WEBVTT

0:00:04.860000 --> 0:00:07.320000
 Sysmon Essentials for
 Incident Responders.

0:00:07.320000 --> 0:00:11.320000
 So in this video, we're going to be
 getting an introduction to Sysmon,

0:00:11.320000 --> 0:00:14.140000
 what it is, what it's used
 for, how it works.

0:00:14.140000 --> 0:00:20.340000
 And then we'll take a look at a practical
 example of how to deploy Sysmon.

0:00:20.340000 --> 0:00:24.260000
 And we'll see it in action in terms
 of the information it provides us.

0:00:24.260000 --> 0:00:28.840000
 So, or the enhanced or enriched information
 it provides us about what's

0:00:28.840000 --> 0:00:30.860000
 going on in a system.

0:00:30.860000 --> 0:00:32.300000
 So what is Sysmon?

0:00:32.300000 --> 0:00:33.560000
 That's the big question, right?

0:00:33.560000 --> 0:00:38.200000
 So Sysmon, which is short for System
 Monitor, is a free, lightweight

0:00:38.200000 --> 0:00:41.480000
 tool from the Microsoft Sysinternals
 suite of tools.

0:00:41.480000 --> 0:00:45.900000
 So you're probably, if you've worked with
 Windows for a while, you probably

0:00:45.900000 --> 0:00:48.840000
 know what the Sysinternals
 suite of tools is.

0:00:48.840000 --> 0:00:50.420000
 Sysmon is part of that, right?

0:00:50.420000 --> 0:00:56.280000
 So that's what the name means,
 and where it comes from.

0:00:56.280000 --> 0:01:02.440000
 But what is it? Well, Sysmon is a system
 monitoring tool that runs in

0:01:02.440000 --> 0:01:05.280000
 the background as a Windows
 service, okay?

0:01:05.280000 --> 0:01:11.000000
 And once installed and configured, it
 logs various system events to the

0:01:11.000000 --> 0:01:17.460000
 Windows event log under Applications and
 Services Logs, Microsoft, Windows,

0:01:17.460000 --> 0:01:19.820000
 Sysmon, Operational, okay?

0:01:19.820000 --> 0:01:21.880000
 So how does Sysmon work?

0:01:21.880000 --> 0:01:26.080000
 Well, you know, the kernel driver hooks
 key system calls, think of, you

0:01:26.080000 --> 0:01:30.120000
 know, process creation, network connections,
 file writes, registry,

0:01:30.120000 --> 0:01:33.420000
 registry keys being set or
 modified, et cetera.

0:01:33.420000 --> 0:01:37.900000
 And the user-mode service formats the
 captured data, calculates the SHA-256

0:01:37.900000 --> 0:01:42.720000
 hashes automatically for you, which
 is great, and appends optional

0:01:42.720000 --> 0:01:45.540000
 geolocation or image metadata.

0:01:45.540000 --> 0:01:47.440000
 Events are published as numbered records.


0:01:47.440000 --> 0:01:50.940000
 So event IDs, these are completely
 different from the standard Windows

0:01:50.940000 --> 0:01:57.040000
 event IDs. So you have event IDs 1,
 3, 11 to 26 that can be filtered by

0:01:57.040000 --> 0:01:58.640000
 an XML configuration.

0:01:58.640000 --> 0:02:03.660000
 So think of, you know, custom Sysmon
 configuration to either include or

0:02:03.660000 --> 0:02:07.660000
 exclude noise. So that's why whenever
 you, if you have heard or used Sysmon

0:02:07.660000 --> 0:02:10.700000
 before, that's why you typically
 use a configuration file.

0:02:10.700000 --> 0:02:15.940000
 And configuration files can be configured
 to be as, you know, as fine-tuned

0:02:15.940000 --> 0:02:20.700000
 as possible or based
 on your requirements.

