Advanced Windows Security Logging with Sysinternals Sysmon 15: Tracking and Blocking PE Executable Files

Webinar Registration

The Windows Security Log has hundreds of events, but newer attacks require new monitoring capabilities. For many years Mark Russinovich and Thomas Garnier have been plugging holes in Windows native security logging by adding new events to the Sysmon utility from Sysinternals. The most recent updates to Sysmon focus on:

  • monitoring the creation of new or tampering with existing PE (portable executable) files
  • file deletion and “shredding”

These are two areas you just can’t monitor well with the native auditing functionality of Windows. For one thing, native file auditing doesn’t recognize any difference between file types. In that part of Windows an Office document is no different from a PE (i.e. an EXE or DLL) – they are all just streams of bytes.

Quick note on why I’m using PE instead of EXE. Most PE files have an EXE or DLL extension, but that’s really just convention. You can hide executable files under another (or no) file extension. PE refers to the internal structure and format of a file that makes it a loadable EXE or DLL.

But being able to detect when new executables appear on your file system is so important today given the variety of techniques available to attackers. As just one example, an attacker may use a Word macro to download its larger malicious agent in the form of a PE, which it then sets up to run every time the system reboots. If we can monitor the creation of new PEs – especially by programs like Office that have no business creating them – we can disrupt attacks.

In fact, Sysmon now takes you beyond detection and actually allows you to block the creation of PE files based on criteria such as the current process name and the target directory.
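As an added illustration (not a configuration from the webinar or from Sysinternals), the fragment below pairs the two ideas above in one Sysmon configuration: report every PE written anywhere under a user profile (event 29, FileExecutableDetected), and block PE creation outright when the writing process is Word (event 27, FileBlockExecutable). The schema version, the process name WINWORD.EXE and the C:\Users\ path are assumptions chosen for the example; adjust them to your own environment and verify with `sysmon -s` which schema your installed build expects.

```xml
<!-- Added example, not the page's or Sysinternals' own config.
     schemaversion is assumed; confirm it against `sysmon -s` on the host. -->
<Sysmon schemaversion="4.90">
  <EventFiltering>

    <!-- Event 29: passive detection. Log any new PE written under a user profile,
         whoever wrote it. "begin with" / "end with" are built-in Sysmon conditions. -->
    <RuleGroup name="" groupRelation="or">
      <FileExecutableDetected onmatch="include">
        <TargetFilename name="PE_in_user_profile" condition="begin with">C:\Users\</TargetFilename>
      </FileExecutableDetected>
    </RuleGroup>

    <!-- Event 27: active blocking. Both conditions must hold (groupRelation="and"):
         the writing image is WINWORD.EXE (assumed path suffix) AND the target lies
         under C:\Users\. Sysmon then deletes the file and logs event 27. -->
    <RuleGroup name="" groupRelation="or">
      <FileBlockExecutable onmatch="include">
        <Rule name="Word_drops_PE" groupRelation="and">
          <Image condition="end with">\WINWORD.EXE</Image>
          <TargetFilename condition="begin with">C:\Users\</TargetFilename>
        </Rule>
      </FileBlockExecutable>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
```

Load it with `sysmon -c <file>` on a test host first and confirm you see event 29 for a normal installer run and event 27 only for the Word case before deploying the blocking rule more widely.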

In this real training for free session, we will dive into the latest event IDs generated by Sysmon:

  • 25 - ProcessTampering
  • 26 - FileDeleteDetected
  • 27 - FileBlockExecutable
  • 28 - FileBlockShredding
  • 29 - FileExecutableDetected

And I’ll show you other new features in Sysmon including:

  • a change from device driver to protected process for added protection against adversaries
  • beyond passive detection: new active blocking ability in Sysmon

This real training for free event is sponsored by LOGbinder’s Supercharger, which allows you to centrally manage native Windows Event Collection as a SIEM-independent logging pipeline without the burden of agents.

This will be a technical, real training for free session so don’t miss it! Register now!

