Threat Hunting via Sysmon - SANS Blue Team Summit
ฝัง
- เผยแพร่เมื่อ 21 ก.ค. 2019
- Speaker: Eric Conrad, CTO, Backshore Communications; Senior Instructor, Co-Author SEC511 and SEC542, Author MGT514, SANS Institute
Windows Sysinternal's Sysmon offers a wealth of information regarding processes running in a Windows environment (including malware). This talk will focus on leveraging Sysmon logs to to centrally hunt malice in a Windows environment. Virtually all malware may be detected via event logs, especially after enabling Sysmon logs.
Sysmon includes advanced capabilities, including logging the import hash (imphash) of each process, which fingerprints the names and order of DLLs loaded by a portable executable. This provides an excellent way of tracking families of related malware.
We will also discuss updates to DeepWhite: an open source detective application whitelisting framework that relies on Microsoft Sysinternal's Sysmon and supports auto-submission of imphashes, EXE, DLL and driver hashes via a free Virustotal Community API key.
SANS Summit schedule: www.sans.org/u/DuS
The Blue Team Summit features presentations and panel discussions covering actionable techniques, new tools, and innovative methods that help cyber defenders improve their ability to prevent and detect attacks.
The man knows his stuff ! His book written for CISSP speaks for itself but hearing him live is wow! Elect for Eric Conrad for President
Better than the current choices...
An amazing talk covering a large range of topics. He really shouldn't call it a sysmon talk though. There is very little info on sysmon here lol
Thank you Eric, this was super helpful
Thank you so much Eric.
Hi back, homey. That was hilarious. Going to look for you in my SIEM, EDR and TIP now...
Awesome!!!
Great video,renew some of my conception even 1 year later. thank you
Really good insights. The fact that it a couple years old is quite humbling
Awesome stuff
Eric is the best!
Great stuff!
cool!
Where can I get those slides?
@@sentinalprime8838 Maybe think about editing your post as it 404's. Thanks.
@@StaticChevalier2 Hey Rob, your link is dead as well.
@@treytrey6011 Just tried it. It looks like it expired, but following the main link and searching for "Blue Team Summit & Training 2019 (April 2019)" Should take you to it. I found it again, but it required me to log in to my SANS account.
@@treytrey6011 If you still have issues viewing it, I have the pdf downloaded that I can share.
Threat Vectors
"they want SOCs full of 22 year olds"
RIP me, trying to pivot from coding into cyber at 31
There are more than just SOC jobs available in cyber. I moved from System Administration to cyber at 32. Plus you have all that coding experience that 22 year olds don't. Trust me, there is a major need for professionals as it releates to securing code as that is where many issues crop up. You are far more valuable than sitting in a SOC following playbooks written by others.
Where did you hear that about the 22 year olds? I moved from a lab tech to help desk at 38, then 3 years later I was able to luck into an Information System Security Officer position. Now in my very late 50's, I still read lots, and watch these videos, and now I am getting into Cloud. It is all about being driven, hit is hard my friend and good luck.
I'm 36 and doing the same!