0:02:20.700000 --> 0:02:27.040000
 So what exactly you want Sysmon to,
 you know, be logging, and you know,

0:02:27.040000 --> 0:02:30.660000
 you can leave it with the defaults,
 but you can fine-tune it as well.

0:02:30.660000 --> 0:02:36.740000
 Now, because Sysmon writes into the standard
 Windows event log framework,

0:02:36.740000 --> 0:02:42.920000
 the data can be forwarded by WEF, Winlogbeat,
 Splunk UF, or any SIEM agent

0:02:42.920000 --> 0:02:46.980000
 without extra plumbing, which is, again,
 why or one of the reasons you'll

0:02:46.980000 --> 0:02:54.020000
 see that Sysmon is usually configured or
 configured to be an augmentation

0:02:54.020000 --> 0:02:56.060000
 of standard Windows event logging.

0:02:56.060000 --> 0:03:04.040000
 And Sysmon event logs are also shipped
 to a SIEM or collected by SIEMs because,

0:03:04.040000 --> 0:03:10.380000
 again, they enhance detection, but also
 play a very big role in analysis

0:03:10.380000 --> 0:03:13.160000
 for obvious reasons.

0:03:13.160000 --> 0:03:16.840000
 So Sysmon is widely used for security
 monitoring, so, you know, providing

0:03:16.840000 --> 0:03:20.900000
 high-fidelity telemetry that
 SIEMs and EDRs often rely on.

0:03:20.900000 --> 0:03:24.260000
 It's used for threat hunting, so investigators
 can trace malware behavior

0:03:24.260000 --> 0:03:29.180000
 through process trees, network activity
 and registry changes for incident

0:03:29.180000 --> 0:03:32.900000
 response. So it helps reconstruct the
 timeline of an attack showing what

0:03:32.900000 --> 0:03:39.480000
 was executed, when, and by whom. Behavioral
 analysis, so it assists in identifying

0:03:39.480000 --> 0:03:45.180000
 anomalous patterns indicative of compromise
 and for forensic investigation.

0:03:45.180000 --> 0:03:48.500000
 So it preserves detailed logs that
 may reveal indicators of compromise

0:03:48.500000 --> 0:03:51.580000
 long after the initial event.

0:03:51.580000 --> 0:03:55.900000
 So why is Sysmon valuable to incident
 responders? A, for visibility.

0:03:55.900000 --> 0:03:59.940000
 So it gives responders insight into
 low-level operating system behavior

0:03:59.940000 --> 0:04:02.380000
 without requiring kernel debugging.

0:04:02.380000 --> 0:04:07.160000
 B, correlating data, so linking processes,
 network activity and registry

0:04:07.160000 --> 0:04:11.660000
 modifications allows for narrative
 reconstruction of attacks.

0:04:11.660000 --> 0:04:17.080000
 3, or C, it's lightweight and customizable,
 so extremely low resource

0:04:17.080000 --> 0:04:21.820000
 footprint with customizable configs
 to minimize noise, and it runs as

0:04:21.820000 --> 0:04:24.100000
 a Windows service, which is great.

0:04:24.100000 --> 0:04:27.820000
 You know, you also have persistent
 logs, so even if an attacker clears

0:04:27.820000 --> 0:04:31.940000
 standard logs, if Sysmon logs are forwarded
 to a SIEM, evidence is still

0:04:31.940000 --> 0:04:35.480000
 going to be preserved, and then
 detection of advanced threats.

0:04:35.480000 --> 0:04:40.320000
 So Sysmon can catch subtle indicators
 like PowerShell usage, unusual parent-child

0:04:40.320000 --> 0:04:44.140000
 relationships or lateral
 movement attempts.

0:04:44.140000 --> 0:04:46.980000
 So what are these key event
 IDs that you need to know?

0:04:46.980000 --> 0:04:50.480000
 Key, Sysmon event IDs
 that you need to know.

