Threat Hunting via Sysmon - SANS Blue Team Summit

Views: 63,138

SANS Institute

Speaker: Eric Conrad, CTO, Backshore Communications; Senior Instructor, Co-Author SEC511 and SEC542, Author MGT514, SANS Institute
Windows Sysinternals' Sysmon offers a wealth of information regarding processes running in a Windows environment (including malware). This talk will focus on leveraging Sysmon logs to centrally hunt malice in a Windows environment. Virtually all malware may be detected via event logs, especially after enabling Sysmon logs.
Sysmon includes advanced capabilities, including logging the import hash (imphash) of each process, which fingerprints the names and order of DLLs loaded by a portable executable. This provides an excellent way of tracking families of related malware.
We will also discuss updates to DeepWhite: an open source detective application whitelisting framework that relies on Microsoft Sysinternals' Sysmon and supports auto-submission of imphashes, EXE, DLL and driver hashes via a free VirusTotal Community API key.
SANS Summit schedule: www.sans.org/u/DuS
The Blue Team Summit features presentations and panel discussions covering actionable techniques, new tools, and innovative methods that help cyber defenders improve their ability to prevent and detect attacks.
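The imphash the description refers to is computed from a PE's import table: each imported DLL and function becomes a lowercase `dll.function` entry, the entries are joined with commas in import-table order, and the MD5 of that string is the hash. The example below is added here and is not code from the talk, from DeepWhite or from Sysmon; it implements that convention over constructed import tables (ordinal-only imports are not handled), then runs a minimal hunt over constructed Sysmon Event ID 1 records, whose `Hashes` field Sysmon writes as a comma-separated `ALG=value` list when `IMPHASH` is enabled in the configuration's hash algorithms. Every path, hash and import table below is made up for the example.

```python
"""Imphash fingerprinting plus a Sysmon Event ID 1 hunt (added example)."""
import hashlib

# The reference implementation drops these extensions from the DLL name
# before hashing, so "KERNEL32.dll" and "kernel32" hash identically.
_STRIP_EXT = {"dll", "ocx", "sys"}


def imphash(imports):
    """Import hash of a PE from its import table.

    `imports` is the ordered list of (dll_name, function_name) pairs as they
    appear in the import directory. Each pair becomes "<dll>.<function>" in
    lowercase with the DLL extension removed; entries are joined with commas
    in table order and MD5-hashed. Order matters: the same API set imported
    in a different order gives a different hash, which is what makes the
    value a fingerprint of a particular build rather than of an API set.
    Simplification: imports by ordinal are not mapped to names here.
    """
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        base, dot, ext = dll.rpartition(".")
        if dot and ext in _STRIP_EXT:
            dll = base
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def parse_sysmon_hashes(hashes_field):
    """Split a Sysmon 'Hashes' value ('SHA256=...,IMPHASH=...') into a dict.

    Keys are upper-cased algorithm names, values lower-cased hex so that
    comparisons against locally computed hashes are case-insensitive.
    """
    out = {}
    for token in hashes_field.split(","):
        algo, sep, value = token.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def hunt_by_imphash(events, known_imphashes):
    """Return Image paths of process-create records whose IMPHASH is known."""
    hits = []
    for ev in events:
        h = parse_sysmon_hashes(ev["Hashes"]).get("IMPHASH")
        if h and h in known_imphashes:
            hits.append(ev["Image"])
    return hits


# --- Constructed sample data (not taken from any real binary) -------------
# A and B are the "same family": identical import tables in identical order
# (as a repacked or renamed build of the same source would have), so their
# file hashes differ but their imphash is the same. C imports the same APIs
# in a different order and therefore hashes differently.
SAMPLE_A = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegSetValueExW"),
    ("WS2_32.dll", "connect"),
]
SAMPLE_B = [
    ("kernel32.dll", "CreateFileW"),
    ("kernel32.dll", "WriteFile"),
    ("advapi32.dll", "RegSetValueExW"),
    ("ws2_32.dll", "connect"),
]
SAMPLE_C = [
    ("WS2_32.dll", "connect"),
    ("ADVAPI32.dll", "RegSetValueExW"),
    ("KERNEL32.dll", "WriteFile"),
    ("KERNEL32.dll", "CreateFileW"),
]

# Constructed Sysmon Event ID 1 records reduced to the two fields the hunt
# uses. Sysmon emits IMPHASH in uppercase hex; SHA256 values are placeholders.
EVENTS = [
    {"Image": r"C:\Users\Public\update.exe",
     "Hashes": f"SHA256={'11' * 32},IMPHASH={imphash(SAMPLE_A).upper()}"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "Hashes": f"SHA256={'22' * 32},IMPHASH={imphash(SAMPLE_C).upper()}"},
    {"Image": r"C:\Windows\Temp\svch0st.exe",
     "Hashes": f"SHA256={'33' * 32},IMPHASH={imphash(SAMPLE_B).upper()}"},
]

if __name__ == "__main__":
    known_bad = {imphash(SAMPLE_A)}  # one sample a responder has confirmed
    for image in hunt_by_imphash(EVENTS, known_bad):
        print("imphash match:", image)
```

Run stand-alone, the hunt flags `update.exe` and `svch0st.exe` (the two files sharing SAMPLE_A's import table) and ignores `tool.exe`. Because a single imphash is shared by every build with the same linker, source and import order, a match is a strong pivot for grouping related samples but is not proof of malice on its own: common compiler stubs and packers produce widely shared imphashes, so a hit should be confirmed against file hashes or signer information before it drives an alert.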

Comments: 23
@izaak791 4 years ago
The man knows his stuff! His book written for CISSP speaks for itself, but hearing him live is wow! Elect Eric Conrad for President
@tpai302 4 years ago
Better than the current choices...
@chozen_juan 2 years ago
An amazing talk covering a large range of topics. He really shouldn't call it a Sysmon talk though. There is very little info on Sysmon here lol
@bryanmccaffrey4385 2 years ago
Hi back, homey. That was hilarious. Going to look for you in my SIEM, EDR and TIP now...
@krithikapadmavathy7052 3 years ago
Thank you Eric, this was super helpful
@fatihciroglu654 3 years ago
Thank you so much Eric.
@michaelrogers2011 4 years ago
Eric is the best!
@jerryxie777 4 years ago
Great video, renewed some of my conceptions even 1 year later. Thank you
@RM-gm7lu 3 years ago
Really good insights. The fact that it is a couple of years old is quite humbling
@MrJITBAHAN 5 years ago
Awesome!!!
@halozidia 2 years ago
Great stuff!
@andylockhart257 5 years ago
Awesome stuff
@dtonomy8635 3 years ago
cool!
@_nithin15 5 years ago
Where can I get those slides?
@treytrey6011 4 years ago
@@sentinalprime8838 Maybe think about editing your post, as it 404s. Thanks.
@treytrey6011 4 years ago
@@StaticChevalier2 Hey Rob, your link is dead as well.
@StaticChevalier2 4 years ago
@@treytrey6011 Just tried it. It looks like it expired, but following the main link and searching for "Blue Team Summit & Training 2019 (April 2019)" should take you to it. I found it again, but it required me to log in to my SANS account.
@StaticChevalier2 4 years ago
@@treytrey6011 If you still have issues viewing it, I have the pdf downloaded that I can share.
@fatlip8315 7 months ago
Threat Vectors
@manfrombritain6816 3 years ago
"they want SOCs full of 22 year olds" RIP me, trying to pivot from coding into cyber at 31
@kylegustafson6087 3 years ago
There are more than just SOC jobs available in cyber. I moved from System Administration to cyber at 32. Plus you have all that coding experience that 22 year olds don't. Trust me, there is a major need for professionals as it relates to securing code, as that is where many issues crop up. You are far more valuable than sitting in a SOC following playbooks written by others.
@logenninefingers9332 2 years ago
Where did you hear that about the 22 year olds? I moved from a lab tech to help desk at 38, then 3 years later I was able to luck into an Information System Security Officer position. Now in my very late 50s, I still read lots, and watch these videos, and now I am getting into Cloud. It is all about being driven. Hit it hard my friend, and good luck.
@ram_bam 1 year ago
I'm 36 and doing the same!