Podcasts about sysmon

In this episode of the Azure Podcast, Sujit D'Mello and the team, including Cynthia, Evan, and Cale, are joined by special guest Mario Hewardt, an engineering manager on the Sysinternals team. Mario shares insights into the evolution of Sysinternals tools, their cross-platform journey, and their integration with Azure services. The discussion covers the development process, challenges faced, and the innovative features being added to these essential diagnostic tools. Tune in to learn about the latest updates and how Sysinternals continues to support both Windows and Linux environments.   Media file: https://azpodcast.blob.core.windows.net/episodes/Episode514.mp3 YouTube: https://youtu.be/6TAJfqnScuI   Resources: Sysinternals (/Windows) https://learn.microsoft.com/en-us/sysinternals/ https://learn.microsoft.com/en-us/answers/questions/ Email: syssite@microsoft.com ZoomIt is open source as part of PowerToys - https://github.com/microsoft/PowerToys   Sysinternals (/Linux) ProcDump for Linux - https://github.com/microsoft/ProcDump-for-Linux Procmon for Linux - https://github.com/microsoft/ProcMon-for-Linux Sysmon for Linux - https://github.com/microsoft/SysmonForLinux For help with Linux tools, please file issues/discussions on GitHub.   Social media Bluesky: @sysinternals  

Today Amanda Berlin from Blumira teaches us how to unlock the power of Sysmon so we can gain insight into the good, bad and ugly things happening on our corporate endpoints!  Key takeaways: Sysmon turns your windows logging up to 11, and pairs well with a config file like this one or this one. Careful if you are are running sysmon on non-SSD drives - the intense number of writes might bring that disk to its knees. Just getting started logging all the things with sysmon?  Why not pump those logs into a free logging/alerting system like Wazuh? I think it was SolarWinds log collector I was trying to think of while recording the show, not CloudTrail.

Sponsor by SEC Playground --- Support this podcast: https://podcasters.spotify.com/pod/show/chillchillsecurity/support

In this segment we welcome Carlos Perez back to the show! Carlos will discuss methods we can use to hide one systems and cover our tracks. We'll cover how on a system (as administrator) the blue team's struggle using default logs or even on a default install of Sysmon to detect an attacker. Attackers can selectively disable modern event log providers, take action and then re-enable. We will demo this and how to best monitor for this technique.   Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-789 

Resources for this episode available at 505updates.com. From Edwin Kwan in Sydney, Australia: The JavaScript NPM registry has a manifest confusion vulnerability which can allow the installation and execution of malicious files without the user's knowledge. From Ian Garrett in Arlington, Virginia: Microsoft Sysmon just got a beefy upgrade. Sysmon is a free Microsoft Sysinternals tool that can monitor and block malicious or suspicious activity and log events to the Windows event log.From Katy Craig in San Diego, California: There's a new process injection technique that could give threat actors a way to bypass security solutions and wreak havoc on compromised systems. From Marcel Brown in St. Lous, Missouri: The iPhone turned out to be the computing device that we all wished we had, yet didn't know what we were missing until we had one. It has literally impacted nearly every aspect of our society, and it is no stretch to say that the iPhone has changed the world.From Sourced Network Production in New York city. "It's 5:05". I'm Pokie Huang. Today is Thursday, June 29th. Here's the full story behind today's cyber security and open source headlines...

In this segment we welcome Carlos Perez back to the show! Carlos will discuss methods we can use to hide one systems and cover our tracks. We'll cover how on a system (as administrator) the blue team's struggle using default logs or even on a default install of Sysmon to detect an attacker. Attackers can selectively disable modern event log providers, take action and then re-enable. We will demo this and how to best monitor for this technique.   Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-789 