0:04:50.480000 --> 0:04:56.780000
 So you have Sysmon event ID 1, which
 is, you know, process creation, the

0:04:56.780000 --> 0:05:04.240000
 typical IOC value that you'll find within
 event IDs within Sysmon event

0:05:04.240000 --> 0:05:09.180000
 ID 1 would be the image path, command
 line arguments, the parent hash.

0:05:09.180000 --> 0:05:13.480000
 You then have 3, which is network connection,
 so think of source or destination

0:05:13.480000 --> 0:05:18.280000
 IPs and port, and then the process GUID.

0:05:18.280000 --> 0:05:23.340000
 You have 11, which is for file creation,
 so the target file name hash,

0:05:23.340000 --> 0:05:28.600000
 etc. And then 13, which is the registry
 value set, which is used to track

0:05:28.600000 --> 0:05:32.920000
 that. And then the typical IOC values
 will be the key path, and then the

0:05:32.920000 --> 0:05:34.800000
 new data that was added.

0:05:34.800000 --> 0:05:37.940000
 22 is for DNS queries, so query name.

0:05:37.940000 --> 0:05:43.200000
 The typical IOC value would be the
 query name, the PID process ID.

0:05:43.200000 --> 0:05:48.100000
 And then 23 and 24 would be file
 deletion and clipboard entries.

0:05:48.100000 --> 0:05:52.040000
 So this, you know, the typical IOC value
 here would be signs of data staging

0:05:52.040000 --> 0:05:53.640000
 or exfiltration.

0:05:53.640000 --> 0:05:56.580000
 You know, so quite simple.

0:05:56.580000 --> 0:06:00.140000
 And I've not outlined all of the Sysmon
 event IDs, but these are the ones

0:06:00.140000 --> 0:06:01.540000
 that you need to know.

0:06:01.540000 --> 0:06:06.540000
 Okay, so with that being said, we're
 now going to be taking a look or

0:06:06.540000 --> 0:06:09.360000
 going through a practical demo
 on how to deploy Sysmon.

0:06:09.360000 --> 0:06:13.100000
 And after we've deployed it, we're
 going to test it to see exactly how

0:06:13.100000 --> 0:06:16.020000
 much information it gives us, or how
 it differs from standard Windows

0:06:16.020000 --> 0:06:19.960000
 event logs, and, you know, specific
 to incident response.

0:06:19.960000 --> 0:06:22.620000
 So this video has a lab
 associated with it.

0:06:22.620000 --> 0:06:25.640000
 It's going to be the lab just
 beneath or below this video.

0:06:25.640000 --> 0:06:29.020000
 And it's called, you know,
 deploying Sysmon.

0:06:29.020000 --> 0:06:32.820000
 And when you start up the lab, you'll
 be provided with access to a Windows

0:06:32.820000 --> 0:06:37.400000
 system. And it has all the tools ready
 to go, but we'll be following through

0:06:37.400000 --> 0:06:38.720000
 the setup process.

0:06:38.720000 --> 0:06:42.760000
 So I'm going to start up my lab, and
 I'll see you there in a couple of

0:06:42.760000 --> 0:06:49.500000
 seconds. All right.

0:06:49.500000 --> 0:06:52.720000
 Next up, you're going to see a
 folder called deploying Sysmon.

0:06:52.720000 --> 0:06:56.180000
 In here, you're going to see quite a
 few tools that may seem new to you.

0:06:56.180000 --> 0:06:59.660000
 But for now, let's focus on Sysmon.zip.

0:06:59.660000 --> 0:07:04.220000
 Okay. So I've already downloaded it for
 you here on the lab from the official

0:07:04.220000 --> 0:07:06.840000
 Microsoft Sysinternals website.

0:07:06.840000 --> 0:07:11.280000
 And generally speaking, all
 we need to do is extract it.

0:07:11.280000 --> 0:07:13.920000
 And in here, you're going
 to have the binaries.

