Hunting

Errata Security - How to track that annoying pop-up

My take - Rob at Errata Sec did a concise job of showing how to use sysmon to track down a weird pop-up. This one came from an MS Office update. He uses the @SwiftonSecurity sysmon-config that I posted about recently. From the article: “How to track that annoying pop-up In a recent update to their Office suite on Windows, Microsoft made a mistake where every hour, for a fraction of a second, a black window pops up on the screen.

SwiftonSecurity - sysmon-config

My take - @SwiftonSecurity released a config file for sysmon to help cut through the clutter. There is a steep learning curve with sysmon, so I wouldn’t recommend blindly applying this, but it definitely is a good starting point. I’ve also included a link below to Lennart Koopmann’s take on the config, which explains it a little more. From the article: “sysmon-config | A Sysmon configuration file for everybody to fork. This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing.

Mark Russinovich - Tracking Hackers on Your Network with Sysinternals Sysmon

My take - @MarkRussinovich did a very good presentation at RSAC covering the use of Sysmon to hunt hackers on your network. From the article: “Windows Forensic Monitoring Limitations - When attackers or malware get on your network, you need to construct a timeline:
What was the entry point?
Did it spread between systems?
What happened on a particular system?
Built-in Windows tooling makes it hard to answer these questions:
Limited information captured for process creates and DLL loading
Network connection information simultaneously too limited and verbose
No way to capture common attacker behavior (e.