In this live stream, Cribl's Ed Bailey and CDW's Brenden Morgenthaler discuss a foundational issue with many security programs — having the right data to detect issues and make fast decisions. Data drives every facet of security, so bad or incomplete data weakens your overall program. Watch the video or continue reading below to learn about these issues and the strategies we use to solve security's data problem. As the amount of data, tools, systems, and clouds continue to increase, the threat to enterprises' security posture has risen as well. It simply doesn't matter what kind of SIEM you have anymore — even if it's as good as Splunk or its alternatives. If you don't have the right data, you'll run into problems. The Problem with Dropping Data Sources Due to Budget Constraints Budgets can no longer keep up with the amount of data that needs to be processed, so organizations are forced to get by without collecting and analyzing everything they should. As a result, security teams are forced to turn off data sources that could provide them valuable insights into credible threats. One client that Brenden and the team at CDW worked with got a firsthand look at the effects this has during a pen test they performed. They tested some common detections and were surprised to find that their red team engineer was able to completely compromise the domain and gain full control — simply because they had turned off all audit events on Kerberos. Situations like this are much too common and are just the tip of the iceberg —which is why it's so critical to have visibility into all areas of your network. You also need someone who knows all the different attack vectors so they can help you set up your infrastructure to avoid them. Poorly Formatted but Crucial Data Sources Eat Up Licensing Costs Data sources like Powershell, Sysmon, and Windows DNS debug logs are generally more difficult to work with. In the past, you'd have to rely on the heavy forwarder on the Splunk side or a ton of manual fine-tuning of things on the source side to handle the flood of data coming in from all these different systems and formats. This is where a tool like Cribl Stream can help — you can turn on a data source, send it to Stream, and then route to null by default. Then you can pull out specific streams and send them to your other tools as necessary. Other data won't need to be processed but will need to be kept for regulatory compliance issues, so you can keep it offline in raw, unmodified form in a data lake or send it to an object storage like an S3 bucket for as long as you need. Then if you need to recall it to investigate a data breach, you can use the replay feature in Stream to ingest it back through to whatever source you want without having to use your license or processing power. You can also use Cribl Stream to take advantage of EDR data. We see a lot of companies make enormous investments in EDR tools that also produce very accurate data, especially around assets — but then they don't take that data and put it into their SIEM because it's just too expensive. With Stream, you can take the majority of that EDR data and route it to a data lake, and then get value from the other 10-15% by routing it to your SIEM in the exact format you need it. Data Volume Management Strategies to Get the Best Results for Security To get the most value out of your data for security, you need to know what regulatory compliance you have to meet — what type of logs do you have to retain, and for how long? It also helps to have a good understanding of all the tools you have, what systems are in place, and what the limits are on your ingestion licenses. From there, securing your perimeter is the best place to start. You want your authentication sources, MFA sources, and VPN set up first, and then you can start bringing in all your security tools. The Mitre Attack framework is incredibly helpful to figure out what vertical you're in and see the common threat actors or attacks right you might encounter so you can decide which sources and services you'll need visibility from. Having had a long career in IT, I became used to constraints and compromise — which is why I was caught off guard when I first saw Cribl Stream back before I joined the company. Not having to make concessions on which data to pull in, where I could send it, what format it was in, or what my vendor would support was unexpected, to say the least. This choice and control is giving security teams the ability to have faster detections and even better responses to cyber threats. Be sure to watch the full conversation between Ed and Brenden, and connect with us in our Cribl Slack community if you have any questions or want to continue the discussion!  

Konfigurační soubory Floriana Rotha: https://github.com/Neo23x0/sysmon-config Sysmon 14.0: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon Janet Jackson had the power to crash laptop computers: https://devblogs.microsoft.com/oldnewthing/20220816-00/?p=106994

This week Dr. Doug talks: Janet Jackson, Legit British hacking, CS.Go, PyPI, swiss voting, Vegas, Sysmon, and show wrap-ups on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn233

This week Dr. Doug talks: Janet Jackson, Legit British hacking, CS.Go, PyPI, swiss voting, Vegas, Sysmon, and show wrap-ups on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly   Show Notes: https://securityweekly.com/swn233

This week Dr. Doug talks: Janet Jackson, Legit British hacking, CS.Go, PyPI, swiss voting, Vegas, Sysmon, and show wrap-ups on the Security Weekly News.   Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn233

Part 2 of our discussion this week with Amanda, Brian, and Bryan on sysmon, We discuss use cases from her talk, and best ways to get sysmon integrated into your environment.   BrakeSec is: Amanda Berlin @infosystir Brian Boettcher @boettcherpwned Bryan Brake @bryanbrake https://www.brakeingsecurity.com   Our #twitch stream can be found at: Https://twitch.tv/brakesec (subscription is req'd to see full videos)

This week Amanda, Brian, and Bryan discuss sysmon, how it works to detect IOCs in your org, and how it extends beyond regular Windows event monitoring.   oh... and it's available for Linux too! BrakeSec is: Amanda Berlin @infosystir Brian Boettcher @boettcherpwned Bryan Brake @bryanbrake https://www.brakeingsecurity.com   Our #twitch stream can be found at: Https://twitch.tv/brakesec (subscription is req'd to see full videos)

Wazuh! It works! Not only does it work, but it's awesome. We're also covering detection as part of a security program. You can't have good security without detection. We're also throwing in a bit of VMware management. Can't manage labs in VMware without some management know how. LINKS1. Wazuh · The Open Source Security Platform2. Lab Instructions - Emulation of ATT&CK techniques and detection with Wazuh3. Sysmon config from SwiftOnSecurity4. Wazuh Server Rules5. Video: Installing The EDR Solution WazuhFIND US ON1. Twitter - DamienHull2. YouTube