0:07:13.920000 --> 0:07:19.540000
 So you have, you know, different binaries
 or executables for, you know,

0:07:19.540000 --> 0:07:24.560000
 32-bit systems, 64-bit systems, as
 well as ARM-based devices operating

0:07:24.560000 --> 0:07:30.000000
 systems. Now, in order for Sysmon to
 work or to work correctly, as it

0:07:30.000000 --> 0:07:34.500000
 were, you'll typically see that it's
 set up with a configuration file,

0:07:34.500000 --> 0:07:39.760000
 which is why I've also downloaded
 for you here a configuration file.

0:07:39.760000 --> 0:07:42.200000
 So the zip is sysmon-config-master.

0:07:42.200000 --> 0:07:48.960000
 And in here, you're going to have the,
 it's just called sysmonconfig-export.xml,

0:07:48.960000 --> 0:07:57.820000
 right? So you have the ability
 to create your own config file if

0:07:57.820000 --> 0:08:03.720000
 you want. This one specifically is, this
 is the config file from the SwiftOnSecurity

0:08:03.720000 --> 0:08:09.380000
 GitHub repo, which I can,
 you know, I can walk you through

0:08:09.380000 --> 0:08:14.460000
 it, but you can actually just open it
 up with a tool like WordPad here.

0:08:14.460000 --> 0:08:20.700000
 It's XML. And you can see right
 over here, just a second.

0:08:20.700000 --> 0:08:24.220000
 There's the initial notes
 and documentation.

0:08:24.220000 --> 0:08:29.760000
 So you can go through what it does
 in terms of the key things that it

0:08:29.760000 --> 0:08:34.000000
 monitors. So firstly here, you can see
 Sysmon event ID, which is Sysmon

0:08:34.000000 --> 0:08:37.740000
 event ID 1, which is for process creation.


0:08:37.740000 --> 0:08:41.620000
 You can see that right over here, all
 processes launched will be logged,

0:08:41.620000 --> 0:08:44.060000
 except for what matches the rule below.

0:08:44.060000 --> 0:08:47.920000
 And then you can take a look at
 the rule below right over here.

0:08:47.920000 --> 0:08:51.240000
 So you can see data, this
 is what is logged.

0:08:51.240000 --> 0:08:57.080000
 So UTC time, process GUID, it pretty much
 lays out what is going to be logged

0:08:57.080000 --> 0:08:59.260000
 and the data included.

0:08:59.260000 --> 0:09:03.020000
 So you can use, you know, pre-built
 configuration files like this when

0:09:03.020000 --> 0:09:04.180000
 setting up Sysmon.

0:09:04.180000 --> 0:09:10.560000
 In any case, what you want to do is
 copy this configuration file into

0:09:10.560000 --> 0:09:12.060000
 the Sysmon folder.

0:09:12.060000 --> 0:09:15.080000
 We just extracted. This
 makes it much easier.

0:09:15.080000 --> 0:09:17.060000
 I'm going to paste it in there.

0:09:17.060000 --> 0:09:22.580000
 And now what we want to do to set up or
 install Sysmon with the configuration

0:09:22.580000 --> 0:09:25.700000
 file is just open up a PowerShell
 window in here.

0:09:25.700000 --> 0:09:29.240000
 And I'm just going to make the
 font a little bit bigger.

0:09:29.240000 --> 0:09:31.720000
 So there we go. We'll say font.

0:09:31.720000 --> 0:09:38.200000
 Very nice. And now what we will do
 is we will say Sysmon will install

0:09:38.200000 --> 0:09:39.960000
 the 64-bit version.

0:09:39.960000 --> 0:09:42.260000
 So Sysmon64.exe.

0:09:42.260000 --> 0:09:48.420000
 And we can just say accept
 the EULA, -accepteula.

0:09:48.420000 --> 0:09:53.060000
 And we then say -i for the config file
 and then the config file, which

0:09:53.060000 --> 0:09:54.920000
 we copied over, Sysmon.

0:09:54.920000 --> 0:10:00.120000
 sysmonconfig-export.xml.

0:10:00.120000 --> 0:10:02.820000
 And we just hit enter.

