Many SIEM installations use sysinternals sysmon as one of many data sources. Mark Russinovich (Microsoft Azure CTO, co-creator of sysinternals) released a video explaining some of the new features of Sysmon 11, which was released on 28th April.
A new useful feature is archiving a file, just before it is deleted. Some attackers delete their tools after gathering information. In order to understand their tools or even search for MD5 or imphashes, the sysmon 11 archiving function can be helpful.
(Source: https://www.youtube.com/watch?v=_MUP4tgdM7s)
Subscribe to:
Post Comments (Atom)
-
Mitres Att&ck framework writes about persistence TA0003 : " The adversary is trying to maintain their foothold. " There are m... -
You can either use the GUI of the FortiGate to list all certificates, or use the CLI. Either using the commands: Using the "get...
-
If you are running a Windows Server 2016, are using the integrated Windows Server Backup utility and you want to save the backup to a remote...
No comments:
Post a Comment