Sysmon's ReigstryEvent (Value Set) and Binary Data https://isc.sans.edu/forums/diary/Sysmons+RegistryEvent+Value+Set/28558/ Ukraine CERT Posts: IcedID and Zimbra Flaw https://cert.gov.ua/article/39606 https://cert.gov.ua/article/39609 New NSO Pegasus Exploit Spotted in the Wild https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/ Unofficial Windows 11 Upgrade Delivers Spyware https://www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/

Sysmon's ReigstryEvent (Value Set) and Binary Data https://isc.sans.edu/forums/diary/Sysmons+RegistryEvent+Value+Set/28558/ Ukraine CERT Posts: IcedID and Zimbra Flaw https://cert.gov.ua/article/39606 https://cert.gov.ua/article/39609 New NSO Pegasus Exploit Spotted in the Wild https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/ Unofficial Windows 11 Upgrade Delivers Spyware https://www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/

Time for more Wazuh and Sysmon. This time we're adding Atomic Red Team for testing. This is starting to look really good. Unfortunately we're missing something. LINKS1. Wazuh · The Open Source Security Platform2. Lab Instructions - Emulation of ATT&CK techniques and detection with Wazuh3. Sysmon config from SwiftOnSecurity4. Wazuh Server Rules5. Video: 163. Use Sysinternals Sysmon with Wazuh: The Swiss Army Knife for Windows MonitoringFIND US ON1. Twitter - DamienHull2. YouTube

We've packed a lot into one episode. We're reviewing Dorothy's lab, Wazuh & Sysmon and Microsoft 365. We do have some good news. Got Sysmon installed. We also have access to good Microsoft 365 instructions and a book. We're moving in the right direction. LINKS1. Sysmon Installation2. Microsoft 365 Business Premium Partner Playbook and Readiness Series3. Office 365 for IT Pros4. ITProMentor: The Microsoft 365 Consultant's BundleFIND US ON1. Twitter - DamienHull2. YouTube

Time to go deeper down the Sysmon rabbit hole. Looks like Wazuh does a lot more than we thought. LINKS1. Sysmon2. WazuhFIND US ON1. Twitter - DamienHull2. YouTube

Time to start thinking about our Sysmon deployment. There are a lot of moving parts to this project. It won't be a simple install on Windows 10. That's just a small part of the project. LINKS1. Security Onion2. Getting started with Elastic Stack3. Sysmon4. WazuhFIND US ON1. Twitter - DamienHull2. YouTube

Remote Desktop Protocol RDP Discovery https://isc.sans.edu/forums/diary/Remote+Desktop+Protocol+RDP+Discovery/27984/ Sysmon Update https://isc.sans.edu/forums/diary/Sysinternals+Autoruns+and+Sysmon+updates/27986/ Google Chrome Updates https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html AbstractEmu Malware Roots Android https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign Microsoft Defender For Endpoint Web Content Filtering https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/web-content-filtering-now-generally-available-on-windows/ba-p/2893357

Remote Desktop Protocol RDP Discovery https://isc.sans.edu/forums/diary/Remote+Desktop+Protocol+RDP+Discovery/27984/ Sysmon Update https://isc.sans.edu/forums/diary/Sysinternals+Autoruns+and+Sysmon+updates/27986/ Google Chrome Updates https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html AbstractEmu Malware Roots Android https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign Microsoft Defender For Endpoint Web Content Filtering https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/web-content-filtering-now-generally-available-on-windows/ba-p/2893357

Sysmon konfigurace: https://github.com/SwiftOnSecurity/sysmon-config VIDEO: Česká republika součástí 31 zemí se společnou strategií boje proti ransomwaru – SecurityCast Ep#80 - YouTube Česká republika byla jednou z 31 zemí, které se zúčastnili virtuální schůzky iniciativy Counter-Ransomware; Google vydal zprávu, která se podrobně zabývá více než 80 miliony vzorků ransomwaru; Ad-blocker co injektuje reklamy; Sysmon slaví 25 let a lze ho používat i s Linux a doporučení s ním spojená. Sledujte nás i na Twitteru @Jk0pr a @AlefSecurity.