0:10:02.820000 --> 0:10:06.940000
 Like so, that's going to
 set up Sysmon for us.

0:10:06.940000 --> 0:10:07.860000
 So there we are.

0:10:07.860000 --> 0:10:12.940000
 And now you can query the service to
 see if it's running by saying sc

0:10:12.940000 --> 0:10:17.040000
 query. And I believe it's just Sysmon.

0:10:17.040000 --> 0:10:21.080000
 Hold on, Sysmon64.

0:10:21.080000 --> 0:10:22.660000
 And that's not bringing anything up.

0:10:22.660000 --> 0:10:26.900000
 We can always query it using
 the services.msc tool.

0:10:26.900000 --> 0:10:28.560000
 Not server manager.

0:10:28.560000 --> 0:10:30.640000
 My bad. So services.

0:10:30.640000 --> 0:10:34.500000
 There we are. Let me just bring
 this up here real quick.

0:10:34.500000 --> 0:10:37.220000
 And we want to look for Sysmon.

0:10:37.220000 --> 0:10:39.400000
 So there we are.

0:10:39.400000 --> 0:10:42.120000
 Sysmon64. Yeah, it's running.

0:10:42.120000 --> 0:10:44.940000
 Great. So that's good to go now.

0:10:44.940000 --> 0:10:47.500000
 Let me get rid of server manager.

0:10:47.500000 --> 0:10:51.840000
 And let me just see whether my, I was
 making a mistake here, given that

0:10:51.840000 --> 0:10:53.760000
 it's uppercase S.

0:10:53.760000 --> 0:10:55.960000
 Still nothing in any case.

0:10:55.960000 --> 0:10:58.000000
 I'll just minimize this.

0:10:58.000000 --> 0:11:04.820000
 And now if we go into the event viewer,
 we can find the Sysmon logs if

0:11:04.820000 --> 0:11:09.980000
 you remember. We've confirmed that
 the service is running, but to see

0:11:09.980000 --> 0:11:17.700000
 or to sort of verify whether logs are
 working or whether it's working,

0:11:17.700000 --> 0:11:20.160000
 we can go to Applications and Services

0:11:20.160000 --> 0:11:22.300000
 Logs, as outlined in the slides.

0:11:22.300000 --> 0:11:26.860000
 Microsoft under Windows, you're going
 to see a folder here called Sysmon.

0:11:26.860000 --> 0:11:32.460000
 So we want to go into the S
 or the S's right over here.

0:11:32.460000 --> 0:11:35.280000
 Huh, let's see interesting.

0:11:35.280000 --> 0:11:36.680000
 Oh, there we are.

0:11:36.680000 --> 0:11:39.060000
 Sysmon and Operational.

0:11:39.060000 --> 0:11:44.360000
 And in here, you'll now you have your
 Sysmon event logs right over here.

0:11:44.360000 --> 0:11:46.480000
 So you have the event ID.

0:11:46.480000 --> 0:11:48.740000
 So this is Sysmon specific.

0:11:48.740000 --> 0:11:50.680000
 So these are all process creations.

0:11:50.680000 --> 0:11:54.160000
 And then as I mentioned in the slides,
 you have file creation right over

0:11:54.160000 --> 0:12:00.160000
 here. So for example, now to run a couple
 of experiments, if we open up

0:12:00.160000 --> 0:12:05.760000
 something like Notepad, let's see whether
 this will actually trigger based

0:12:05.760000 --> 0:12:08.740000
 on the configuration that I used.

0:12:08.740000 --> 0:12:10.600000
 So there we are.

0:12:10.600000 --> 0:12:14.780000
 You can see Notepad is now being, execution
 of all processes is now being

0:12:14.780000 --> 0:12:17.740000
 tracked, which is something
 that you may find useful.

0:12:17.740000 --> 0:12:22.740000
 If you view the details, the raw XML
 format or this one here, the friendly

0:12:22.740000 --> 0:12:28.360000
 view, you can also see with the rule
 set that or the configuration that

0:12:28.360000 --> 0:12:33.360000
 I downloaded here or that
 we're using for Sysmon.

