(wow, has it really been more than 3 years!?)
So I finally decided to write another post about some stuff that happened in the meantime...
For the past few years I have been more active on Twitter (@c_APT_ure) and also presenting at conferences and collaborating in closed / trusted groups.
My most recent area of interest has been increasing endpoint visibility using Sysinternals Sysmon and sending logs into Splunk for incident detection and threat hunting.
My first presentation was in December 2016 at BotConf:
"Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)"
In 2017 I gave an updated version on the same topic at the FIRST annual conference.
In April 2018 at FIRST TC Amsterdam, I gave an updated version of the FIRST 2017 talk.
Slides: FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf (Github / raw | D/L)
At BotConf 2018, I presented again on using Sysmon and Splunk, but also including Powershell Logging and MITRE ATT&CK as well.
"Hunting and Detecting APTs using Sysmon and PowerShell Logging"
Video: (was recorded and will be published soon)
CERT-EU annual conf 2019 presentation about "Practical Threat Hunting"
Slides: [github / raw | D/L]
"DESKTOP-Group" – Tracking a Persistent Threat Group (using Email Headers)
Slides should be published soon. (Tweet)
Most presentation slides should also be available on my Github page.
There are many good resources for further reading that I can suggest.
- Sysmon - DFIR (Mike Haag / @MHaggis)
- ThreatHunter-Playbook (Roberto Rodriguez / @Cyb3rWard0g)
- SIGMA rules for Sysmon (Florian Roth / @cyb3rops)
- Operational Look at Sysinternals Sysmon 6.20 Update
- Technet Blog: Sysinternals Sysmon suspicious activity guide
The list of resources may get updated every so often...
(last updated: 2017-12-07)