Sponsor by SEC Playground แบบสอบถามเพื่อปรับปรุง Chill Chill Security Channel: https://forms.gle/e5K396JAox2rZFp19 Music by https://www.bensound.com/ --- Support this podcast: https://anchor.fm/chillchillsecurity/support

Hyundai desarrollará sus propios chips, con casinos, y... / IKEA explota en ventas online / Aviones regionales de hidrógeno / Las nórdicas lideran el 5G / Aerogeneradores negros / Sysmon para Linux Patrocinador: La mejor manera de conseguir nuevos clientes para tu empresa es de la mano de Informa D&B https://www.informa.es/, la empresa líder información sobre empresas y empresarios. El 89% de las empresas del Ibex 35 ya confían en ellos. Solicita dos informes gratis sin compromiso https://www.informa.es/ llamando al 902 176 076 http://tel/, o en informa.es https://www.informa.es/. Hyundai desarrollará sus propios chips, con casinos, y... / IKEA explota en ventas online / Aviones regionales de hidrógeno / Las nórdicas lideran el 5G / Aerogeneradores negros / Sysmon para Linux  Hyundai se cansa de la escasez de chip y dice que desarrollará los suyos propios. El gigante industrial coreano, uno de los pocos cuyas ventas están aumentando en medio de la crisis de componentes, quiere ser menos dependiente https://www.reuters.com/technology/hyundai-motor-says-it-wants-develop-chips-cut-reliance-chipmakers-2021-10-13/ de empresas externas para la parte informática de sus coches. — Supongo que optarán por ARM, e irán módulo a módulo.  El comercio electrónico ya supone el 22% de los ingresos de IKEA en España. Sorprendente cifra https://www.silicon.es/ventas-record-de-ikea-en-espana-gracias-al-canal-virtual-que-ya-supone-el-22-de-su-facturacion-2446583 de una empresa que tradicionalmente fue muy reacia a adoptar la venta directa desde su web, y que ha apostado siempre por sus tiendas físicas tan diferentes. — Curiosamente España es el tercer mayor mercado de IKEA a nivel mundial, tras EE.UU y Rusia.  Convirtiendo aviones de media distancia a motores de hidrógeno para 2025 es el plan de Universal Hydrogen, una startup de Los Ángeles que tiene acuerdos con las aerolíneas española Air Nostrum, Icelandair o Ravn Alaska, entre otras, para instalar unos kit de conversión https://archive.ph/NKFLz que permitan modificar un avión existente en uno de energía renovable.  Su secreto son unas bombonas gigantes https://hydrogen.aero/wp-content/uploads/2021/10/Regional-Aircraft3.jpg donde se almacenará el hidrógeno en vez de en depósitos continuados como los combustibles líquidos actuales.  EE.UU. prepara una ley para evitar el trato preferente de empresas tecnológicas a sus productos y servicios desde las plataformas de su propiedad https://archive.ph/zmTKz. De aprobarse afectaría a cómo se distribuye Apple Music frente a Spotify, Microsoft Edge frente a otros navegadores, Google enlazando a YouTube en sus resultados de búsqueda, etc.  Los fabricantes nórdicos están ganando la carrera del 5G. Ericsson y Nokia superan por primera vez a Huawei https://archive.ph/PuLl8 en cantidad de antenas de 5G a Huawei, con una cuota combinada de 30,4% del total global, frente al 28,8% de la firma china. Un ligero cambio de tendencia en una industria que se ha hiper-politizado.  En la otra parte de la señal, Apple lidera la venta de móviles con 5G https://twitter.com/mixx_io/status/1448239731591073793 a pesar de haber empezado hace un año.  Pintan las palas de los aerogeneradores de negro para disuadir a los pájaros. Aunque no son los primeros en hacerlo, Iberdrola ha empezado a lijar y pintar de negro una de las palas https://elperiodicodelaenergia.com/iberdrola-implanta-un-proyecto-para-disuadir-a-las-aves-en-tres-parques-eolicos-de-navarra-y-cadiz/ de los grandes generadores eólicos para reducir hasta un 70% el impacto de aves. — También han puesto unos vinilos con forma de "ojo" en la base para ahuyentar a las rapaces.  Sony realizará loterías de PlayStation 5 para decidir quien puede comprarlas. La continuada escasez por segundas navidades seguidas fuerza al fabricante japonés a racionar la venta de PlayStation 5 en algunos países, dejando una remesa exclusiva https://www.playstation.com/en-us/ps5/register-to-buy/ para sus clientes "basado en actividad del pasado", y limitada a una por PSN ID.  Los vendedores de Amazon te podrán preguntar por qué les has dejado una mala reseña. El comercio digital crea una nueva herramienta de comunicación directa con los clientes que dejen una reseña de 1, 2 ó 3 estrellas https://www.ecommercebytes.com/2021/10/13/amazon-offers-some-sellers-a-new-contact-customer-tool/. Puede ser útil, porque incluso podrán ofrecer devoluciones directamente, pero me temo que muchos la usarán para acosar a los clientes.  Microsoft lanza Sysmon para Linux. La potente y tradicional herramienta de monitorización de eventos de Windows ahora tendrá una versión para Linux https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-linux-version-of-the-windows-sysmon-tool/ que además es de código abierto https://github.com/Sysinternals/SysmonForLinux. Muy utilizada por expertos de seguridad, aunque en Linux existe Audit https://rubensa.wordpress.com/2018/07/23/auditando-sistemas-linux-con-el-demonio-audit/, pero creo que es menos potente. — Por favor inundadme de quejas el email si estoy equivocado.  LinkedIn cierra en China. Millones de chinos protestan en las calles porque no podrán unirse a las redes de contactos de sus amigos y familiares nunca más. Ahora en serio, Microsoft ha cortado por lo sano https://blog.linkedin.com/2021/october/14/china-sunset-of-localized-version-of-linkedin-and-launch-of-new-injobs-app tras las presiones del gobierno para censurar la plataforma. — Sacarán una app más sencilla sin aspecto social llamada "InJobs" en el futuro.