0:12:33.360000 --> 0:12:36.380000
 I believe there should be.

0:12:36.380000 --> 0:12:42.920000
 Hmm. No, actually this one does not
 have the MITRE ATT&CK TTP correlation.

0:12:42.920000 --> 0:12:48.040000
 But in any case, you
 have specifics there.

0:12:48.040000 --> 0:12:51.440000
 Let's see if it tracks
 network connectivity.

0:12:51.440000 --> 0:12:53.120000
 So we'll just run a quick ping.

0:12:53.120000 --> 0:13:02.200000
 So ping 8.8.8.8, the lab should be offline,
 but let's just hit enter over

0:13:02.200000 --> 0:13:05.960000
 here. I'm just going to see
 whether it tracks this here.

0:13:05.960000 --> 0:13:12.660000
 So we'll say, let me refresh that.

0:13:12.660000 --> 0:13:15.740000
 Let's go into the general view here.

0:13:15.740000 --> 0:13:16.700000
 There we are, ping.

0:13:16.700000 --> 0:13:19.220000
 So that's being tracked there.

0:13:19.220000 --> 0:13:23.620000
 Yeah, we can see this right over here.

0:13:23.620000 --> 0:13:27.140000
 So that's process creation
 and then event ID 8.

0:13:27.140000 --> 0:13:31.820000
 If we view the details
 here, there we are.

0:13:31.820000 --> 0:13:33.940000
 Yeah, you can see that here.

0:13:33.940000 --> 0:13:37.160000
 We have the target image, great.

0:13:37.160000 --> 0:13:46.760000
 And then of course, for PowerShell logging,
 let us, in this case, if we wanted

0:13:46.760000 --> 0:13:50.720000
 to correlate, if so, if I run it as
 administrator here, and we say, whoami,

0:13:50.720000 --> 0:13:55.060000
 and then whoami /priv.

0:13:55.060000 --> 0:14:02.020000
 Stuff that we would want to see, either
 in the SIEM or just through manual

0:14:02.020000 --> 0:14:04.660000
 analysis on the host.

0:14:04.660000 --> 0:14:09.480000
 Right over here, you can see that this
 should just be tracked as event

0:14:09.480000 --> 0:14:12.880000
 ID 1. Let's refresh this.

0:14:12.880000 --> 0:14:16.960000
 Indeed, it is. So you can see
 whoami right over here.

0:14:16.960000 --> 0:14:19.420000
 whoami /priv. That's all being tracked.


0:14:19.420000 --> 0:14:24.800000
 But then you can perform correlation
 with PowerShell logging.

0:14:24.800000 --> 0:14:32.300000
 So if we go into the PowerShell right
 over here and operational, we should

0:14:32.300000 --> 0:14:35.680000
 see the 4104, I believe.

0:14:35.680000 --> 0:14:36.600000
 Yeah, there we are.

0:14:36.600000 --> 0:14:39.100000
 Fantastic. Wait, hold on.

0:14:39.100000 --> 0:14:40.420000
 What's being executed here?

0:14:40.420000 --> 0:14:43.460000
 Let's go into general.

0:14:43.460000 --> 0:14:49.240000
 Let's see. Is that what
 we were doing here?

0:14:49.240000 --> 0:14:55.800000
 So invocation, therefore, 4104,
 execute remote command.

0:14:55.800000 --> 0:15:01.180000
 Let's see, hold on a second.

0:15:01.180000 --> 0:15:03.960000
 Let me refresh this.

0:15:03.960000 --> 0:15:13.860000
 I mean, to admin here.

0:15:13.860000 --> 0:15:16.820000
 Okay, just a second.

0:15:16.820000 --> 0:15:19.180000
 Yeah, we haven't executed any scripts.

