Awesome DFIR - Digital Forensics & Incident Response

Sysmon DFIR

  • Endpoint detection Superpowers on the cheap - part 1 (medium.com)

    In this blog series, I will talk about my endpoint detection stack focused on Windows environments and mostly based on Sysmon. I feel I need to fire some form of disclaimer: this series of posts is not a silver bullet. It will require tuning and real work to be truly effective in your environment.
  • Universally Evading Sysmon and ETW (blog.dylan.codes)

    The source code and latest release are both available. Sysmon and Windows event log are both extremely powerful tools in a defender's arsenal. Their very flexible configurations give them great insight into the activity on endpoints, making the process of detecting attackers a lot easier. It's for this reason
  • JPCERTCC/SysmonSearch (github.com)

    SysmonSearch makes event log analysis more effective and less time consuming by aggregating event logs generated by Microsoft's Sysmon. SysmonSearch uses Elasticsearch and Kibana (and a Kibana plugin). Elasticsearch collects/stores Sysmon's event log. Kibana provides the user interface for your Sysmon event log analysis. The following functions are implemented as a Kibana plugin.