In our last episode, we interviewed John Strand of Black Hills Information Security. Now it's time to analyze what he said. For this episode, we're looking at the technical side of the interview. We're saving the training portion for another episode. LINKS1. The Essential 8 from Australia 2. DeepBlueCLI3. Sysmon 4. Elastic Stack - ELK5. Security Onion 6. LogonTracer 7. sigma 8. JPCERT Tools 9. JPCERT: Tool Analysis Results Sheet FIND US ON1. Facebook2. Twitter - DamienHull

Are you struggling to find information on how to use Sysmon for your security efforts? In this episode, Carlos Perez, a Research Team lead at TrustedSec, shares all about the TrustedSec Sysmon Community Guide. Discover why Carlos created this guide and how it helps empower defenders with the information they need to leverage this great tool. Also, listen in to hear about Carlos’s extensive knowledge gained in working to detect attackers.

Sysmon is a free endpoint monitoring tool published by Microsoft in their sysinternals suite. It generates process creations, network connections, file creations, DNS, and now clipboard monitoring with v12. We'll discuss what's in the events and how to easily visualize and search them with Gravwell's new Sysmon Kit. This segment is sponsored by Gravwell.   Show Notes: https://wiki.securityweekly.com/psw671 Visit https://securityweekly.com/gravwell to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! 

Sysmon is a free endpoint monitoring tool published by Microsoft in their sysinternals suite. It generates process creations, network connections, file creations, DNS, and now clipboard monitoring with v12. We'll discuss what's in the events and how to easily visualize and search them with Gravwell's new Sysmon Kit. This segment is sponsored by Gravwell.   Show Notes: https://wiki.securityweekly.com/psw671 Visit https://securityweekly.com/gravwell to learn more about them! Visit https://www.securityweekly.com/psw for all the latest episodes! 

V důsledku ransomware útoku zemřel pacient poté, co musel být převezen do o hodinu vzdálenější nemocnice, zranitelnost CVE-2020-1472 a Sysmon verze 12.0.

https://tivia.fi/2020/09/01/vuoden-2020-vuoden-tietoturvapaallikko-on-valittu/Teemu Mäkelästä vuoden tietoturvapäällikköhttps://koronavilkku.fiKoronavilkku-sovelluksen kotisivuhttps://thl.fi/documents/533963/5860112/Johdon_tiivistelm%C3%A4-Koronavilkku-arviointi_25.08.2020.pdf/221c17db-05dd-4222-c001-2124ec9cbbd8?t=1598597462979Kyberturvallisuuskeskuksen selonteko Koronavilkku-sovelluksestahttps://yle.fi/uutiset/3-11523504Hakkeri Benjamin Särkän haastattelu Koronavilkku-sovelluksestahttps://www.hs.fi/teknologia/art-2000006621797.htmlKyberturvallisuusyhtiö Nixun selvitys Koronavilkku-sovelluksestahttps://darkweblink.com/alphabay-moderator-sentenced/AlphaBayn moderaattorille 11 vuotta vankeuttahttps://docs.microsoft.com/en-us/sysinternals/downloads/sysmonMicrosoftin Sysmon-työkalu parantaa valvontaahttps://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/Windows Defenderiä voi käyttää... haittaohjelmien lataamiseen?https://lolbas-project.github.io/Kokoelma käyttöjärjestelmien sisäänrakennettuja työkaluja hakkerointikäyttöönhttps://gtfobins.github.io/Och samma på Linuxhttps://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/Microsoftin Defender-virustorjuntaohjelmaa voi käyttää tiedostojen noutamiseen verkosta

