Atlantic Security Conference 2023 - Threat Hunting via Sysmon 14
Links to resources mentioned in my talk:
- Here's a link to my talk
- Here are the Sysmon event logs I showed
- Download Sysmon
- TrustedSec Sysmon Community Guide
- Florian Roth's (Neo23x0) Sysmon Config
- SwiftOnSecurity's sysmon-config
- Tracking Malware with Import Hashing
- Impacket and wmiexec.py
- Hydra
- Metasploit
- Enabling logging of failed logons on Windows
Commands to analyze the Sysmon events I discussed (download this EVTX file and run the exact same PowerShell commands on your Windows system):
- Any command referencing ADMIN$:
- Get-WinEvent @{Path="sysmon-atlseccon.evtx";id=1} | Where {$_.Message -like "*ADMIN$*"} | fl
- Any command referencing both cmd.exe and wmiprvse.exe:
- Get-WinEvent @{Path="sysmon-atlseccon.evtx";id=1} | Where {$_.Message -like "*cmd.exe*" -and $_.Message -like "*wmiprvse*"} | fl
- File Block Executable (blocked EXE upload):
- Get-WinEvent @{Path="sysmon-atlseccon.evtx";id=27} | fl
- Create Remote Thread (Hashdump and process migration):
- Get-WinEvent @{Path="sysmon-atlseccon.evtx";id=8} | fl
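The four one-liners above match on the rendered Message string, which works for a quick look but is fragile (a path or user name containing the same substring also matches). As an added example, not part of the talk or its resources, the script below runs the same four hunts against the talk's EVTX file but filters on Sysmon's named EventData fields (Image, ParentImage, CommandLine, TargetFilename, SourceImage, TargetImage) extracted from each event's XML. The file name sysmon-atlseccon.evtx is the one the talk refers to; the function names are my own. The cmd.exe/WmiPrvSE.exe hunt is narrowed to the parent-child relationship that wmiexec.py produces rather than "both strings appear somewhere in the message".

```powershell
# Added example, not from the talk. Re-runs the talk's four Sysmon hunts over an
# exported EVTX, filtering on named EventData fields instead of Message -like.
# Assumes the talk's export "sysmon-atlseccon.evtx" sits in the current directory;
# any other Sysmon EVTX works the same way.
param(
    [string]$Path = ".\sysmon-atlseccon.evtx"
)

# Turn one Sysmon event into an object keyed by its EventData field names
# (Image, CommandLine, ParentImage, TargetImage, ...) plus a few header fields.
function ConvertFrom-SysmonEvent {
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $props = [ordered]@{
            TimeCreated = $Event.TimeCreated
            EventId     = $Event.Id
            RecordId    = $Event.RecordId
        }
        foreach ($d in $xml.Event.EventData.Data) {
            $props[$d.Name] = $d.'#text'
        }
        [pscustomobject]$props
    }
}

# Read the requested Sysmon event IDs from the EVTX and expand their fields.
function Get-SysmonEvents {
    param([string]$Path, [int[]]$Id)
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = $Id } -ErrorAction SilentlyContinue |
        ConvertFrom-SysmonEvent
}

# Hunt 1: process creation (ID 1) whose command line references the ADMIN$ share.
function Find-AdminShareUsage {
    param([string]$Path)
    Get-SysmonEvents -Path $Path -Id 1 |
        Where-Object { $_.CommandLine -like '*ADMIN$*' } |
        Select-Object TimeCreated, User, Image, CommandLine
}

# Hunt 2: cmd.exe spawned by WmiPrvSE.exe (the parent-child pair wmiexec.py leaves behind).
function Find-WmiSpawnedShell {
    param([string]$Path)
    Get-SysmonEvents -Path $Path -Id 1 |
        Where-Object { $_.Image -like '*\cmd.exe' -and $_.ParentImage -like '*\WmiPrvSE.exe' } |
        Select-Object TimeCreated, User, ParentImage, CommandLine
}

# Hunt 3: every FileBlockExecutable event (ID 27), i.e. an EXE write Sysmon blocked.
function Find-BlockedExecutables {
    param([string]$Path)
    Get-SysmonEvents -Path $Path -Id 27 |
        Select-Object TimeCreated, User, Image, TargetFilename, Hashes
}

# Hunt 4: CreateRemoteThread (ID 8), summarised as source -> target process pairs,
# which is how credential dumping and process migration surface in Sysmon.
function Find-RemoteThreads {
    param([string]$Path)
    Get-SysmonEvents -Path $Path -Id 8 |
        Group-Object SourceImage, TargetImage |
        Select-Object Count, @{ n = 'Source -> Target'; e = { $_.Name } } |
        Sort-Object Count -Descending
}

# Run all four hunts when the script is executed directly; dot-source it to reuse the functions.
if ($MyInvocation.InvocationName -ne '.') {
    "== ID 1: ADMIN$ in command line ==";       Find-AdminShareUsage   -Path $Path | Format-Table -AutoSize -Wrap
    "== ID 1: cmd.exe under WmiPrvSE.exe ==";   Find-WmiSpawnedShell   -Path $Path | Format-Table -AutoSize -Wrap
    "== ID 27: blocked executables ==";         Find-BlockedExecutables -Path $Path | Format-Table -AutoSize -Wrap
    "== ID 8: remote thread source -> target =="; Find-RemoteThreads   -Path $Path | Format-Table -AutoSize
}
```

Run it as `.\Hunt-Sysmon.ps1 -Path .\sysmon-atlseccon.evtx` to print all four result sets, or dot-source it (`. .\Hunt-Sysmon.ps1`) and call the individual Find-* functions against any other Sysmon export. Because each function returns objects rather than formatted text, the results can be piped to Export-Csv or compared across hosts; the Message-based one-liners above remain the quickest way to eyeball a single event with `fl`.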