity to detect and forensicate attacker techniques such as those listed in MITRE's ATT&CK knowledge base.
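As an added illustration of the endpoint visibility the abstract refers to (this is example code written for this page, not code from the paper or from Sysinternals), the following PowerShell reads the three Sysmon event types the abstract names from the local Sysmon operational log and flattens them into a short investigator's timeline. It assumes Sysmon is installed with a configuration that logs process creations (Event ID 1), network connections (Event ID 3) and file creations (Event ID 11), and that the shell is elevated, since the Sysmon log is typically readable only by administrators. The field names (Image, CommandLine, DestinationIp, TargetFilename, and so on) are the documented Sysmon EventData fields; the one-hour window and the helper function name are choices made for this example.

```powershell
# Added example, not from the paper: summarise recent Sysmon events for a
# first-pass timeline. Requires Sysmon to be installed and an elevated shell.

$logName  = 'Microsoft-Windows-Sysmon/Operational'
$eventIds = 1, 3, 11                 # Sysmon: ProcessCreate, NetworkConnect, FileCreate
$since    = (Get-Date).AddHours(-1)  # look-back window chosen for this example

# Turn one Sysmon event record into a flat object keyed by its EventData field names.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)

    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The field carrying the "what happened" detail differs per event type.
    $detail = switch ($Record.Id) {
        1  { $data['CommandLine'] }
        3  { '{0}:{1} -> {2}:{3}' -f $data['SourceIp'], $data['SourcePort'],
                                     $data['DestinationIp'], $data['DestinationPort'] }
        11 { $data['TargetFilename'] }
    }

    [pscustomobject]@{
        Time        = $Record.TimeCreated
        EventId     = $Record.Id
        Image       = $data['Image']
        Detail      = $detail
        ParentImage = $data['ParentImage']   # present on ProcessCreate (ID 1) only
        User        = $data['User']
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $eventIds; StartTime = $since } -ErrorAction Stop |
    ForEach-Object { ConvertFrom-SysmonEvent -Record $_ }

# Overview: how many of each event type Sysmon recorded in the window.
$events | Group-Object EventId | Select-Object Name, Count | Format-Table -AutoSize

# Detail view, newest first: which process ran what, connected where, and wrote which files.
$events | Sort-Object Time -Descending |
    Format-Table Time, EventId, Image, Detail -AutoSize -Wrap
```

The point of flattening the XML is that Sysmon stores the useful fields inside EventData rather than in the top-level record properties, so an investigator who only looks at the event message text misses the ability to group and pivot on Image, ParentImage or DestinationIp. If Get-WinEvent reports that no events match, the usual causes are a Sysmon configuration that filters out these event types or a non-elevated shell.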