Extending Your Incident Response Capabilities with Sysmon

Tools (716AB) October 2, 2018 3:55 pm - 4:55 pm Feedback     

Bookmark and Share

Peter Morin

This presentation will introduce attendees to the free Sysinternals tool, Sysmon. Are you an incident responder? SOC analyst? Does your job require you to work with Windows event logs? Do you need to reconstruct attacker timelines?

  • We will look at the Sysmon tool and compare its outputs to standard EVT logs
  • Look at how Sysmon can be used to understand the effects of malware infections – the infection point, whether or not it has spread, and the effects on the infected system
  • Sysmon command line usage, understanding its events and configuration options including the use of configuration files
  • We will look at a number of use cases where Sysmon can improve your detection and IR capabilities