Using New Events in Sysmon v13 to Detect Sophisticated Attacks

Webinar Registration

Mark Russinovich of Microsoft Sysinternals continues to actively update Sysmon. Sysmon goes above and beyond the Windows Security Log in the areas where deeper telemetry is needed to detect sophisticated attacks.

Sysmon provides deeper logging on:

  • The code running on your endpoints
  • Network connections
  • Interaction between processes
  • Registry access
  • File system tampering
  • WMIEvent* object activity
  • DNS queries
  • Clipboard

In this webinar I will provide an introduction to Sysmon and then focus on its latest event IDs. First, we’ll cover Sysmon:

  • Installation
  • Configuration
  • Areas of system activity covered

Then we’ll zero in on new Event IDs added since my last update on Sysmon. These include:

  • 22: DNSEvent (DNS query; added in Sysmon 10)
  • 23: FileDelete (a file delete was detected and the file archived; added in Sysmon 11)
  • 24: ClipboardChange (new content in the clipboard; added in Sysmon 12)
  • 25: ProcessTampering (process image change, e.g. hollowing or herpaderping; added in Sysmon 13)
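The installation, configuration and event-collection steps above, as an added example that is not part of the webinar or of Sysinternals' own material: a PowerShell script that writes a minimal Sysmon configuration enabling Event IDs 22 to 25, installs Sysmon with it (or updates the configuration if the service already exists), and reads those four events back out of the Microsoft-Windows-Sysmon/Operational channel with the EventData fields flattened. It assumes Sysmon64.exe is in the working directory, an elevated session, and schemaversion 4.50 (the v13 schema; print yours with Sysmon64.exe -s and adjust). The exclusion rules are placeholders to tune for your environment, and the ATT&CK mapping in the script is the editor's, not the presenter's.

```powershell
# Added example (not from the webinar): enable Sysmon Event IDs 22-25 and read them back.
# Assumptions: Sysmon64.exe in $PWD, elevated session, schema 4.50 (Sysmon v13).

$configPath = Join-Path $PWD 'sysmon-v13-new-events.xml'

@'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <!-- 22 DnsQuery: "exclude" with a rule logs everything except the matches -->
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.microsoft.com</QueryName>
      </DnsQuery>
    </RuleGroup>
    <!-- 23 FileDelete: "include" logs only the matches; the deleted file is
         copied to the archive directory (C:\Sysmon by default) -->
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
        <TargetFilename condition="end with">.dll</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
      </FileDelete>
    </RuleGroup>
    <!-- 24 ClipboardChange and 25 ProcessTampering: empty "exclude" = log all -->
    <RuleGroup name="" groupRelation="or">
      <ClipboardChange onmatch="exclude" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessTampering onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding UTF8

# Fresh install needs -accepteula -i; an existing service takes the new config with -c.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & .\Sysmon64.exe -c $configPath
} else {
    & .\Sysmon64.exe -accepteula -i $configPath
}

# Editor's ATT&CK mapping for the four events (assumption; adjust to your own analysis).
$attack = @{
    22 = 'T1071.004 Application Layer Protocol: DNS'
    23 = 'T1070.004 Indicator Removal: File Deletion'
    24 = 'T1115 Clipboard Data'
    25 = 'T1055.012 Process Injection: Process Hollowing'
}

# Pull IDs 22-25 from the Sysmon channel and flatten each event's EventData
# into a hashtable so the interesting field can be picked per event ID.
function Get-SysmonNewEvent {
    param([int]$MaxEvents = 50)

    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = 22, 23, 24, 25
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Field that carries the detection value differs per event type.
        $detail = switch ($evt.Id) {
            22 { $data['QueryName'] }                          # domain looked up
            23 { $data['TargetFilename'] }                     # file that was deleted
            24 { "clipboard changed in session $($data['Session'])" }
            25 { $data['Type'] }                               # e.g. "Image is replaced"
        }

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Id        = $evt.Id
            Technique = $attack[$evt.Id]
            Image     = $data['Image']
            Detail    = $detail
        }
    }
}

Get-SysmonNewEvent | Format-Table -AutoSize
```

Run it once, then generate some noise (an nslookup, delete a copied .exe, copy text to the clipboard) and run Get-SysmonNewEvent again to see each ID appear with its Image and Detail; FileDelete's archived copies land in the archive directory, which is the place to look when the deleted file itself is the artifact you need.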

We are adding examples of all these events to the Security Log Encyclopedia right now.

You can usually trace any new feature Mark adds to Sysmon to techniques used by the bad guys and I’ll help you see how these new events correspond to specific techniques in MITRE ATT&CK.

Join us for this real training for free session!
