Eric Conrad

Author, SANS Faculty Fellow, and CTO of Backshore Communications

Monday, April 01, 2024

Detecting Command and Control frameworks via Sysmon and Windows Event Logging

My talk: https://github.com/eric-conrad/c2-talk/

Team Cymru - S2 Threat Research Team: Top C2 Frameworks
My previous C2 detection talk: Leave Only Footprints: When Prevention Fails
EVTX files from Leave Only Footprints: When Prevention Fails
Sysmon: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Impacket: https://github.com/fortra/impacket
wmiexec,py: https://github.com/fortra/impacket/blob/master/examples/wmiexec.py
Imphash: https://www.mandiant.com/resources/blog/tracking-malware-import-hashing

Posted by Eric Conrad at 11:32 AM

No comments:

Newer Post Older Post Home

Subscribe to: Post Comments (Atom)

About Me

Eric Conrad: Peaks Island, ME, United States; CTO, Backshore Communications

I am a SANS Faculty Fellow, co-author of SANS Security 511, MGT 414, and Security 542.

I am GIAC GSE #13.

I am a graduate of the SANS Technology Institute, with a Master of Science in Information Security Engineering (MSISE)

My Amazon author page

Email me: blogger7@backshore.net

Mastodon: conrad@infosec.exchange

View my complete profile

My videos and podcasts

Cyber Security Interviews - You need to be interested beyond 9-5
DerbyCon 2017: Introducing DeepBlueCLI v2 now available in PowerShell and Python
Paul's Security Weekly #519
How to become a SANS instructor
DerbyCon 2016: Introducing DeepBlueCLI a PowerShell module for hunt teaming via Windows event logs
Security Onion Con 2016: C2 Phone Home
Long tail analysis

CISSP® Study Guide

CISSP® Study Guide, 3rd Edition

Twitter

Follow @eric_conrad

LinkedIn

My Books

CISSP Study Guide 3E
Eleventh Hour CISSP 2E

Join My Lists

CISSP
Sec511 Alumni

Upcoming Conferences

http://www.sans.org/instructors/eric-conrad

My Infosec Papers and Links

Waking Sleeping Dogs: Information Security Ethics
MGT 414 Images
CISSP Study Guide Errata

SANS GIAC Certifications and Gold Research

My SANS GIAC certifications
Detecting Spam with Genetic Regular Expressions
A Heap o’ Trouble / Heap-based flag insertion buffer overflow in CVS

Blog Archive

▼ 2024 (2)
- ▼ April (2)
  - Building Containment Fields: How to Secure Containers
  - Detecting Command and Control frameworks via Sysmo...

► 2023 (3)
- ► June (2)
- ► January (1)

► 2022 (1)
- ► April (1)

► 2020 (5)
- ► August (1)
- ► June (2)
- ► May (1)
- ► January (1)

► 2019 (3)
- ► November (1)
- ► May (1)
- ► April (1)

► 2018 (4)
- ► December (2)
- ► April (2)

► 2017 (2)
- ► September (1)
- ► April (1)

► 2016 (5)
- ► October (1)
- ► September (2)
- ► August (1)
- ► April (1)

► 2015 (4)
- ► December (1)
- ► November (1)
- ► April (1)
- ► January (1)

► 2014 (1)
- ► March (1)

► 2013 (3)
- ► June (1)
- ► May (2)

► 2012 (6)
- ► September (1)
- ► July (2)
- ► May (1)
- ► March (1)
- ► February (1)

► 2010 (5)
- ► September (1)
- ► August (1)
- ► July (1)
- ► May (1)
- ► March (1)

► 2009 (9)
- ► November (2)
- ► August (1)
- ► June (1)
- ► April (1)
- ► March (4)

► 2008 (13)
- ► December (3)
- ► November (1)
- ► October (3)
- ► August (1)
- ► July (1)
- ► April (1)
- ► March (2)
- ► February (1)

► 2007 (21)
- ► December (1)
- ► November (1)
- ► October (3)
- ► September (2)
- ► July (2)
- ► June (4)
- ► April (3)
- ► March (3)
- ► February (2)

Network/Security Blogs

SANS Technology Institute: Security Laboratory
The Internet Storm Center
F-Secure's Security Blog

Awesome Inc. theme. Powered by Blogger.