PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis

00:00 - Intro
00:36 - Talking about PowerSIEM
01:40 - Installing Sysmon with Florian Roth's default config
03:30 - Showing what PowerSIEM does by running it and opening a command prompt, browser, etc.
04:50 - Explaining the PowerSIEM script, how it works, and all the current Sysmon events
07:50 - Setting breakpoints in PowerShell ISE
08:48 - Adding data to the Registry Set event
11:58 - Showing that just running a Sysinternals tool creates a registry key for accepting the EULA
13:45 - Running Impacket's psexec, finding out Defender stops it. Running the Sysinternals version and showing Defender allows it.
14:50 - Using PowerSIEM to show how the Sysinternals PsExec works
15:50 - Disabling AV, running Impacket's version again to show how it differs
17:35 - Creating a Cobalt Strike Beacon and showing some alerts
18:25 - Hiding network connection alerts in PowerSIEM by just commenting out the Write Alert line
20:00 - Running a shell command in Cobalt Strike and showing what it looks like in PowerSIEM
21:00 - Running Mimikatz and talking about its sacrificial process, pipes, and Mimikatz accessing LSASS
24:05 - Showing that not everything will be logged
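The chapter list above describes the core of what the video's script does: read Sysmon events from the Windows event log, pick out the fields that matter (a registry value being set, a process opening LSASS, an outbound connection) and write an alert line, with noisy alerts silenced by commenting out a line. The block below is an added example written for this page, not IppSec's PowerSIEM code, that does the same thing in a minimal, self-contained way. Event IDs and field names are taken from the Sysmon event schema (13 = RegistryEvent value set, 10 = ProcessAccess, 3 = NetworkConnect); the two sample events are constructed, not real captures, so the parsing runs without Sysmon installed; the LSASS allowlist and the sample paths are illustrative assumptions to be tuned for a real host.

```powershell
# Added example, not the PowerSIEM script from the video. Parses Sysmon events
# into flat objects carrying the record's own timestamp, then emits alert lines
# for a few of the patterns the video walks through.

function ConvertFrom-SysmonEvent {
    # Convert one Sysmon event, as the XML string returned by EventLogRecord.ToXml(),
    # into an object with EventId, TimeCreated and one property per <Data Name="..."> field.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $fields = [ordered]@{
            EventId     = [int]$x.Event.System.EventID
            TimeCreated = [datetime]$x.Event.System.TimeCreated.SystemTime
        }
        foreach ($d in $x.Event.EventData.Data) {
            # GetAttribute avoids the clash between the Name attribute and XmlElement.Name.
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]$fields
    }
}

function Get-SysmonAlert {
    # Return an alert string for events of interest, nothing otherwise. To hide a
    # class of alerts (as the video does for network connections), comment its case out.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $ts = $Record.TimeCreated.ToString('o')
        switch ($Record.EventId) {
            13 {
                # Registry value set: every Sysinternals tool writes EulaAccepted on first run.
                if ($Record.TargetObject -like '*\Software\Sysinternals\*\EulaAccepted') {
                    "$ts REGISTRY  $($Record.Image) set $($Record.TargetObject) = $($Record.Details)"
                }
            }
            10 {
                # Process access: anything outside a small allowlist (an assumption, tune it)
                # opening lsass.exe is the Mimikatz-style credential access pattern.
                if ($Record.TargetImage -like '*\lsass.exe' -and
                    $Record.SourceImage -notmatch '^C:\\Windows\\System32\\(csrss|wininit|lsm|svchost)\.exe$') {
                    "$ts LSASS     $($Record.SourceImage) opened lsass.exe with access $($Record.GrantedAccess)"
                }
            }
            3 {
                # Network connection: only outbound (Initiated=true); noisy on a workstation.
                if ($Record.Initiated -eq 'true') {
                    "$ts NETWORK   $($Record.Image) -> $($Record.DestinationIp):$($Record.DestinationPort)/$($Record.Protocol)"
                }
            }
        }
    }
}

# Constructed sample events (not real captures) in the Sysmon event schema.
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID><TimeCreated SystemTime="2020-05-01T14:02:11.123456700Z"/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>WORKSTATION</Computer></System><EventData><Data Name="EventType">SetValue</Data><Data Name="ProcessId">4120</Data><Data Name="Image">C:\Tools\PsExec.exe</Data><Data Name="TargetObject">HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Sysinternals\PsExec\EulaAccepted</Data><Data Name="Details">DWORD (0x00000001)</Data></EventData></Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID><TimeCreated SystemTime="2020-05-01T14:05:42.987654300Z"/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>WORKSTATION</Computer></System><EventData><Data Name="SourceProcessId">5208</Data><Data Name="SourceImage">C:\Windows\Temp\rundll32.exe</Data><Data Name="TargetProcessId">712</Data><Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data><Data Name="GrantedAccess">0x1010</Data></EventData></Event>
'@
)

# Offline run over the constructed samples: prints one alert line per sample.
$SampleEvents | ConvertFrom-SysmonEvent | Get-SysmonAlert

# Live run (Sysmon installed, elevated shell): the same pipeline over the real log.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3, 10, 13 } -MaxEvents 500 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-SysmonEvent | Get-SysmonAlert
```

Because each object carries the record's own TimeCreated rather than the time the script saw it, the lines can be shipped to a SIEM without the index time standing in for the event time, and the parsed objects can be written out with `ConvertFrom-SysmonEvent | Export-Csv -NoTypeInformation` when a flat file is wanted instead of alert text.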
Comments

Thank you so much IppSec for such short and informative videos. These videos motivate us to try out this stuff on a local VM. Btw, watched the Twitch stream as well. :)

saurabhshinde

Great content! Nice to see you share stuff on mixed subjects

mindtropy

That's pretty funny. Just yesterday we had an IR case with a Cobalt Strike DNS Beacon. Thanks for sharing this!

-Giuseppe

Hey, love the content on defensive security! Your Twitch stream on Sysmon was awesome. Unfortunately, I don't get to watch live as I'm swamped with homework. But I truly appreciate the videos on defensive security; it helps in many different important, if not more important, ways than offensive!

sechvnnull

Thank you so much IppSec, I don't have enough words to thank you for these informative videos! 🙏🙏

blabla-grtj

Thanks for this, I'll try to integrate this with my open-source NSM.

beyblade

Hi IppSec, love that you have Twitch; around that time I used to watch it all the time. Just sad that it's not in my UTC when I'm free in Israel. You're smart and I love to see you explain some things.
Hope to be like you some day; for now I'm a n00b.

guyashkenazi

Finally! Ipp starts to branch off from HTB! 🎉

wkppp

I hope you make more blue team content. Thanks

skywlker

How much programming do I need to learn to become a full cybersecurity professional, or to reach your level?

maclie

Thank you so much for sharing. It would be great if you could do more blue team videos.

mzynehtb

Great stuff! If it was to go into a SIEM like Splunk, I think it would be good to add timestamps to each event, as otherwise it would be indexed with the index/current time rather than the actual event time.

takeshikovacs

I stumbled a bit on the PowerShell execution scope.
Pay attention to the execute permission.

pensee

Hey mate, love your content, please never stop! Could you possibly link your git project, and Florian's, in the description?

domnovoi

Brilliant work, is it possible to capture the results as CSV?

cookiemaster