Sysmon 11.10 and ADS Logging https://isc.sans.edu/forums/diary/Sysmon+and+Alternate+Data+Streams/26292/ Paloalto PAN-OS SAML Vulnerability https://security.paloaltonetworks.com/CVE-2020-2021 Cisco Telnet Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-telnetd-EFJrEzPx https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html

Sysmon 11.10 and ADS Logging https://isc.sans.edu/forums/diary/Sysmon+and+Alternate+Data+Streams/26292/ Paloalto PAN-OS SAML Vulnerability https://security.paloaltonetworks.com/CVE-2020-2021 Cisco Telnet Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-telnetd-EFJrEzPx https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html

Ashwin Patil, senior program manager at Microsoft's Threat Intelligence Center, shares how he built the AWS threat hunting samples for Azure Sentinel, what he loves about Jupyter and we re-visit the subject of Sysmon as previously discussed with Olaf Hartong. We also answer listener questions and get tips on how to start a career in cybersecurity.

Olaf Hartong, data dweller at FalconForce, talks about Sysmon, EDR tools, his work with Microsoft Defender ATP and Azure Sentinel, and his proposal for a rainbow of tactics in MITRE ATT&CK.

Exploring the Sysmon 11 File Deletion Protection https://isc.sans.edu/forums/diary/Sysmon+and+File+Deletion/26084/ Digicert CT Compromise https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/aKNbZuJzwfM WebLogic Flaw (new one..) Exploited in the Wild https://blogs.oracle.com/security/apply-april-2020-cpu

Čtvrtletní nárůst podvodných digitálních transakcí o 20%, autoři ransomwaru Shade publikovali šifrovací klíče a dekryptor, byla publikována verze 11.0 nástroje Sysmon a Izrael varuje před kybernetickými útoky na vodohospodářské a energetické organizace.

Exploring the Sysmon 11 File Deletion Protection https://isc.sans.edu/forums/diary/Sysmon+and+File+Deletion/26084/ Digicert CT Compromise https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/aKNbZuJzwfM WebLogic Flaw (new one..) Exploited in the Wild https://blogs.oracle.com/security/apply-april-2020-cpu

Privacy Preserving Protocols to Trace Covid19 Exposure https://isc.sans.edu/forums/diary/Privacy+Preserving+Protocols+to+Trace+Covid19+Exposure/26066/ Google Chrome Update https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_27.html https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security Updated Version of Sysmon https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon https://techcommunity.microsoft.com/t5/sysinternals-blog/sysmon-v11-0-livekd-v5-63-process-explorer-v16-32-coreinfo-v3-5/ba-p/1345153 Shade Ransomware Keys Released https://github.com/shade-team/keys/blob/master/README.md Exploiting the Exploiters https://medium.com/@curtbraz/exploiting-the-exploiters-46fd0d620fd8

Privacy Preserving Protocols to Trace Covid19 Exposure https://isc.sans.edu/forums/diary/Privacy+Preserving+Protocols+to+Trace+Covid19+Exposure/26066/ Google Chrome Update https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_27.html https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security Updated Version of Sysmon https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon https://techcommunity.microsoft.com/t5/sysinternals-blog/sysmon-v11-0-livekd-v5-63-process-explorer-v16-32-coreinfo-v3-5/ba-p/1345153 Shade Ransomware Keys Released https://github.com/shade-team/keys/blob/master/README.md Exploiting the Exploiters https://medium.com/@curtbraz/exploiting-the-exploiters-46fd0d620fd8

Attackers are increasingly using a 'living off the land' approach, often using crypto mining malware, EternalBlue, timing, or other attacks that leverage the Windows Management Instrumentation Command Line. These attacks typically don't generate any events via conventional Sysmon and PowerShell, so even if you're pulling in those logs you likely won't see them. Join this session to learn how to detect and protect your organization from these advanced WMI-based attacks. Speaker(s) Ryan Becwar, Sales Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1550.pdf?podcast=1577146229 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Intermediate

Initial compromises happen on your endpoints, so why are you not Splunking them? In this edition of Splunking The Endpoint, we will tell you exactly what to configure in Splunk, and where, why, and how to do so in order to get unparalleled visibility into threats targeting your network. Not only will we revisit popular operating system and open-source endpoint data sources like Sysmon and Osquery, but we'll also talk about various popular commercial EDR products and give you best practices for collecting data from them. Lastly, we'll help you address any doubts about scale problems and licensing costs.Please bring your laptop! We will dive through the latest Boss of the SOC (BOTS) endpoint data and demonstrate the detection techniques needed to answer BOTS questions. Everything you learn will be something you can take home and put into production immediately. Speaker(s) James Brodsky, Director, Global Security Kittens, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2007.pdf?podcast=1577146268 Product: Splunk Enterprise, Splunk Business Flow, Splunk Data Fabric Search and Data Stream Processor Track: Security, Compliance and Fraud Level: Good for all skill levels

