If you get a chance you may briefly look at old articles related to this topic as I will be briefly referencing them or quickly summarizing portions of my configuration…. [Continue Reading]
Category: Sysmon
Labeling endpoint actions with Logstash – Threat Hunting
There’s been plenty of instances where I have to go through an investigation after a user has clicked on a phishing email and find out what happened later. After performing… [Continue Reading]
Monitoring the monitor: Sysmon status
You’re probably reading this article because you understand how important Sysmon is to your environment. Without Sysmon, it’s difficult to log most endpoint actions unless you have advanced auditing turned… [Continue Reading]
Threat Hunting with Sysmon: Word Document with Macro
As I’ve stated before, Sysmon is a great tool for gaining insight of what’s running in our systems and what changes are occurring in our endpoints. With that being said,… [Continue Reading]
Detecting Outbound connections Pt. 3 – Microsoft IPs & Private IPs
At this point you’re still excited about logging any outbound connections made by your endpoints, specially knowing exactly “what” made those connections (.exe, .dlls, .tmp, etc..) because of Sysmon. Now… [Continue Reading]
Detecting Outbound connections Pt. 1 – Sysmon
I’ve been using Sysmon for quite some time now and it has made my life much easier when hunting for unknown processes or looking for outbound connections. My use case… [Continue Reading]
Sysmon: Getting started
I’ve been using Sysmon for about 2 years now and it’s one of my favorite Sysinternal tools. My use-cases include and are not limited to the following: Finding unknown &… [Continue Reading]
Advanced Sysmon filtering using Logstash
When I initially deployed Sysmon earlier last year I was amazed by the amount of details it gathered as well as the huge amount of logs that my ELK stack… [Continue Reading]
Deploying Sysmon through Group Policy (GPO) *Updated scroll down*
Here’s a way to deploy Sysmon to all of your domain endpoints using Group Policy. Step1: Create sysmon install batch file First create a batch file that will be placed… [Continue Reading]