Learning Sysmon - Tracking When Drivers Are Loaded (Video 9)
In this video, Research Team Lead Carlos Perez provides methods and recommendations for setting up a baseline in order to get the best value from this event type. He also demonstrates the collection using drivers that are currently being leveraged by an attacker.
Windows Driver Block List:
Sysmon Modular:
Sysmon Community Guide:
Olaf Sysmon Modular video
PSGumshoe PowerShell Module
Sysmon Visual Studio Code Extension
00:00:00 Intro
00:01:19 Building a Baseline
00:01:35 Baseline Configuration Demo
00:04:13 Creating a Rule Set from baseline
00:07:05 Testing with Mimikatz
00:08:28 Test Revoked Driver
00:09:42 WDAC Driver Block Rules
00:10:24 Testing with Vulnerable Driver
00:11:40 Summary