(wow, has it really been more than 3 years!?)
So I finally decided to write another post about some stuff that happened in the meantime...
For the past few years I have been more active on Twitter (@c_APT_ure) and also presenting at conferences and collaborating in closed / trusted groups.
My most recent area of interest has been increasing endpoint visibility using Sysinternals Sysmon and sending logs into Splunk for incident detection and threat hunting.
My first presentation was a year ago at BotConf 2016:
"Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)"
This year I gave an updated version on the same topic at the FIRST annual conference.
There are many good resources for further reading; here are some I can suggest:
- Sysmon - DFIR (Mike Haag / @MHaggis)
- ThreatHunter-Playbook (Roberto Rodriguez / @Cyb3rWard0g)
- SIGMA rules for Sysmon (Florian Roth / @cyb3rops)
- Operational Look at Sysinternals Sysmon 6.20 Update
- Technet Blog: Sysinternals Sysmon suspicious activity guide
The list of resources may get updated every so often...
(last updated: 2017-12-07)