DefensiveDepth, profile picture
Uploaded byDefensiveDepth
PPTX, PDF26,201 views

Security Onion Conference - 2015

Sysmon is a Windows system service and tool that monitors process creation and other system events. It provides visibility into process activity through logging process command lines, parent processes, file and network activity. The summary discusses how to deploy Sysmon, collect its logs, and analyze the logs for detections related to abnormal processes, applications, network connections, process injections and loaded drivers. It concludes with discussing rulesets for detections and future work.

Embed presentation

Downloaded 164 times
#SOCAugusta @DefensiveDepth Sysmon & Security Onion
• Why? • Sysmon • Detection Techniques Roadmap
-Sysinternal’s Tool (released 8/14, current v3.1) -Installed as a Windows Service, logs: -Process creation with full command line -Parent Process with full command line -Hash of process image file (SHA1 + more) -Network Connections, tied to process -Loaded Drivers & DLLs (sigs & hashes) -File Creation Time +More! Sysmon
Sysmon
sysmon.exe –i -acceptuela Sysmon - Deployment
Sysmon – Filtering
Sysmon – Collection & Parsing
Real-Time Alerting: OSSEC + SGUIL/ELSA Historical/Investigation: ELSA Detection
-Image Location svchost.exe  System32/syswow64 -Run As svchost.exe  Local System, Network Service, Local Service -Parent Process svchost.exe  Services.exe -How many instances? svchost.exe  5+ -Other svchost.exe  -k “param” Detection: Process Abnormalities
Poweliks • Image: dllhost.exe • Command Line: none • ParentImage: Powershell.exe • Command Line: /Processid:{} • ParentImage: svchost.exe Detection: Process Abnormalities
-cmd.exe, powershell.exe, at.exe -Context Specific! Detection: Abnormal Application Usage
Detection: Abnormal Application Usage
Detection: Suspicious Application Usage
-OSSEC CDB List Lookup -IOCs -Sysinternal’s PsExec (Context Specific!) -2011 – 2014 Hashes Detection: Hash Lookups
-Certain apps that should never initiate connections? -Processes initiating connections on 80/443? Detection: Network Connections
Detection: Process Injection
Detection: Loaded Drivers
-Plan & Filter Events -Event Forwarding - Finicky Visibility! Running in Production
-Rulesets (Sysmon + OSSEC) -Process Abnormalities -Abnormal Applications -Network Connections -Process Injections outside of norm -Loading Drivers outside of norm Future Work
Questions or Comments? Josh@DefensiveDepth.com @DefensiveDepth Sysmon & Security Onion

More Related Content

PPTX
Intro to NSM with Security Onion - AusCERT
byAshley Deuble
 
PPTX
Security Onion
byjohndegruyter
 
PPTX
Security Onion - Brief
byAshley Deuble
 
PDF
Suricata
bytex_morgan
 
PPTX
Security Onion Conference - 2016
byDefensiveDepth
 
PPTX
Black Hat 2015 Arsenal: Noriben Malware Analysis
byBrian Baskin
 
PPTX
Security onion
byKaustubh Padwad
 
PDF
Security Onion: Watching for Leeks
byKory Kyzar
 
Intro to NSM with Security Onion - AusCERT
byAshley Deuble
 
Security Onion
byjohndegruyter
 
Security Onion - Brief
byAshley Deuble
 
Suricata
bytex_morgan
 
Security Onion Conference - 2016
byDefensiveDepth
 
Black Hat 2015 Arsenal: Noriben Malware Analysis
byBrian Baskin
 
Security onion
byKaustubh Padwad
 
Security Onion: Watching for Leeks
byKory Kyzar
 

What's hot

PDF
Security Onion - Introduction
byn|u - The Open Security Community
 
PDF
Security Onion: peeling back the layers of your network in minutes
bybsidesaugusta
 
PDF
Database Firewall with Snort
byNarudom Roongsiriwong, CISSP
 
PPT
Backtrack os 5
byAyush Goyal
 
PPTX
Backtrack
byn|u - The Open Security Community
 
PPTX
Backtrack
byOne97 Communications Limited
 
PPTX
BackTrack5 - Linux
bymariuszantal
 
PDF
Nessus v6 command_line_reference
byCraig Cannon
 
PDF
Defensive information warfare on open platforms
byBen Tullis
 
PDF
Suricata: A Decade Under the Influence (of packet sniffing)
byJason Williams
 
ODP
Introduction To Linux Security
byMichael Boman
 
PDF
IX 2020 - Internet Security & Mitigation of Risk Webinar: Linux Malware and D...
byAPNIC
 
