Thursday, April 20, 2023

Atlantic Security Conference 2023 - Threat Hunting via Sysmon 14

Atlantic Security Conference 2023 - Threat Hunting via Sysmon 14


Links to resources mentioned in my talk:

Commands to analyze the Sysmon events I discussed (download this EVTX file and run the exact same PowerShell commands on your Windows system):
  • Any command referencing ADMIN$:
    • Get-WinEvent @{Path="sysmon-atlseccon.evtx";id=1} | Where {$_.Message -like "*ADMIN$*"} | fl
  • Any command referencing both cmd.exe and wmiprvse.exe:
    • Get-WinEvent @{Path="sysmon-atlseccon.evtx";id=1} | Where {$_.Message -like "*cmd.exe*" –and $_.Message -like "*wmiprvse*"} | fl
  • File Block Executable (blocked EXE upload): 
    •  Get-WinEvent @{Path="sysmon-atlseccon.evtx";id=27} | fl
  • Create Remote Thread (Hashdump and process migration): 
    • Get-WinEvent @{Path="sysmon-atlseccon.evtx";id=8} | fl


No comments: