Level-up your host-based monitoring with Sysmon

6,051 views

Attack Detect Defend

a day ago

In this video we explore how Sysmon can be used to investigate malware and track the actions of an attacker. We look at how to install it on a single machine and how to automate deployment via GPO. Finally, we discuss why it is worth taking the time to define an appropriate XML configuration file.
References:
Sysmon download link: docs.microsoft.com/en-us/sysi...
SwiftOnSecurity starter policy download link: github.com/SwiftOnSecurity/sy...
Previous video on configuring Winlogbeat: • Collecting & analysing...
Batch file to install/update Sysmon via GPO: github.com/rot169/AttackDetec...
Modular Sysmon by Olaf Hartong: github.com/olafhartong/sysmon...
Timecodes:
0:00 Introduction
1:23 Investigating an attack with Sysmon
6:21 Installing Sysmon manually
8:08 Automating Sysmon deployment via GPO
9:03 Sysmon configuration
Credits:
Intro/Outro Music: Render - Prism: • Render - Prism [Creati... (via Argofox: / argofox )
Diagram icons designed by OpenMoji (openmoji.org/) CC BY-SA 4.0

Comments: 18
@topleads9748 8 months ago
Bro, never give up making these videos... I've been doing cyber sec for almost 2 years, got Security+ and the Google cert... and your videos have more meat than all those certs... Thanks a lot...
@n.w.aicecube5713 a year ago
Love this channel, found it 5 years ago and love the content: simple, informative and well explained. Thanks
@Manavetri a year ago
I love your content, very good; you explain the topics better than most of the teachers I've had. I would like to see more Sysmon content.
@muhammadhassoub299 11 months ago
Thanks for the great video ❤
@anemic66 a year ago
Great video, Thanks!
@DSEC_UK 2 years ago
NICE ONE BUD
@BharatPatel-ny5nh 2 years ago
Hello! Nice animation 👌
@chaminda512 2 years ago
@habibsellah6849 a year ago
Hi Andy, I need to know how I can get SysmonSimulator.exe to simulate attacks with different events. Thanks!
@_amintrouble 2 years ago
Hi, thanks for this video. I know this is about Sysmon, but I'm confused as to what tool you're using, as the interface looks different from what I've seen.
@_amintrouble 2 years ago
Looks like elastic. Is this a threat hunting tool? Does it also require agents on endpoints?
@rot169 2 years ago
Hi Amin, yes, the UI here is based on an ELK stack, which comes as part of the Security Onion distro. See this video for an intro: kzbin.info/www/bejne/q5O0qYqLeNmtptk And the integration between Windows clients and Security Onion can be established in a few different ways, but I used the Winlogbeat agent. Further details here: kzbin.info/www/bejne/aWrMh6idl56MZsU I hope this helps :-)
@_amintrouble 2 years ago
@rot169 Thanks for the response, will have a look.
@r.e.434 2 years ago
And can you do a video about your lab setup?
@rot169 2 years ago
Absolutely... I have one in the works! :-)
@r.e.434 2 years ago
Is Sysmon a replacement for EDR?
@rot169 2 years ago
Sysmon can give you detailed host visibility, but it falls way short of an EDR tool. You need to roll your own rules for detection, and it has no response capability at all. Sysmon still has a lot of value, just not as an EDR :)
@rot169 2 years ago
And here's a far more complete explanation from Olaf Hartong: medium.com/falconforce/sysmon-vs-microsoft-defender-for-endpoint-mde-internals-0x01-1e5663b10347