Supercharge Your SOC with Sysmon

via YouTube

Overview

Learn how to enhance your Security Operations Center (SOC) using Sysmon in this conference talk from BSidesPhilly 2017. Explore endpoint visibility, Sysmon configuration, log transportation, and SIEM integration. Discover techniques for detecting various malicious activities, including Word macro payloads, PowerShell execution, physical attacks, lateral movement, and credential dumping. Gain insights into investigation methods using PowerShell and Excel, and learn about advanced analytics with Spoor. Get practical advice on implementing Sysmon to improve your organization's security posture.

Syllabus

Intro
What's happening on our endpoints?
Sysmon Visibility
Getting Started with Sysmon
Swift vs. SIG Sysmon Config
Transporting Logs with WEC
SIEM Integration
What kinds of badness can we detect?
Malicious Microsoft Word Macro Payload
Malicious PowerShell Execution
Rubber Ducky and Mouse Jacking Attacks
Sticky Keys Attack
Lateral Movement with WMI
Lateral Movement with PsExec
Lateral Movement with Sneaky PsExec
Dumping Credentials from Memory
Investigation with PowerShell & Excel
Malspam with Word Macro
Malspam SIEM Alert
Getting Sysmon Events via PowerShell
Adding Sysmon Fields to Events Properties
Interacting with Excel via PowerShell
Advanced Analytics with Spoor
How can you get started with Sysmon?
