Logo

Testlab

  • Endpoint Detection and Response tools

Windows core

  • Introduction
    • What?
    • Why?
    • How?
  • smss.exe
    • Normal
    • Unusual
    • Resources
  • csrss.exe
    • Normal
    • Unusual
    • Resources
  • wininit.exe
    • Normal
    • Unusual
  • services.exe
    • Normal
    • Unusual
    • Resources
  • svchost.exe
    • Normal
    • Unusual
    • Resources
  • lsass.exe
    • Normal
    • Unusual
    • Resources
  • winlogon.exe
    • Normal
    • Unusual
    • Resources
  • explorer.exe
    • Normal
    • Unusual

Windows sysinternals

  • Introduction
    • What?
    • Why?
    • How?
  • File and disk utilities
    • Sigcheck
    • Streams
      • Question
    • SDelete
  • Networking utilities
    • TCPView
      • Question
  • Process utilities
    • Autoruns
      • Questions
    • ProcDump
    • Process Explorer
    • Process Monitor
    • PsExec
  • Security utilities
    • Sysmon
  • System information
    • WinObj
  • Miscellaneous
    • BgInfo
    • RegJump
    • Strings
      • Question

Windows event logs

  • Introduction
    • What?
    • Why?
    • How?
  • Event logs
    • Elements
    • Using the GUI method
    • Using Wevtutil.exe
    • Using Get-WinEvent
    • Resources
  • XPath queries
    • Resources
  • Scenarios
    • Scenario 1
    • Scenario 2
    • Scenario 3
    • Scenario 4
    • Resources

Sysmon

  • Introduction
    • What?
    • Why?
    • How?
  • Event IDs
    • Event ID 1: Process Creation
    • Event ID 3: Network Connection
    • Event ID 7: Image Loaded
    • Event ID 8: CreateRemoteThread
    • Event ID 11: File Created
    • Event ID 12/13/14: Registry Event
    • Event ID 15: FileCreateStreamHash
    • Event ID 22: DNS Event
    • Starting Sysmon
    • Resources
  • Cutting out the noise
    • Best Practices
    • Filtering events with Event Viewer
    • Filtering events with PowerShell
      • Questions
  • Hunting metasploit
    • Network Connections config
    • Metasploit payload dropped
    • Hunting for Open Ports with PowerShell
    • Resources
  • Detecting mimikatz
    • Mimikatz file creation config
    • Abnormal LSASS behaviour config
    • Obfuscated version of mimikatz dumping credentials
    • Detecting LSASS Behavior with PowerShell
    • Resources
  • Hunting malware
    • Rats and C2 Servers config
    • RAT being dropped on server
    • Hunting for common back connect ports with PowerShell
    • Resources
  • Hunting persistence
    • Startup persistence config
    • Malicious EXE into the Startup folder
    • Registry Key Persistence config
    • Modified registry
    • Resources
  • Detecting evasion techniques
    • Alternate Data Streams config
    • Files hiding in ADS
    • Remote Threads config
    • Process hollowing notepad.exe
    • Detecting evasion techniques with PowerShell
    • Resources
  • Practical investigations
    • ugh, BILL THAT’S THE WRONG USB!
      • Questions
    • This isn’t an HTML file?
      • Questions
    • Where’s the bouncer when you need him
      • Questions
    • Mom look! I built a botnet!
      • Questions

Osquery basics

  • Introduction
    • What?
    • Why?
    • How?
  • Osquery shell
    • Schemas
    • Display Mode
    • Resources
  • Schema documentation
    • Resources
  • Creating queries
    • Exploring installed programs
    • Count
    • WHERE clause
    • Matching wildcard rules
    • Joining tables
    • Example use
Endpoint detection and response (EDR)
  • Ty Myrddin Home
  • Unseen University
  • Improbability Blog
  • About
  • Contact

Endpoint detection and response (EDR)

Configure and use tooling to detect suspicious activity.

Forever in progress ...

Testlab

  • Endpoint Detection and Response tools

Windows core

  • Introduction
  • smss.exe
  • csrss.exe
  • wininit.exe
  • services.exe
  • svchost.exe
  • lsass.exe
  • winlogon.exe
  • explorer.exe

Windows sysinternals

  • Introduction
  • File and disk utilities
  • Networking utilities
  • Process utilities
  • Security utilities
  • System information
  • Miscellaneous

Windows event logs

  • Introduction
  • Event logs
  • XPath queries
  • Scenarios

Sysmon

  • Introduction
  • Event IDs
  • Cutting out the noise
  • Hunting metasploit
  • Detecting mimikatz
  • Hunting malware
  • Hunting persistence
  • Detecting evasion techniques
  • Practical investigations

Osquery basics

  • Introduction
  • Osquery shell
  • Schema documentation
  • Creating queries
Next
Unseen University, 2024, with a forest garden fostered by /ut7.