For those who attended my TechUG presentation – thank you. Below you will find links to the presentation along with the reference documents and URLs that will assist with further reading. If you did not attend, please be mindful that the slides were talking points: additional aspects were discussed on the day, and this material does not include the live demos of the various tools.
My presentation
Sysinternals Download Links
Troubleshooting with the Windows Sysinternals Tools (book, Second Edition, October 2016)
Process Explorer (ProcExp) – Digitally Signed Malware References
- Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI
- Issued for Abuse: Measuring the Underground Trade in Code Signing Certificate
- https://www.theregister.co.uk/2018/03/12/susicious_digital_cetificate_sales
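The references above make the point that a valid Authenticode signature is not a guarantee of benign code: both papers document malware signed with legitimately issued certificates. As an added example (not part of the presentation or the Sysinternals tooling), the following PowerShell reproduces what Process Explorer's "Verify Image Signatures" option does for every running process, using only built-in cmdlets, and then separates the unsigned or broken images from the validly signed ones so that unfamiliar signers can still be reviewed. It assumes an elevated Windows PowerShell 5.1 session; the allowlist pattern for the signer subject is an assumption to adjust for your own estate.

```powershell
# Added example, not from the presentation: emulate Process Explorer's
# "Verify Image Signatures" for every running process with built-in cmdlets.
# Assumes an elevated Windows PowerShell 5.1 session on Windows 10 or later.
# Protected or system processes whose image path cannot be read are reported as 'Unknown'.

$results = foreach ($p in Get-Process) {
    # Reading the image path can fail for protected processes; treat that as unknown.
    $path = try { $p.Path } catch { $null }
    if (-not $path) {
        [pscustomobject]@{ Name = $p.Name; PID = $p.Id; Status = 'Unknown'; Signer = ''; Path = '' }
        continue
    }

    # Get-AuthenticodeSignature calls WinVerifyTrust, the same check Process Explorer performs.
    # Status values include Valid, NotSigned, HashMismatch, NotTrusted and UnknownError.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Name   = $p.Name
        PID    = $p.Id
        Status = $sig.Status
        Signer = $signer
        Path   = $path
    }
}

# 1. Anything that is not 'Valid' deserves a look first.
$results | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name | Format-Table Name, PID, Status, Path -AutoSize

# 2. A 'Valid' status is not a clean bill of health (see the code-signing papers above),
#    so also surface validly signed images whose signer is outside your expected publishers.
#    The Microsoft-only pattern below is an assumption; extend it with the vendors you actually run.
$expectedSigners = 'O=Microsoft Corporation'
$results | Where-Object { $_.Status -eq 'Valid' -and $_.Signer -notmatch $expectedSigners } |
    Sort-Object Signer, Name | Format-Table Name, PID, Signer, Path -AutoSize
```

Two caveats when comparing the output with Process Explorer: a signature can still be presented as Valid after the certificate has been revoked if revocation checking cannot reach the CA online, and on older hosts catalog-signed Windows binaries may be reported as NotSigned by this cmdlet even though Process Explorer verifies them against the catalog. Neither case should be read as a verdict on its own; pivot to Sysmon process-creation and image-load events for the same binaries before drawing conclusions.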
Sysmon
Base Template (SwiftOnSecurity)
Mark Russinovich Sysmon Presentation
Useful Sysmon Posts
- https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed/
- https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmon-suspicious-activity-guide/
- https://cqureacademy.com/blog/server-monitoring/sysmon
- https://cqureacademy.com/blog/server-monitoring/sysmon-configuration-file
Windows Event Forwarding
- https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/
- https://channel9.msdn.com/Events/Ignite/Australia-2015/INF327
- https://docs.microsoft.com/en-gb/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
- https://social.technet.microsoft.com/wiki/contents/articles/33895.windows-event-forwarding.aspx