Threat Hunting via Sysmon - SANS Blue Team Summit

Speaker: Eric Conrad, CTO, Backshore Communications; Senior Instructor, Co-Author SEC511 and SEC542, Author MGT514, SANS Institute

Windows Sysinternal's Sysmon offers a wealth of information regarding processes running in a Windows environment (including malware). This talk will focus on leveraging Sysmon logs to to centrally hunt malice in a Windows environment. Virtually all malware may be detected via event logs, especially after enabling Sysmon logs.

Sysmon includes advanced capabilities, including logging the import hash (imphash) of each process, which fingerprints the names and order of DLLs loaded by a portable executable. This provides an excellent way of tracking families of related malware.
We will also discuss updates to DeepWhite: an open source detective application whitelisting framework that relies on Microsoft Sysinternal's Sysmon and supports auto-submission of imphashes, EXE, DLL and driver hashes via a free Virustotal Community API key.

SANS Summit schedule: http://www.sans.org/u/DuS

The Blue Team Summit features presentations and panel discussions covering actionable techniques, new tools, and innovative methods that help cyber defenders improve their ability to prevent and detect attacks.