Threat Hunting via Sysmon - SANS Blue Team Summit

Подписаться 58 тыс.

Просмотров 60 тыс.

50% 1

Speaker: Eric Conrad, CTO, Backshore Communications; Senior Instructor, Co-Author SEC511 and SEC542, Author MGT514, SANS Institute
Windows Sysinternal's Sysmon offers a wealth of information regarding processes running in a Windows environment (including malware). This talk will focus on leveraging Sysmon logs to to centrally hunt malice in a Windows environment. Virtually all malware may be detected via event logs, especially after enabling Sysmon logs.
Sysmon includes advanced capabilities, including logging the import hash (imphash) of each process, which fingerprints the names and order of DLLs loaded by a portable executable. This provides an excellent way of tracking families of related malware.
We will also discuss updates to DeepWhite: an open source detective application whitelisting framework that relies on Microsoft Sysinternal's Sysmon and supports auto-submission of imphashes, EXE, DLL and driver hashes via a free Virustotal Community API key.
SANS Summit schedule: www.sans.org/u/DuS
The Blue Team Summit features presentations and panel discussions covering actionable techniques, new tools, and innovative methods that help cyber defenders improve their ability to prevent and detect attacks.

Опубликовано:

21 июл 2019

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 23

@izaak791 3 года назад

The man knows his stuff ! His book written for CISSP speaks for itself but hearing him live is wow! Elect for Eric Conrad for President

@tpai302 3 года назад

Better than the current choices...

@chozen_juan 2 года назад

An amazing talk covering a large range of topics. He really shouldn't call it a sysmon talk though. There is very little info on sysmon here lol

@bryanmccaffrey4385 Год назад

Hi back, homey. That was hilarious. Going to look for you in my SIEM, EDR and TIP now...

@krithikapadmavathy7052 3 года назад

Thank you Eric, this was super helpful

@fatihciroglu654 3 года назад

Thank you so much Eric.

@MrJITBAHAN 4 года назад

Awesome!!!

@andylockhart257 5 лет назад

Awesome stuff

@michaelrogers2011 4 года назад

Eric is the best!

@jerryxie777 3 года назад

Great video,renew some of my conception even 1 year later. thank you

@RM-gm7lu 3 года назад

Really good insights. The fact that it a couple years old is quite humbling

@halozidia Год назад

Great stuff!

@dtonomy8635 3 года назад

cool!

@_nithin15 5 лет назад

Where can I get those slides?

@treytrey6011 3 года назад

@@sentinalprime8838 Maybe think about editing your post as it 404's. Thanks.

@treytrey6011 3 года назад

@@StaticChevalier2 Hey Rob, your link is dead as well.

@StaticChevalier2 3 года назад

@@treytrey6011 Just tried it. It looks like it expired, but following the main link and searching for "Blue Team Summit & Training 2019 (April 2019)" Should take you to it. I found it again, but it required me to log in to my SANS account.

@StaticChevalier2 3 года назад

@@treytrey6011 If you still have issues viewing it, I have the pdf downloaded that I can share.

@manfrombritain6816 2 года назад

"they want SOCs full of 22 year olds" RIP me, trying to pivot from coding into cyber at 31

@kylegustafson6087 2 года назад

There are more than just SOC jobs available in cyber. I moved from System Administration to cyber at 32. Plus you have all that coding experience that 22 year olds don't. Trust me, there is a major need for professionals as it releates to securing code as that is where many issues crop up. You are far more valuable than sitting in a SOC following playbooks written by others.

@logenninefingers9332 2 года назад

Where did you hear that about the 22 year olds? I moved from a lab tech to help desk at 38, then 3 years later I was able to luck into an Information System Security Officer position. Now in my very late 50's, I still read lots, and watch these videos, and now I am getting into Cloud. It is all about being driven, hit is hard my friend and good luck.