Security Onion Conference - 2015

Sysmon & Security Onion
#SOCAugusta
@DefensiveDepth

Roadmap
• Why?
• Sysmon
• Detection Techniques

Sysmon
- Sysinternals tool (released 8/14, current v3.1)
- Installed as a Windows service; logs:
  - Process creation with full command line
  - Parent process with full command line
  - Hash of process image file (SHA1 + more)
  - Network connections, tied to process
  - Loaded drivers & DLLs (signatures & hashes)
  - File creation time
  + More!

Sysmon - Deployment
sysmon.exe -i -accepteula

Sysmon – Filtering

Sysmon – Collection & Parsing

Detection
Real-Time Alerting: OSSEC + SGUIL/ELSA
Historical/Investigation: ELSA

Detection: Process Abnormalities
- Image Location: svchost.exe → System32/SysWOW64
- Run As: svchost.exe → Local System, Network Service, Local Service
- Parent Process: svchost.exe → services.exe
- How many instances? svchost.exe → 5+
- Other: svchost.exe -k “param”

Detection: Process Abnormalities
Poweliks
• Image: dllhost.exe
• Command Line: none
• ParentImage: Powershell.exe

• Command Line: /Processid:{}
• ParentImage: svchost.exe
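As an added example (not code from the talk), the svchost.exe baseline and the Poweliks dllhost.exe indicators above written as checks over Sysmon process-create records. The field names follow Sysmon's Event ID 1 schema (Image, CommandLine, ParentImage, User); the event records, account names and the GUID are constructed.

```python
"""Sysmon Event ID 1 (process create) checks mirroring the slides' svchost.exe
baseline and the Poweliks dllhost.exe indicators. Added example, not the talk's
code; the events at the bottom are constructed."""
import ntpath

SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SVCHOST_USERS = {r"nt authority\system", r"nt authority\network service",
                 r"nt authority\local service"}

def check_event(ev):
    """Return a list of findings for one process-create event."""
    image = ev.get("Image", "")
    name = ntpath.basename(image).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    args = ev.get("CommandLine", "").lower().split()[1:]   # drop argv[0]
    findings = []
    if name == "svchost.exe":
        if ntpath.dirname(image).lower() not in SVCHOST_DIRS:
            findings.append("svchost.exe outside System32/SysWOW64")
        if ev.get("User", "").lower() not in SVCHOST_USERS:
            findings.append("svchost.exe not run as System/Network/Local Service")
        if parent != "services.exe":
            findings.append("svchost.exe parent is not services.exe")
        if "-k" not in args:
            findings.append("svchost.exe started without -k <group>")
    elif name == "dllhost.exe":
        # Poweliks pattern from the slide: no /Processid argument and a PowerShell
        # parent, versus the normal /Processid:{GUID} launch under svchost.exe.
        if not any(a.startswith("/processid:") for a in args):
            findings.append("dllhost.exe without /Processid (Poweliks-like)")
        if parent == "powershell.exe":
            findings.append("dllhost.exe spawned by powershell.exe (Poweliks-like)")
    return findings

def scan(events):
    """Map ProcessId -> findings for every event that tripped a rule."""
    return {ev["ProcessId"]: f for ev in events if (f := check_event(ev))}

EVENTS = [  # constructed records; the GUID is a placeholder
    {"ProcessId": 812, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 4120, "Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"LAB\bob"},
    {"ProcessId": 2210, "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"LAB\bob"},
    {"ProcessId": 3308, "Image": r"C:\Windows\SysWOW64\dllhost.exe",
     "CommandLine": r"C:\Windows\SysWOW64\dllhost.exe",
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "User": r"LAB\bob"},
]
```

Running scan(EVENTS) flags only the Temp-directory svchost.exe and the PowerShell-spawned dllhost.exe; the two baseline records produce no findings.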
Detection: Abnormal Application Usage
- cmd.exe, powershell.exe, at.exe
- Context specific!

Detection: Suspicious Application Usage

Detection: Hash Lookups
- OSSEC CDB list lookup
- IOCs
- Sysinternals PsExec (context specific!)
- 2011 – 2014 hashes

Detection: Network Connections
- Certain apps that should never initiate connections?
- Processes initiating connections on 80/443?
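Added example, not the talk's code, covering the Hash Lookups and Network Connections slides: a CDB-style SHA1 lookup on Sysmon process-create (Event ID 1) records and the two network-connection questions above as rules over Event ID 3 records. The never-connect and expected-browser lists, the hash value and the events are constructed assumptions, not values from the talk.

```python
"""Sysmon network-connection (Event ID 3) checks and a CDB-style SHA1 lookup on
process-create (Event ID 1) events, mirroring the two detection slides. Added
example, not the talk's code; the lists and events are constructed."""
import ntpath

NEVER_CONNECT = {"notepad.exe", "calc.exe", "at.exe"}         # assumed policy
EXPECTED_WEB = {"chrome.exe", "firefox.exe", "iexplore.exe"}  # assumed policy
WEB_PORTS = {80, 443}
# Stand-in for an OSSEC CDB list keyed by SHA1; the value is a placeholder, not a real hash.
KNOWN_BAD_SHA1 = {"0" * 39 + "1": "psexec-2011-placeholder"}

def parse_hashes(field):
    """Split Sysmon's 'SHA1=...,MD5=...' Hashes field into {ALGO: hexdigest}."""
    out = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if value:
            out[algo.strip().upper()] = value.strip().lower()
    return out

def check_network(ev):
    """Findings for one outbound network-connection event."""
    if not ev.get("Initiated", True):   # bool here; Sysmon logs "true"/"false"
        return []
    name = ntpath.basename(ev.get("Image", "")).lower()
    port = int(ev.get("DestinationPort", 0))
    findings = []
    if name in NEVER_CONNECT:
        findings.append(f"{name} should never initiate connections")
    if port in WEB_PORTS and name not in EXPECTED_WEB:
        findings.append(f"{name} initiated a connection on port {port}")
    return findings

def check_hash(ev):
    """Look up the image SHA1 of a process-create event in the bad-hash list."""
    label = KNOWN_BAD_SHA1.get(parse_hashes(ev.get("Hashes", "")).get("SHA1"))
    return [f"hash match: {label}"] if label else []

def scan(events):
    """Route each event by EventID; map ProcessId -> findings for rule hits."""
    return {ev["ProcessId"]: f for ev in events
            if (f := check_network(ev) if ev["EventID"] == 3 else check_hash(ev))}

EVENTS = [  # constructed records
    {"EventID": 3, "ProcessId": 1530, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationPort": 443, "Initiated": True},
    {"EventID": 3, "ProcessId": 2940, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationPort": 443, "Initiated": True},
    {"EventID": 3, "ProcessId": 3011, "Image": r"C:\Users\bob\Downloads\update.exe",
     "DestinationPort": 80, "Initiated": True},
    {"EventID": 1, "ProcessId": 4402, "Image": r"C:\Tools\PsExec.exe",
     "Hashes": "SHA1=" + "0" * 39 + "1" + ",MD5=" + "0" * 32},
]
```

In an OSSEC deployment the KNOWN_BAD_SHA1 dict corresponds to a CDB list and the two name sets to rule-level lists; the logic is the same, only the storage differs.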
Detection: Process Injection

Detection: Loaded Drivers

Running in Production
- Plan & filter events
- Event forwarding - finicky
- Visibility!

Future Work
- Rulesets (Sysmon + OSSEC)
  - Process abnormalities
  - Abnormal applications
  - Network connections
  - Process injections outside of norm
  - Loading drivers outside of norm

Sysmon & Security Onion
Questions or Comments?
Josh@DefensiveDepth.com
@DefensiveDepth