PPT
Security tools
byGreater Noida Institute Of Technology
 
PPT
Linux Security
bynayakslideshare
 
PDF
Présentation et démo ELK/SIEM/Wazuh
byclevernetsystemsgeneva
 
ODP
Acid
byMichael Boman
 
PPTX
Hacker bootcamp
byGregory Hanis
 
PDF
Hardening Linux and introducing Securix Linux
bySecurity Session
 
ODP
SoHo Honeypot (LUGS)
byMichael Boman
 
PPTX
Telehack: May the Command Line Live Forever
byGregory Hanis
 
Security Onion - Introduction
byn|u - The Open Security Community
 
Security Onion: peeling back the layers of your network in minutes
bybsidesaugusta
 
Database Firewall with Snort
byNarudom Roongsiriwong, CISSP
 
Backtrack os 5
byAyush Goyal
 
Backtrack
byn|u - The Open Security Community
 
Backtrack
byOne97 Communications Limited
 
BackTrack5 - Linux
bymariuszantal
 
Nessus v6 command_line_reference
byCraig Cannon
 
Defensive information warfare on open platforms
byBen Tullis
 
Suricata: A Decade Under the Influence (of packet sniffing)
byJason Williams
 
Introduction To Linux Security
byMichael Boman
 
IX 2020 - Internet Security & Mitigation of Risk Webinar: Linux Malware and D...
byAPNIC
 
Security tools
byGreater Noida Institute Of Technology
 
Linux Security
bynayakslideshare
 
Présentation et démo ELK/SIEM/Wazuh
byclevernetsystemsgeneva
 
Acid
byMichael Boman
 
Hacker bootcamp
byGregory Hanis
 
Hardening Linux and introducing Securix Linux
bySecurity Session
 
SoHo Honeypot (LUGS)
byMichael Boman
 
Telehack: May the Command Line Live Forever
byGregory Hanis
 

Viewers also liked

PPTX
Security Operation Center - Design & Build
bySameer Paradia
 
PPTX
Security Operations Center (SOC) Essentials for the SME
byAlienVault
 
PPTX
2014 Security Onion Conference
byDefensiveDepth
 
PDF
RSA Anatomy of an Attack
byintegritysolutions
 
PDF
Blackhat Workshop
bywremes
 
PDF
Workshop ssh (OSSEC)
byAkram Rekik
 
PDF
Windows Firewall & Its Configuration
bySoban Ahmad
 
PPTX
Securing Hadoop with OSSEC
byVic Hargrave
 
PPTX
Ossec – host based intrusion detection system
byHai Dinh Tuan
 
PPTX
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
byClaus Cramon Houmann
 
PPTX
IDS+Honeypots Making Security Simple
byGregory Hanis
 
PDF
Security Onion
byn|u - The Open Security Community
 
PPTX
Managing Your Security Logs with Elasticsearch
byVic Hargrave
 
PDF
Aws security with HIDS, OSSEC
byMayank Gaikwad
 
PDF
Open Source IDS Tools: A Beginner's Guide
byAlienVault
 
PPTX
Improve Threat Detection with OSSEC and AlienVault USM
byAlienVault
 
PDF
DEF CON 23 - NSM 101 for ICS
byChris Sistrunk
 
PPTX
Malware Detection with OSSEC HIDS - OSSECCON 2014
bySantiago Bassett
 
PPTX
Advanced OSSEC Training: Integration Strategies for Open Source Security
byAlienVault
 
PPTX
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
bySantiago Bassett
 
Security Operation Center - Design & Build
bySameer Paradia
 
Security Operations Center (SOC) Essentials for the SME
byAlienVault
 
2014 Security Onion Conference
byDefensiveDepth
 
RSA Anatomy of an Attack
byintegritysolutions
 
Blackhat Workshop
bywremes
 
Workshop ssh (OSSEC)
byAkram Rekik
 
Windows Firewall & Its Configuration
bySoban Ahmad
 
Securing Hadoop with OSSEC
byVic Hargrave
 
Ossec – host based intrusion detection system
byHai Dinh Tuan
 
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
byClaus Cramon Houmann
 
IDS+Honeypots Making Security Simple
byGregory Hanis
 
Security Onion
byn|u - The Open Security Community
 
Managing Your Security Logs with Elasticsearch
byVic Hargrave
 
Aws security with HIDS, OSSEC
byMayank Gaikwad
 
Open Source IDS Tools: A Beginner's Guide
byAlienVault
 
Improve Threat Detection with OSSEC and AlienVault USM
byAlienVault
 
DEF CON 23 - NSM 101 for ICS
byChris Sistrunk
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
bySantiago Bassett
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
byAlienVault
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
bySantiago Bassett
 