0:15:19.180000 --> 0:15:22.860000
 I forgot that, but we'll probably
 be able to track this shortly.

0:15:22.860000 --> 0:15:25.540000
 So we've proven that it works.

0:15:25.540000 --> 0:15:28.480000
 Now, of course, you can always
 compare it to the standard one.

0:15:28.480000 --> 0:15:34.080000
 So if we go into Windows logs here and,
 you know, system right over here.

0:15:34.080000 --> 0:15:39.100000
 So if we go into Windows logs here, actually,
 notification desktop window

0:15:39.100000 --> 0:15:42.500000
 manager, you can see by default you're
 not getting anything useful.

0:15:42.500000 --> 0:15:44.800000
 So this is one of the
 advantages of Sysmon.

0:15:44.800000 --> 0:15:52.080000
 Now within the tools, the deploying
 Sysmon folder here, I also set up

0:15:52.080000 --> 0:15:59.040000
 or downloaded the Atomic Red Team folder
 for you, where you can sort of

0:15:59.040000 --> 0:16:07.820000
 emulate attacks or try and execute
 various you know, specifically TTP

0:16:07.820000 --> 0:16:15.640000
 IDs and you know, different procedures
 and see what they look like in

0:16:15.640000 --> 0:16:19.580000
 terms of the Sysmon logs, which
 can be quite interesting.

0:16:19.580000 --> 0:16:27.900000
 So if we go ahead and what I will do
 is let's just extract this folder

0:16:27.900000 --> 0:16:31.200000
 here. So I will extract it.

0:16:31.200000 --> 0:16:34.300000
 Yeah, let's just extract it here.

0:16:34.300000 --> 0:16:37.380000
 Okay, so we'll extract that here.

0:16:37.380000 --> 0:16:40.980000
 If you're not familiar with what Atomic
 Red Team is, it's a project that

0:16:40.980000 --> 0:16:43.600000
 allows for attack emulation.

0:16:43.600000 --> 0:16:47.000000
 So you can pretty much emulate various
 types of attacks mapped to the

0:16:47.000000 --> 0:16:53.100000
 MITRE ATT&CK framework, you know, for detection
 engineering, threat hunting,

0:16:53.100000 --> 0:17:03.800000
 etc. So I will just rename
 this to Atomic Red Team.

0:17:03.800000 --> 0:17:08.380000
 Atomic Red Team and I'm going to cut
 this and I'm going to paste it in

0:17:08.380000 --> 0:17:10.380000
 the root of the C drive.

0:17:10.380000 --> 0:17:12.380000
 Okay, so there we go.

0:17:12.380000 --> 0:17:25.460000
 Paste that in there.

0:17:25.460000 --> 0:17:29.160000
 And did I already have it in there?

0:17:29.160000 --> 0:17:31.520000
 That's weird. Let me see.

0:17:31.520000 --> 0:17:33.080000
 I did. Okay, great.

0:17:33.080000 --> 0:17:36.340000
 So in here, yeah, we have
 Invoke-AtomicRedTeam.

0:17:36.340000 --> 0:17:38.560000
 So this lab should already
 have it set up for you.

0:17:38.560000 --> 0:17:44.120000
 So I'm going to get a PowerShell window in
 here and we're going to say Install-Module.

0:17:44.120000 --> 0:17:49.000000
 I believe I've set this up,
 but you know, all is good to confirm

0:17:49.000000 --> 0:18:00.420000
 this. So -Name would be Invoke-AtomicRedTeam
 and we're going to say -Force

0:18:00.420000 --> 0:18:03.800000
 that should already be
 installed, I believe.

0:18:03.800000 --> 0:18:12.200000
 Okay, then we can say
 import, Import-Module.

0:18:12.200000 --> 0:18:18.600000
 One second, where do we have it in here?

0:18:18.600000 --> 0:18:22.220000
 There should be Invoke-AtomicRedTeam.

0:18:22.220000 --> 0:18:24.580000
 And then yeah, so we want
 to import the module.

