Wednesday, December 6, 2017

Is this blog still alive?

Is this blog still alive? That's a valid question since I haven't blogged for quite some time. 
(wow, has it really been more than 3 years!?)
So I finally decided to write another post about some stuff that happened in the meantime...

For the past few years I have been more active on Twitter (@c_APT_ure) and also presenting at conferences and collaborating in closed / trusted groups.

My most recent area of interest has been increasing endpoint visibility using Sysinternals Sysmon and sending logs into Splunk for incident detection and threat hunting.

My first presentation was in December 2016 at BotConf:

"Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)"


In 2017 I gave an updated version on the same topic at the FIRST annual conference.


In April 2018 at FIRST TC Amsterdam, I gave an updated version of the FIRST 2017 talk.

Slides: FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf (Github / raw | D/L)

At BotConf 2018, I presented again on using Sysmon and Splunk, this time also including PowerShell Logging and MITRE ATT&CK.
"Hunting and Detecting APTs using Sysmon and PowerShell Logging"

Slides: 2018-Tom-Ueltschi-Sysmon.pdf
Video: (was recorded and will be published soon)

CERT-EU annual conf 2019 presentation about "Practical Threat Hunting"
Slides: [github / raw | D/L]

BotConf 2019
"DESKTOP-Group" – Tracking a Persistent Threat Group (using Email Headers)
Slides should be published soon.

For anything related to "DESKTOP-Group", please see my later post:

Most presentation slides should also be available on my GitHub page.
There are many good resources for further reading that I can suggest.

The list of resources may get updated every so often...

(last updated: 2022-01-26)
