Atlantic Security Conference 2023 - Threat Hunting via Sysmon 14

Atlantic Security Conference 2023 - Threat Hunting via Sysmon 14

Links to resources mentioned in my talk:

• Here's a link to my talk
• Here are the Sysmon event logs I showed
• Download Sysmon 
• TrustedSec Sysmon Community Guide
• Florian Roth's (Neo23x0) Sysmon Config
• SwiftOnSecurity's sysmon-config
• Tracking Malware with Import Hashing
• Impacket and wmiexec.py
• Hydra
• Metasploit
• Enabling logging of failed logons on Windows

Commands to analyze the Sysmon events I discussed (download this EVTX file and run the exact same PowerShell commands on your Windows system):

• Any command referencing ADMIN$:
• Get-WinEvent @{Path="sysmon-atlseccon.evtx";id=1} | Where {$_.Message -like "*ADMIN$*"} | fl
• Any command referencing both cmd.exe and wmiprvse.exe:
• Get-WinEvent @{Path="sysmon-atlseccon.evtx";id=1} | Where {$_.Message -like "*cmd.exe*" –and $_.Message -like "*wmiprvse*"} | fl
• File Block Executable (blocked EXE upload): 
•  Get-WinEvent @{Path="sysmon-atlseccon.evtx";id=27} | fl
• Create Remote Thread (Hashdump and process migration): 
• Get-WinEvent @{Path="sysmon-atlseccon.evtx";id=8} | fl

Blind Data Exfiltration Using DNS and Burp Collaborator

Here's a  copy of my slides  for my SANS webcast Blind Data Exfiltration Using DNS and Burp Collaborator:

Blind Data Exfiltration Using DNS and Burp Collaborator

Here are the links:

• Link to the webcast (this will link to the webcast archive afterward)
• DNS-Exfiltrate Github site
• DNS Query Length... Because Size Does Matter

 

Here's a list of links from my AtlSecCon 2022 talk Information Security for the Long Haul: Building a Career That Lasts. 

• Link to my talk
• Cliff Stoll makes Klein Bottles
• Cliff Stoll on Numberphile
• Stuck by Amy Reardon 
• $300 in Google Compute Credits
• Free Google Compute Training
• Free AWS Training
• Free Azure Training
• East Coast Infosec Podcast We All Have Our Masters Degree!" with Eric Conrad
• Toastmasters
• Sears-Halifax Toastmasters Club
• Schooner Toastmasters Halifax
• Creatively Speaking Toastmasters Halifax

Decrypt all the Things: How Encryption is Impacting Network-Based Security Controls

Here's a copy of my SANS @Mic webcast slides: Decrypt all the Things: How Encryption is Impacting Network-Based Security Controls 

Threat Hunting via DNS

My SANS @Mic talk Threat Hunting via DNS

Link to the Youtube video.

Here are the links:

• DNS New World Order: QuadX! DoH! DoT! Da Fuq?
• Paul Vixie on DoH
• Firefox continues push to bring DNS over HTTPS by default for US users
• Firefox to enable DNS-over-HTTPS by default to US users
• Firefox HTTP logging
• Tutorial to setup your own DNS-over-HTTPS (DoH) server
• DNS-over-HTTPS with Pi-Hole
• https://github.com/MarkBaggett/domain_stats
• https://www.arin.net/resources/registry/whois/rdap/

CISSP Cram Session

Here are the slides for my CISSP Cram Session webcast.



The webcast is available here: http://sans.org/u/140g

BSides Halifax

Here's a link to my BSides Halifax talk Threat Hunting via DNS