Similar to Security Onion Conference - 2015

PPTX
Anomalies Detection: Windows OS - Part 1
byRhydham Joshi
 
PPTX
Anomalies Detection: Windows OS - Part 1
byRhydham Joshi
 
PPT
Intrusion Discovery on Windows
bydkaya
 
PDF
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
byNoNameCon
 
PDF
Olha Pasko - Hunting fileless malware [workshop]
byNoNameCon
 
PDF
Hunting fileless malware
byOlha Pasko
 
PDF
Malware hunting with the sysinternals tools
byAli Asad Sahu
 
PPTX
Living off the land and fileless attack techniques
bySymantec Security Response
 
PDF
2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
bykhalil511890
 
PDF
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
byMITRE - ATT&CKcon
 
PPTX
Windows Live Forensics 101
byArpan Raval
 
PPTX
An Introduction to Sysinternals
byRiyaz Walikar
 
PPTX
Threat Hunting with Splunk
bySplunk
 
PPTX
Threat Hunting with Splunk
bySplunk
 
PPTX
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
byEPAM Systems
 
PPTX
Hands on Security - Disrupting the Kill Chain Breakout Session
bySplunk
 
PDF
Sysinternals utilities : a brief introduction to
byAkshay koshti
 
PPT
Anton Chuvakin on Discovering That Your Linux Box is Hacked
byAnton Chuvakin
 
PPTX
Splunk for Security Workshop
bySplunk
 
PPTX
Hands-On Security Breakout Session- Disrupting the Kill Chain
bySplunk
 
Anomalies Detection: Windows OS - Part 1
byRhydham Joshi
 
Anomalies Detection: Windows OS - Part 1
byRhydham Joshi
 
Intrusion Discovery on Windows
bydkaya
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
byNoNameCon
 
Olha Pasko - Hunting fileless malware [workshop]
byNoNameCon
 
Hunting fileless malware
byOlha Pasko
 
Malware hunting with the sysinternals tools
byAli Asad Sahu
 
Living off the land and fileless attack techniques
bySymantec Security Response
 
2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
bykhalil511890
 
MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, ...
byMITRE - ATT&CKcon
 
Windows Live Forensics 101
byArpan Raval
 
An Introduction to Sysinternals
byRiyaz Walikar
 
Threat Hunting with Splunk
bySplunk
 
Threat Hunting with Splunk
bySplunk
 
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
byEPAM Systems
 
Hands on Security - Disrupting the Kill Chain Breakout Session
bySplunk
 
Sysinternals utilities : a brief introduction to
byAkshay koshti
 
Anton Chuvakin on Discovering That Your Linux Box is Hacked
byAnton Chuvakin
 
Splunk for Security Workshop
bySplunk
 
Hands-On Security Breakout Session- Disrupting the Kill Chain
bySplunk
 

Recently uploaded

PDF
apidays Australia 2025 | User Brainpower vs. AI Blind Spots in API Docs
byapidays
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PDF
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
PDF
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
PPTX
CRM for the Insurance Industry Lessons for Insurance CIOs and Digital Leaders...
byKerry Millar
 
PPTX
AI and Digital Transformation Solutions.
byBuildingblocks
 
PDF
CISO_2027_Playbook: Sovereign AI Resilience & Quantum-Proof Identity
bySaraDavis91
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PDF
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
PDF
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
PDF
Router-DHCP-Printer-SharingRouter-DHCP-Printer-Sharing
byarbendi2160
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
PDF
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
PDF
Introduction to Linux and Basic Commands
byiDev Semarang
 
PDF
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
PPTX
6G and Non-Terrestrial Networks (NTN) Testing.pptx
byXRComm
 
PDF
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
PDF
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
apidays Australia 2025 | User Brainpower vs. AI Blind Spots in API Docs
byapidays
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
CRM for the Insurance Industry Lessons for Insurance CIOs and Digital Leaders...
byKerry Millar
 
AI and Digital Transformation Solutions.
byBuildingblocks
 
CISO_2027_Playbook: Sovereign AI Resilience & Quantum-Proof Identity
bySaraDavis91
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
Agentic AI Roadmap 2026: Mastering Autonomous AI Workflows and Systems
byAeafat Ahmed Mubin
 
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
Router-DHCP-Printer-SharingRouter-DHCP-Printer-Sharing
byarbendi2160
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Deploying Windows Clients & Managing Identities
byVICTOR MAESTRE RAMIREZ
 
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
Introduction to Linux and Basic Commands
byiDev Semarang
 
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
6G and Non-Terrestrial Networks (NTN) Testing.pptx
byXRComm
 
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 

Security Onion Conference - 2015