Initial compromises happen on your endpoints, so why are you not Splunking them? In this edition of Splunking The Endpoint, we will tell you exactly what to configure in Splunk, and where, why, and how to do so in order to get unparalleled visibility into threats targeting your network. Not only will we revisit popular operating system and open-source endpoint data sources like Sysmon and Osquery, but we'll also talk about various popular commercial EDR products and give you best practices for collecting data from them. Lastly, we'll help you address any doubts about scale problems and licensing costs.Please bring your laptop! We will dive through the latest Boss of the SOC (BOTS) endpoint data and demonstrate the detection techniques needed to answer BOTS questions. Everything you learn will be something you can take home and put into production immediately. Speaker(s) James Brodsky, Director, Global Security Kittens, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2007.pdf?podcast=1577146230 Product: Splunk Enterprise, Splunk Business Flow, Splunk Data Fabric Search and Data Stream Processor Track: Security, Compliance and Fraud Level: Good for all skill levels

Attackers are increasingly using a 'living off the land' approach, often using crypto mining malware, EternalBlue, timing, or other attacks that leverage the Windows Management Instrumentation Command Line. These attacks typically don't generate any events via conventional Sysmon and PowerShell, so even if you're pulling in those logs you likely won't see them. Join this session to learn how to detect and protect your organization from these advanced WMI-based attacks. Speaker(s) Ryan Becwar, Sales Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1550.pdf?podcast=1577146233 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Intermediate

Attackers are increasingly using a 'living off the land' approach, often using crypto mining malware, EternalBlue, timing, or other attacks that leverage the Windows Management Instrumentation Command Line. These attacks typically don't generate any events via conventional Sysmon and PowerShell, so even if you're pulling in those logs you likely won't see them. Join this session to learn how to detect and protect your organization from these advanced WMI-based attacks. Speaker(s) Ryan Becwar, Sales Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1550.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Intermediate

Initial compromises happen on your endpoints, so why are you not Splunking them? In this edition of Splunking The Endpoint, we will tell you exactly what to configure in Splunk, and where, why, and how to do so in order to get unparalleled visibility into threats targeting your network. Not only will we revisit popular operating system and open-source endpoint data sources like Sysmon and Osquery, but we'll also talk about various popular commercial EDR products and give you best practices for collecting data from them. Lastly, we'll help you address any doubts about scale problems and licensing costs.Please bring your laptop! We will dive through the latest Boss of the SOC (BOTS) endpoint data and demonstrate the detection techniques needed to answer BOTS questions. Everything you learn will be something you can take home and put into production immediately. Speaker(s) James Brodsky, Director, Global Security Kittens, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2007.pdf?podcast=1577146248 Product: Splunk Enterprise, Splunk Business Flow, Splunk Data Fabric Search and Data Stream Processor Track: Security, Compliance and Fraud Level: Good for all skill levels

Attackers are increasingly using a 'living off the land' approach, often using crypto mining malware, EternalBlue, timing, or other attacks that leverage the Windows Management Instrumentation Command Line. These attacks typically don't generate any events via conventional Sysmon and PowerShell, so even if you're pulling in those logs you likely won't see them. Join this session to learn how to detect and protect your organization from these advanced WMI-based attacks. Speaker(s) Ryan Becwar, Sales Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1550.pdf?podcast=1577146224 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Intermediate

Initial compromises happen on your endpoints, so why are you not Splunking them? In this edition of Splunking The Endpoint, we will tell you exactly what to configure in Splunk, and where, why, and how to do so in order to get unparalleled visibility into threats targeting your network. Not only will we revisit popular operating system and open-source endpoint data sources like Sysmon and Osquery, but we'll also talk about various popular commercial EDR products and give you best practices for collecting data from them. Lastly, we'll help you address any doubts about scale problems and licensing costs.Please bring your laptop! We will dive through the latest Boss of the SOC (BOTS) endpoint data and demonstrate the detection techniques needed to answer BOTS questions. Everything you learn will be something you can take home and put into production immediately. Speaker(s) James Brodsky, Director, Global Security Kittens, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2007.pdf?podcast=1577146225 Product: Splunk Enterprise, Splunk Business Flow, Splunk Data Fabric Search and Data Stream Processor Track: Security, Compliance and Fraud Level: Good for all skill levels

