Deploying Sysmon through Group Policy (GPO) Preferences

In my previous post I explained how to leverage Group Policy Preferences to deploy and update the Sysmon configuration across the enterprise. I decided to write a script to automate the entire process. What do you need in order to run this script? A baseline computer with the following: Sysmon installed and a Sysmon XML configuration…

Update: Sysmon configuration file version 8

This new version, config_v8.xml, adds the latest event types from Sysmon: FileCreateStreamHash events, PipeEvent events and WmiEvent events. In addition, the XML was cleaned up and all event categories are now ordered by event number. Link to file: https://github.com/MotiBa/Sysmon/

Sysinternals Sysmon suspicious activity guide

The Sysmon tool from Sysinternals provides comprehensive monitoring of activity at the operating-system level. Sysmon runs in the background as a service and writes events to the event log; you can find them under the Microsoft-Windows-Sysmon/Operational event log. This guide will help you investigate and appropriately handle these events…
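As an added example (not a script from the original posts, and not the MotiBa config itself), the PowerShell below reads the Microsoft-Windows-Sysmon/Operational log and summarises the events by type. It defaults to the event IDs that correspond to the three categories the v8 configuration adds, FileCreateStreamHash (ID 15), PipeEvent (IDs 17 and 18) and WmiEvent (IDs 19, 20 and 21), and ends with two triage queries of the kind the suspicious activity guide calls for. The browser allow-list in the first triage query is an assumption for illustration; the event IDs and field names are the ones Sysmon documents.

```powershell
# Added example, not code from the original post: pull Sysmon events from
# Microsoft-Windows-Sysmon/Operational and summarise them by event type.
# Default IDs are the FileCreateStreamHash, PipeEvent and WmiEvent categories
# (15, 17/18, 19/20/21). Run from an elevated PowerShell session on a host
# where Sysmon is installed.

$SysmonEventNames = @{
    1  = 'ProcessCreate'
    3  = 'NetworkConnect'
    7  = 'ImageLoad'
    8  = 'CreateRemoteThread'
    10 = 'ProcessAccess'
    11 = 'FileCreate'
    15 = 'FileCreateStreamHash'
    17 = 'PipeEvent: pipe created'
    18 = 'PipeEvent: pipe connected'
    19 = 'WmiEvent: WmiEventFilter'
    20 = 'WmiEvent: WmiEventConsumer'
    21 = 'WmiEvent: WmiEventConsumerToFilter'
}

function Get-SysmonEvent {
    [CmdletBinding()]
    param(
        [int[]]$Id = @(15, 17, 18, 19, 20, 21),
        [datetime]$StartTime = (Get-Date).AddHours(-24),
        [int]$MaxEvents = 5000
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = $Id
        StartTime = $StartTime
    }
    # SilentlyContinue: Get-WinEvent throws when nothing matches the filter
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # The "target" differs per category: a file for ID 15, a named pipe
            # for 17/18, the WMI filter/consumer name for 19-21
            $target = $data['TargetFilename']
            if (-not $target) { $target = $data['PipeName'] }
            if (-not $target) { $target = $data['Name'] }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Name        = $SysmonEventNames[$_.Id]
                Computer    = $_.MachineName
                Image       = $data['Image']
                User        = $data['User']
                Target      = $target
                Data        = $data
            }
        }
}

function Get-SysmonSummary {
    param([object[]]$Events)
    $Events | Group-Object -Property Id | Sort-Object { [int]$_.Name } | ForEach-Object {
        [pscustomobject]@{
            Id    = [int]$_.Name
            Name  = $SysmonEventNames[[int]$_.Name]
            Count = $_.Count
        }
    }
}

# Usage: last 24 hours, counts per event type
$events = Get-SysmonEvent
Get-SysmonSummary -Events $events | Format-Table -AutoSize

# Triage 1: browsers legitimately write Zone.Identifier streams on download, so
# alternate data streams created by anything else deserve a look. The process
# names below are an assumed allow-list; adjust for your fleet.
$events |
    Where-Object { $_.Id -eq 15 -and $_.Image -notmatch 'chrome\.exe$|firefox\.exe$|msedge\.exe$' } |
    Select-Object TimeCreated, Computer, Image, Target |
    Format-Table -AutoSize

# Triage 2: WMI event subscriptions (IDs 19-21) are rare on workstations and a
# well-known persistence mechanism, so list every one with its operation and user
$events |
    Where-Object { $_.Id -ge 19 -and $_.Id -le 21 } |
    Select-Object TimeCreated, Computer, Name, User, Target, @{ n = 'Operation'; e = { $_.Data['Operation'] } } |
    Format-Table -AutoSize
```

Because the event IDs and the `Data` hashtable are kept on each object, the same `Get-SysmonEvent` output can be filtered for any other category from the guide (for example `-Id 1,3` for process creation and network connections) without re-parsing the log.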

Duck and cover or how AtomBombing is really unnecessarily alarmism

The so-called AtomBombing code injection technique discovered by Tal Liberman has been getting a lot of attention recently. Websites like The Hacker News describe the issue as: “no existing anti-malware tools can detect” and “…What’s worse? The company said all versions of Windows operating system, including Microsoft’s newest Windows 10, were affected. And what’s even worse? There…

Sysinternals Sysmon unleashed

Introduction

Warning: This post recommends Sysmon monitoring policy implementations that are not official Microsoft recommendations. Readers are encouraged to review and test all policy recommendations prior to their implementation in a production environment. Sysmon from Sysinternals is a very powerful host-level tracing tool, which can assist you in detecting advanced threats on your network. In…
