Testlab
Endpoint Detection and Response tools
Windows core
Introduction
What?
Why?
How?
smss.exe
Normal
Unusual
Resources
csrss.exe
Normal
Unusual
Resources
wininit.exe
Normal
Unusual
services.exe
Normal
Unusual
Resources
svchost.exe
Normal
Unusual
Resources
lsass.exe
Normal
Unusual
Resources
winlogon.exe
Normal
Unusual
Resources
explorer.exe
Normal
Unusual
Windows Sysinternals
Introduction
What?
Why?
How?
File and disk utilities
Sigcheck
Streams
Question
SDelete
Networking utilities
TCPView
Question
Process utilities
Autoruns
Questions
ProcDump
Process Explorer
Process Monitor
PsExec
Security utilities
Sysmon
System information
WinObj
Miscellaneous
BgInfo
RegJump
Strings
Question
Windows event logs
Introduction
What?
Why?
How?
Event logs
Elements
Using the GUI method
Using wevtutil.exe
Using Get-WinEvent
Resources
XPath queries
Resources
Scenarios
Scenario 1
Scenario 2
Scenario 3
Scenario 4
Resources
Sysmon
Introduction
What?
Why?
How?
Event IDs
Event ID 1: Process Creation
Event ID 3: Network Connection
Event ID 7: Image Loaded
Event ID 8: CreateRemoteThread
Event ID 11: File Created
Event ID 12/13/14: Registry Event
Event ID 15: FileCreateStreamHash
Event ID 22: DNS Event
Starting Sysmon
Resources
Cutting out the noise
Best Practices
Filtering events with Event Viewer
Filtering events with PowerShell
Questions
Hunting metasploit
Network Connections config
Metasploit payload dropped
Hunting for Open Ports with PowerShell
Resources
Detecting mimikatz
Mimikatz file creation config
Abnormal LSASS behaviour config
Obfuscated version of mimikatz dumping credentials
Detecting LSASS behaviour with PowerShell
Resources
Hunting malware
RATs and C2 servers config
RAT being dropped on server
Hunting for common back connect ports with PowerShell
Resources
Hunting persistence
Startup persistence config
Malicious EXE into the Startup folder
Registry Key Persistence config
Modified registry
Resources
Detecting evasion techniques
Alternate Data Streams config
Files hiding in ADS
Remote Threads config
Process hollowing notepad.exe
Detecting evasion techniques with PowerShell
Resources
Practical investigations
ugh, BILL THAT’S THE WRONG USB!
Questions
This isn’t an HTML file?
Questions
Where’s the bouncer when you need him
Questions
Mom look! I built a botnet!
Questions
Osquery basics
Introduction
What?
Why?
How?
Osquery shell
Schemas
Display Mode
Resources
Schema documentation
Resources
Creating queries
Exploring installed programs
Count
WHERE clause
Matching wildcard rules
Joining tables
Example use