Sysmon Swimming Lessons for SOC folk and Hunt teams. AKA How not to drown in the deep end of the Windows internals enterprise ocean.

Sysinternals System Monitor (Sysmon) seems to be the silver bullet the cybersecurity community has been waiting for in Windows environments. It is "free". It gives an almost forensic view of a host through log analysis. It finally cuts down on the damn number of Windows log types you have to correlate! The reality is what it often is in security: disappointing, fantastic, and complicated. Sysmon can be bypassed, modified, and even just turned off; however, doing so looks weird, because Sysmon logs its own service and configuration changes and the silence that follows is itself a signal. Sysmon may be free, but the manpower for tuning and analysis, and the overhead of building and maintaining the systems that handle those logs, can be expensive. There are a lot of briefs and talks, but there isn't a lot of hands-on training. The new-found forensic-like visibility highlights how weird a given environment truly is, and not everyone in a SOC has a background in Windows OS forensics and can read the tea leaves.
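The "it looks weird" point is concrete enough to check. The following PowerShell is an added example, not code from the original post: it pulls Sysmon's own tamper-relevant events (Event ID 4, service state changed; Event ID 16, configuration changed) from the `Microsoft-Windows-Sysmon/Operational` channel, confirms the service and minifilter driver are present, and flags a log that has gone quiet. It assumes a default-named Sysmon install (service `Sysmon`/`Sysmon64`, driver `SysmonDrv`); a renamed install changes those names. Run it elevated on the host being checked.

```powershell
# Added example: look for Sysmon being stopped, reconfigured, or unloaded.
# Assumes default Sysmon service/driver names; adjust if your deployment renames them.

$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# 1. Is the Sysmon service present and running?
Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# Sysmon's minifilter driver is named SysmonDrv by default; fltMC needs admin.
$drv = fltMC.exe filters 2>$null | Select-String -Pattern 'SysmonDrv'
if (-not $drv) { Write-Warning 'Sysmon minifilter driver not loaded (or renamed).' }

# 2. Sysmon logs its own state changes. ID 4 = service state changed
#    (started/stopped); ID 16 = configuration changed (names the new config and
#    its hash). Either one outside a maintenance window deserves a look.
$tamperEvents = Get-WinEvent -FilterHashtable @{
    LogName   = $SysmonLog
    Id        = 4, 16
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$tamperEvents |
    Select-Object TimeCreated, Id, Message |
    Sort-Object TimeCreated -Descending |
    Format-Table -Wrap

# 3. Silence is a signal too. On a busy host, the newest Sysmon event should be
#    recent; a multi-hour gap suggests the service or driver was stopped in a way
#    that never produced an ID 4 (e.g. driver unloaded, log cleared, boot-time change).
$latest = Get-WinEvent -LogName $SysmonLog -MaxEvents 1 -ErrorAction SilentlyContinue
if ($latest) {
    $age = (Get-Date) - $latest.TimeCreated
    if ($age.TotalHours -gt 1) {
        Write-Warning ("No Sysmon events for {0:N1} hours; verify the service and driver." -f $age.TotalHours)
    }
} else {
    Write-Warning "No events in $SysmonLog at all; Sysmon may not be installed or the log was cleared."
}
```

The one-hour silence threshold is a placeholder; tune it per host class, since a powered-down laptop will trip it legitimately while a domain controller never should. For fleet-wide coverage, ship IDs 4 and 16 to the SIEM and alert on them rather than polling hosts.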
The best way that I and many others can describe analyzing Sysmon logs is jumping into the middle of the ocean. This training is meant to help someone keep their sanity while doing Sysmon analysis. It is focused primarily on hunt team personnel and those fighting the good fight in a CERT/SOC.
So grab your rubber ducky and arm floaties.