Deploying Sysmon through Group Policy (GPO) Preferences

In my previous post I explained how to leverage Group Policy Preferences to deploy and update the Sysmon configuration across the enterprise. I decided to write a script to automate the entire process. What do you need in order to run this script? A baseline computer with the following: Sysmon installed and a Sysmon XML configuration…


Update: Sysmon configuration file version 8

This new version of config_v8.xml adds the latest event types from Sysmon: FileCreateStreamHash events, PipeEvent events and WmiEvent events. In addition, the XML was cleaned up and all event categories are now ordered by event number. Link to file:


Sysinternals Sysmon suspicious activity guide

Sysinternals Sysmon provides comprehensive monitoring of activity at the operating-system level. It runs in the background all the time and writes events to the event log; you can find the Sysmon events in the Microsoft-Windows-Sysmon/Operational event log. This guide will help you investigate and appropriately handle these events…
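As an added example (not code from the original posts), here is a PowerShell snippet that reads the Microsoft-Windows-Sysmon/Operational log mentioned above, counts events per Sysmon event ID, and pulls out the event types the v8 configuration adds (FileCreateStreamHash, PipeEvent and WmiEvent). It assumes Sysmon is installed on the host, that the session is elevated (the operational log is readable by administrators), and that the event ID to name mapping below matches the Sysmon release the configuration targets; the mapping is an assumption, not something the posts state.

```powershell
# Added example, not part of the original post. Summarise the Sysmon
# operational log by event ID and list the event types enabled by the v8
# configuration. Assumes Sysmon is installed and the session is elevated.

# Event ID to name map (assumed for the Sysmon releases current at the time);
# the names mirror the <EventFiltering> element names in the config schema.
$SysmonEventNames = @{
    1  = 'ProcessCreate'
    2  = 'FileCreateTime'
    3  = 'NetworkConnect'
    5  = 'ProcessTerminate'
    6  = 'DriverLoad'
    7  = 'ImageLoad'
    8  = 'CreateRemoteThread'
    9  = 'RawAccessRead'
    10 = 'ProcessAccess'
    11 = 'FileCreate'
    12 = 'RegistryEvent (Object create and delete)'
    13 = 'RegistryEvent (Value Set)'
    14 = 'RegistryEvent (Key and Value Rename)'
    15 = 'FileCreateStreamHash'
    17 = 'PipeEvent (Pipe Created)'
    18 = 'PipeEvent (Pipe Connected)'
    19 = 'WmiEvent (WmiEventFilter activity detected)'
    20 = 'WmiEvent (WmiEventConsumer activity detected)'
    21 = 'WmiEvent (WmiEventConsumerToFilter activity detected)'
}

# Read Sysmon events newer than $Since from the operational log.
# Get-WinEvent reports "no events found" as a non-terminating error, so it
# is silenced here and an empty result simply means nothing matched.
function Get-SysmonEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        StartTime = $Since
    } -ErrorAction SilentlyContinue
}

# Flatten one event's EventData into a hashtable keyed by field name
# (Image, TargetFilename, Hash, PipeName, ...), which is far easier to
# filter on than the rendered message text.
function ConvertTo-SysmonRecord {
    param(
        [Parameter(ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event
    )
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time = $Event.TimeCreated
            Id   = $Event.Id
            Name = $SysmonEventNames[[int]$Event.Id]
            Data = $data
        }
    }
}

# Count events per ID: shows which categories a configuration actually
# produces on a host and makes a noisy rule obvious at a glance.
function Get-SysmonEventSummary {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-SysmonEvents -Since $Since | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            Id    = [int]$_.Name
            Name  = $SysmonEventNames[[int]$_.Name]
            Count = $_.Count
        }
    } | Sort-Object Count -Descending
}

# Only the v8 additions: alternate data streams written to disk (15),
# named pipes (17/18) and WMI filter/consumer activity (19-21). The Target
# column picks whichever name field the event class carries.
function Get-SysmonV8Events {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-SysmonEvents -Since $Since |
        Where-Object { $_.Id -in 15, 17, 18, 19, 20, 21 } |
        ConvertTo-SysmonRecord |
        Select-Object Time, Id, Name,
            @{ n = 'Image';  e = { $_.Data['Image'] } },
            @{ n = 'Target'; e = {
                ($_.Data['TargetFilename'], $_.Data['PipeName'], $_.Data['Name']) -ne $null |
                    Select-Object -First 1 } }
}

# Usage:
Get-SysmonEventSummary | Format-Table -AutoSize
Get-SysmonV8Events -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

Run the summary first after rolling out a new configuration: an event ID that is missing from the output means the corresponding rule group is not firing (or not present in the config), and an ID with a very high count is usually a rule that needs an exclusion before it drowns the rest of the log.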


Quickpost: Encrypting Azure Virtual Machine using BitLocker

Here are the steps required to encrypt the disk of an Azure virtual machine. This is a very high-level overview of the process, and I do recommend reading the full guide: Open the Azure portal and navigate to the virtual machine (Windows Server 2008 R2 and above) you want to encrypt, and then…


Chasing Adversaries with Autoruns – evading techniques and countermeasures

Abstract: Sysinternals Autoruns is a great utility for defenders to discover and disable malware and adversaries' persistence points. There are similar programs, but as the author of Autoruns says, "(Autoruns) has the most comprehensive knowledge of auto-starting locations", so the focus here is on Autoruns. In the last few weeks a couple of security researchers (Kyle…


Securing remote connections

Consider the following scenario: a standard user was tricked into running malicious code and their device was compromised. Typically, standard users do not have high privileges, so the next thing the attackers want is to get their hands on privileged accounts. How? By deleting an important file required by Office, or by slowing down…


Locking up Your BitLocker

Hello. Today I want to talk about securing your BitLocker-enabled devices against a common attack vector: Direct Memory Access (DMA) and side-channel attacks. BitLocker quick overview: first, a little primer on how BitLocker works is in order. The Trusted Platform Module (TPM) is a hardware security device that stores a master key, the Storage Root Key (SRK), and…