Initial compromises happen on your endpoints, so why are you not Splunking them? In this edition of Splunking The Endpoint, we will tell you exactly what to configure in Splunk, and where, why, and how to do so in order to get unparalleled visibility into threats targeting your network. Not only will we revisit popular operating system and open-source endpoint data sources like Sysmon and Osquery, but we'll also talk about various popular commercial EDR products and give you best practices for collecting data from them. Lastly, we'll help you address any doubts about scale problems and licensing costs.Please bring your laptop! We will dive through the latest Boss of the SOC (BOTS) endpoint data and demonstrate the detection techniques needed to answer BOTS questions. Everything you learn will be something you can take home and put into production immediately. Speaker(s) James Brodsky, Director, Global Security Kittens, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2007.pdf?podcast=1577146216 Product: Splunk Enterprise, Splunk Business Flow, Splunk Data Fabric Search and Data Stream Processor Track: Security, Compliance and Fraud Level: Good for all skill levels

This week, we welcome Peter Smith, Founder and CEO of Edgewise, to talk about Edgewise's 1 Click Micro Segmentation! In the second segment, we welcome back Corey Thuen, Co-Founder and CEO of Gravwell, to talk about security analytics using the new Sysmon DNS Logging that dropped this week! In the Security News, the rise of purple teaming, the World's largest beer brewer sets up a Cybersecurity team, a mystery signal shutting down key fobs in an Ohio neighborhood, why hackers ignore most security flaws, and warnings of real world-wide worm attacks are the real deal!   To get involved with Edgewise, visit: https://securityweekly.com/edgewise To get involved with Gravwell, visit: https://securityweekly.com/gravwell Full Show Notes: https://wiki.securityweekly.com/Episode608   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

We welcome back Corey Thuen, Founder and CEO of Gravwell, to talk about security analytics using the new Sysmon DNS logging that dropped this week! To get involved with Gravwell, visit: https://securityweekly.com/gravwell Full Show Notes: https://wiki.securityweekly.com/Episode608 Follow us on Twitter: https://www.twitter.com/securityweekly

This week, we welcome Peter Smith, Founder and CEO of Edgewise, to talk about Edgewise's 1 Click Micro Segmentation! In the second segment, we welcome back Corey Thuen, Founder and CEO of Gravwell, to talk about security analytics using the new Sysmon DNS Logging that dropped this week! In the Security News, the rise of purple teaming, the World's largest beer brewer sets up a Cybersecurity team, a mystery signal shutting down key fobs in an Ohio neighborhood, why hackers ignore most security flaws, and warnings of real world-wide worm attacks are the real deal!   To get involved with Edgewise, visit: https://securityweekly.com/edgewise To get involved with Gravwell, visit: https://securityweekly.com/gravwell Full Show Notes: https://wiki.securityweekly.com/Episode608   Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

We welcome back Corey Thuen, Founder and CEO of Gravwell, to talk about security analytics using the new Sysmon DNS logging that dropped this week! To get involved with Gravwell, visit: https://securityweekly.com/gravwell Full Show Notes: https://wiki.securityweekly.com/Episode608 Follow us on Twitter: https://www.twitter.com/securityweekly

Snap Patches Available https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing Finding Property Values in Office Documents https://isc.sans.edu/forums/diary/Finding+Property+Values+in+Office+Documents/24652/ Bro-Sysmon https://engineering.salesforce.com/test-out-bro-sysmon-a6fad1c8bb88 Cryptojacking Apps in Microsoft App Store https://www.symantec.com/blogs/threat-intelligence/cryptojacking-apps-microsoft-store

Snap Patches Available https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing Finding Property Values in Office Documents https://isc.sans.edu/forums/diary/Finding+Property+Values+in+Office+Documents/24652/ Bro-Sysmon https://engineering.salesforce.com/test-out-bro-sysmon-a6fad1c8bb88 Cryptojacking Apps in Microsoft App Store https://www.symantec.com/blogs/threat-intelligence/cryptojacking-apps-microsoft-store

Carlos Perez delivers the Technical Segment on How to Operate Offensively Against Sysmon. He talks about how SysMon allows him to create rules, and track specific types of tradecraft, around process creation and process termination. He dives into network connection, driver loading, image loading, creation of remote threats, and more! Full Show Notes: https://wiki.securityweekly.com/Episode577 Visit https://www.securityweekly.com/psw for all the latest episodes! 

Carlos Perez delivers the Technical Segment on How to Operate Offensively Against Sysmon. He talks about how SysMon allows him to create rules, and track specific types of tradecraft, around process creation and process termination. He dives into network connection, driver loading, image loading, creation of remote threats, and more! Full Show Notes: https://wiki.securityweekly.com/Episode577 Visit https://www.securityweekly.com/psw for all the latest episodes!