PowerSIEM - Analyzing Sysmon Events with PowerShell - Dynamic Malware Analysis
00:00 - Intro
00:36 - Talking about PowerSIEM
01:40 - Installing Sysmon with Florian Roth's default config
03:30 - Showing what PowerSIEM does by running it and opening a command prompt, browser, etc.
04:50 - Explaining the PowerSIEM script, how it works, and all the current Sysmon events
07:50 - Setting breakpoints in PowerShell ISE
08:48 - Adding data to the Registry Set event
11:58 - Showing that just running a Sysinternals tool creates a registry key for accepting the EULA
13:45 - Running Impacket's psexec, to find out Defender stops it. Running the Sysinternals version and showing Defender allows it.
14:50 - Using PowerSIEM to show how the Sysinternals PsExec works.
15:50 - Disabling AV, running Impacket's version again to show how it differs
17:35 - Creating a Cobalt Strike Beacon and showing some alerts
18:25 - Hiding network connection alerts in PowerSIEM by just commenting out the Write Alert line
20:00 - Running a shell command in Cobalt Strike and showing what it looks like in PowerSIEM
21:00 - Running Mimikatz and talking about its sacrificial process, pipes, and Mimikatz accessing LSASS
24:05 - Showing not everything will be logged
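The 08:48 and 11:58 segments revolve around Sysmon's Registry Set event (Event ID 13) and the EULA key a Sysinternals tool writes on first run. The snippet below is an added example, not the PowerSIEM script from the video: it reads recent Registry Set events from the Sysmon operational log with Get-WinEvent and flags writes to a Sysinternals EulaAccepted value. It assumes Sysmon is installed and the shell can read that log; the ten-minute look-back window is an arbitrary choice.

```powershell
# Added example (not PowerSIEM's own code). Pull Sysmon Registry Set events
# (Event ID 13) and surface the Sysinternals EULA-acceptance artefact.
$LogName = 'Microsoft-Windows-Sysmon/Operational'
$Since   = (Get-Date).AddMinutes(-10)   # assumed look-back window

# Sysmon keeps its fields in <EventData><Data Name="...">; extract them by name.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time         = $Event.TimeCreated
        Id           = $Event.Id
        EventType    = $data['EventType']     # SetValue for ID 13
        Image        = $data['Image']         # process that wrote the value
        TargetObject = $data['TargetObject']  # full registry path
        Details      = $data['Details']       # value written
    }
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = $LogName; Id = 13; StartTime = $Since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $ev = ConvertFrom-SysmonEvent -Event $e
    # Sysinternals tools store acceptance under ...\Software\Sysinternals\<Tool>\EulaAccepted
    if ($ev.TargetObject -match '\\Software\\Sysinternals\\[^\\]+\\EulaAccepted$') {
        Write-Host ("[{0}] Sysinternals first run: {1} set {2} = {3}" -f `
            $ev.Time, $ev.Image, $ev.TargetObject, $ev.Details) -ForegroundColor Yellow
    } else {
        Write-Host ("[{0}] Registry Set by {1}: {2} -> {3}" -f `
            $ev.Time, $ev.Image, $ev.TargetObject, $ev.Details)
    }
}
```

Run it after launching any Sysinternals tool for the first time (or with -accepteula) to see the yellow line; as the 24:05 segment notes, a tool that never touches that key leaves no such trace, so this is one indicator among several, not a complete detection.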