"Microsoft Sysmon now detects executable file creation": BLEEPINGCOMPUTER
"Microsoft has released Sysmon 15, turning it into a protected process and adding a new "FileExecutableDetected" option that logs when executable files are created."
#prattohome #microsoft #windows #sysmon #update
Humbled by the overwhelming response to my latest blog series, "So you want to be a SOC analyst?"
I had a lot of fun building this hands-on lab guide to help folks get some practical experience with tools like #Sliver, #Sysmon, and @limacharlieio EDR.
Part 1 - Set up a small virtualization environment (2 small VMs)
Part 2 - Put on your adversary hat, it's time to make (and observe) some noise
Part 3 - Emulating an adversary for crafting detections
for any other @limacharlieio nerds out there, example D&R rule for deploying sysmon to windows systems 🌈
this assumes you have already uploaded 2 payloads to the org--the sysmon exe and the xml config file
https://gist.github.com/shortstack/185de7071cc29a0907f96f51cacf7c32
#sysmon #sysinternals #limacharlie
Need help getting started with #sysmon?
Check out our Youtube video at:
https://www.youtube.com/watch?v=Xz-7oDrZdQY
Not yet visible on the Sysinternals website, but #Microsoft has released some new versions of its tools, including #sysmon, which I am currently working with every day.
RT @securityonion@twitter.com
ICYMI last week we released #SecurityOnion 2.3.200!
It's a great way to collect, visualize, and hunt through the #Sysmon logs in your environment!
As always, thanks to @markrussinovich@twitter.com and team for #Sysmon!
#infosec
#infosecurity
#cybersecurity
#ThreatHunting
#DFIR https://twitter.com/securityonion/status/1615380508703178752
🐦🔗: https://twitter.com/securityonion/status/1617625514356928513
#securityonion #sysmon #infosec #infosecurity #cybersecurity #threathunting #dfir
Mental note to my future self: when you are fiddling with several versions of #Sysmon, do NOT rename the binary to tell the versions apart, because Windows will create a service with the binary's name, and then uninstalling will drive me/you/all of us crazy! 🤪
RT @securityonion@twitter.com
#SecurityOnion 2.3.200 now available including Sysmon Improvements, Dashboard Updates, and Elastic 8.5.3!
https://blog.securityonion.net/2023/01/security-onion-23200-now-available.html
Thanks to @markrussinovich@twitter.com and team for #Sysmon!
🐦🔗: https://twitter.com/securityonion/status/1615380508703178752
#SecurityOnion 2.3.200 now available including #Sysmon Improvements, Dashboard Updates, and Elastic 8.5.3!
https://blog.securityonion.net/2023/01/security-onion-23200-now-available.html
We often use Sysmon to log system activity on Windows, but what if we are using Linux?
You can use:
1. SysmonForLinux: https://github.com/Sysinternals/SysmonForLinux
2. auditd: https://linux.die.net/man/8/auditd
Unfortunately, SysmonForLinux is still limited to a few events and it cannot log all activities, such as DNSEvent (Event ID 22).
Let me know what you're using for Linux.
#sysmon #sysmonforlinux #cybersecurity
Logging without adequately configured data sources is possible, but pointless!
(Quote: Loriot ... or something like that 😉)
Since I am currently making some corresponding adjustments to our #Windows servers, here is a pointer to an extremely useful script from #hayabusa for setting up Windows event logs so that #threathunting, or simply server monitoring, really makes sense:
#sysmon #dfir #infosec #threathunting #hayabusa #windows
OK, I want to share something for #Blueteamers about the "#chatgpt" or "#Youdotcom" #ai websites: how good/helpful they are for you and how you can use them to make your own #defensive tools (very fast). But, as always as a #developer, you will have your own #bugs, so you need to work hard on these things. I will create an article about this, but in this post I will show you, with very basic steps, that you can make your own C# or C++ tools for [Remote thread injection Detection]. As you can see in "you.com", my search was for monitoring the #sysmon event log [#realtime] via C# for the two EIDs 8 and 25 (but you need process creation/network connection event IDs too), and our search result had two codes which both have the same result. So now with #csharp you can detect these events (kind of real-time). You also need a memory scanner; my simple search result was something like this pic, but I did not test that (to be sure whether it is working or not). I had my own #memoryscanner tools and C# codes ;D, ...
Note: sometimes these codes on these AI platforms, which were made by others, are better than your own old codes, so you can replace them (for example, for the memory scanner I will test this simple code, which seems better and faster than some parts of my own code ;D, but it should be tested in my LAB to be sure..)
And finally you can see my own Blue-teaming "SysPM2Mon2.7.exe" tool (the background of the code was something like the steps in these pictures, but my memory scanner is "Pe-sieve.exe" + my own C# code for a memory scanner; I had 2 memory scanners in this tool ;D)
So as you can see, as a #Pentester and #SecurityResearcher I made my own Blue-teaming tools (#opensource, which are available on my GitHub), so you can do the same things with your own IDEA, but now with these #ai websites, "Chatgpt", "YOU.COM", ..., you can make them faster and much better...
I will create an article about this, but I am working on my things and research for my new ebook, plus some code for the ebook, so I am very busy to make an article now, but I will create it ;)
#blueteam #redteam #pentesting #securityresearch #defensive #ai #chatgpt #youdotcom
#blueteamers #chatgpt #youdotcom #ai #defensive #developer #bugs #sysmon #realtime #csharp #memoryscanner #pentester #securityresearcher #opensource #blueteam #redteam #pentesting #securityresearch
What do y'all think about a #C2 detection series including #SecurityOnion and #Velociraptor, illustrating the complements and differences of host- and network-based detection and response?
#BruteRatel
#CobaltStrike
#DFIR
#ESM
#Havoc
#Infosec
#NSM
#Sliver
#Sysmon
#c2 #securityonion #velociraptor #bruteratel #cobaltstrike #dfir #esm #havoc #infosec #nsm #sliver #sysmon
RT @malmoeb
If an attacker runs #Bloodhound without the parameter "ZipFileName", the default results file is named "<timestamp>_BloodHound.zip". Defenders can use #Sysmon to monitor file creation events to detect potential attackers on the network.
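Two of the posts above describe Sysmon-based detections: watching the event log for CreateRemoteThread (EID 8) and ProcessTampering (EID 25), and watching FileCreate (EID 11) for BloodHound's default "<timestamp>_BloodHound.zip" output. The following is an added example (not code from either poster) that runs both rules over a constructed set of Sysmon events; the 14-digit yyyyMMddHHmmss timestamp form is our assumption, since the post only says "<timestamp>".

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Sysmon's event XML (abridged, namespace
# omitted so plain ElementTree paths work); this is not real telemetry.
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>11</EventID></System><EventData>
<Data Name="Image">C:\\Users\\u\\SharpHound.exe</Data>
<Data Name="TargetFilename">C:\\Users\\u\\20230115112233_BloodHound.zip</Data>
</EventData></Event>
<Event><System><EventID>11</EventID></System><EventData>
<Data Name="Image">C:\\Windows\\explorer.exe</Data>
<Data Name="TargetFilename">C:\\Users\\u\\notes.txt</Data>
</EventData></Event>
<Event><System><EventID>8</EventID></System><EventData>
<Data Name="SourceImage">C:\\Users\\u\\loader.exe</Data>
<Data Name="TargetImage">C:\\Windows\\explorer.exe</Data>
</EventData></Event>
</Events>"""

# Assumption: the default collector output is <yyyyMMddHHmmss>_BloodHound.zip;
# the post only says "<timestamp>", so the 14-digit form is ours.
BLOODHOUND_ZIP = re.compile(r"(?:^|\\)\d{14}_BloodHound\.zip$", re.IGNORECASE)

def parse_events(xml_text):
    """Yield (event_id, {field: value}) for every Sysmon event in the XML."""
    for ev in ET.fromstring(xml_text).iter("Event"):
        eid = int(ev.findtext("System/EventID"))
        data = {d.get("Name"): (d.text or "") for d in ev.iter("Data")}
        yield eid, data

def detect(xml_text):
    """Return one alert string per event that matches a rule."""
    alerts = []
    for eid, d in parse_events(xml_text):
        if eid == 11 and BLOODHOUND_ZIP.search(d.get("TargetFilename", "")):
            # FileCreate with the collector's default output name
            alerts.append(f"bloodhound_zip image={d.get('Image')} file={d['TargetFilename']}")
        elif eid == 8:
            # CreateRemoteThread: one process starting a thread in another
            alerts.append(f"remote_thread source={d.get('SourceImage')} target={d.get('TargetImage')}")
        elif eid == 25:
            # ProcessTampering as reported by Sysmon (Type names the technique)
            alerts.append(f"process_tampering image={d.get('Image')} type={d.get('Type')}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the same rules would run over events pulled from the Microsoft-Windows-Sysmon/Operational channel rather than an inline string; the benign notes.txt FileCreate is included so the filename rule has a negative case.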
I still have not found the answer to this and it would be great use to so many if there is an answer.
What is the Event ID for when a Volume Shadow Copy gets deleted? I know #Sysmon can show you this, but is there anything else? #DFIR #DigitalForensics #SOC #SIEM #BlueTeam #malware
#sysmon #dfir #digitalforensics #soc #siem #blueteam #malware
Updated our sysmon-config template to System Monitor (Sysmon) v14.13 and schema v4.82:
#sysmon #sysinternals #microsoft
SysmonEoP, Proof of Concept for arbitrary file delete/write in Sysmon. #sysmon
You may not have noticed, but a couple of days ago a PoC came out for the #Sysmon privilege-escalation vulnerability: https://github.com/Wh04m1001/SysmonEoP The vulnerability affects the clipboard capture capability (1/n)