(wow, has it really been more than 3 years!?)
So I finally decided to write another post about some stuff that happened in the meantime...
For the past few years I have been more active on Twitter (@c_APT_ure) and also presenting at conferences and collaborating in closed / trusted groups.
My most recent area of interest has been increasing endpoint visibility using Sysinternals Sysmon and sending logs into Splunk for incident detection and threat hunting.
My first presentation was in December 2016 at BotConf:
"Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)"
Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR12-Sysmon-UELTSCHI.pdf
Video: https://www.youtube.com/watch?v=vv_VXntQTpE
In 2017 I gave an updated version on the same topic at the FIRST annual conference.
Slides: https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
In April 2018 at FIRST TC Amsterdam, I gave an updated version of the FIRST 2017 talk.
Slides: FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf (Github / raw | D/L)
At BotConf 2018, I presented again on using Sysmon and Splunk, this time also covering PowerShell logging and MITRE ATT&CK.
"Hunting and Detecting APTs using Sysmon and PowerShell Logging"
Slides: 2018-Tom-Ueltschi-Sysmon.pdf
Video: (was recorded and will be published soon)
At the CERT-EU annual conference 2019 I presented on "Practical Threat Hunting".
Slides: [github / raw | D/L]
BotConf 2019
"DESKTOP-Group" – Tracking a Persistent Threat Group (using Email Headers)
Slides should be published soon. (Tweet)
For anything related to "DESKTOP-Group", please see my later post:
http://c-apt-ure.blogspot.com/2022/01/who-is-desktop-group.html
Most presentation slides should also be available on my Github page.
There are many good resources for further reading that I can suggest.
- Sysmon - DFIR (Mike Haag / @MHaggis)
- ThreatHunter-Playbook (Roberto Rodriguez / @Cyb3rWard0g)
- SIGMA rules for Sysmon (Florian Roth / @cyb3rops)
- Operational Look at Sysinternals Sysmon 6.20 Update
- Technet Blog: Sysinternals Sysmon suspicious activity guide
The list of resources may get updated every so often...
(last updated: 2022-01-26)