0:18:24.580000 --> 0:18:32.480000
 So import one second.

0:18:32.480000 --> 0:18:35.560000
 Let me just see this what we have it.

0:18:35.560000 --> 0:18:46.740000
 So it's Import-Module and
 Invoke-AtomicRedTeam.

0:18:46.740000 --> 0:18:53.980000
 And then the script, I believe,
 is Invoke-AtomicRedTeam.psd1.

0:18:53.980000 --> 0:18:57.980000
 Okay, so now that's done, we can, you
 know, emulate some MITRE ATT&CK

0:18:57.980000 --> 0:18:58.980000
 techniques here.

0:18:58.980000 --> 0:19:07.400000
 So for example, PowerShell execution, we
 can then say Invoke-Atomic, sorry,

0:19:07.400000 --> 0:19:11.560000
 one second, Invoke-AtomicTest.

0:19:11.560000 --> 0:19:17.080000
 And then the way it works with the
 Atomic Red Team framework is

0:19:17.080000 --> 0:19:21.180000
 the technique would be a MITRE
 ATT&CK technique ID.

0:19:21.180000 --> 0:19:27.240000
 So T1059 and then the sub technique ID.

0:19:27.240000 --> 0:19:30.980000
 So 001, this is PowerShell execution.

0:19:30.980000 --> 0:19:36.400000
 So this will run a harmless PowerShell command
 to simulate script execution.

0:19:36.400000 --> 0:19:38.420000
 And then you specify the procedure.

0:19:38.420000 --> 0:19:43.660000
 So in this case, -TestNumbers,
 we'll just say 1 here.

0:19:43.660000 --> 0:19:45.100000
 So we hit enter.

0:19:45.100000 --> 0:19:50.460000
 It's going to test invocation
 of Mimikatz in this case.

0:19:50.460000 --> 0:19:59.160000
 So there we go. Actually, PowerShell,
 unless I'm using older IDs. In any

0:19:59.160000 --> 0:20:06.140000
 case. We can now go back into Sysmon
 operational and in here.

0:20:06.140000 --> 0:20:10.400000
 Let's see. Just going to refresh this.

0:20:10.400000 --> 0:20:15.220000
 Okay, so we have execution of PowerShell.

0:20:15.220000 --> 0:20:19.140000
 We can see it pulled something.

0:20:19.140000 --> 0:20:22.200000
 And then in here, we can see a PowerShell.

0:20:22.200000 --> 0:20:27.020000
 So it looked like it downloaded
 something from the internet.

0:20:27.020000 --> 0:20:31.060000
 Which is exactly what we wanted.

0:20:31.060000 --> 0:20:33.660000
 And you can see this right over here.

0:20:33.660000 --> 0:20:38.820000
 You can see how amazing Sysmon is because
 it tells us the target file

0:20:38.820000 --> 0:20:42.740000
 name. So it looks like this PowerShell script
 was stored under AppData, Local,

0:20:42.740000 --> 0:20:45.780000
 Temp to, let's see if it's still there.

0:20:45.780000 --> 0:20:52.520000
 I think it might have cleaned it up.

0:20:52.520000 --> 0:20:57.020000
 Hold on. That is under
 Administrator, AppData.

0:20:57.020000 --> 0:20:59.780000
 So we need to, oh, my bad.

0:20:59.780000 --> 0:21:02.080000
 That is my own Windows system.

0:21:02.080000 --> 0:21:09.020000
 Show hidden files and folders.

0:21:09.020000 --> 0:21:11.220000
 So just apply that there.

0:21:11.220000 --> 0:21:21.700000
 So AppData, Local, Temp to.

0:21:21.700000 --> 0:21:23.880000
 I think it probably cleared it out.

0:21:23.880000 --> 0:21:26.900000
 So yeah, because that should be under ps.


0:21:26.900000 --> 0:21:30.700000
 Yeah, in any case, you can see that
 that PowerShell script was logged as

0:21:30.700000 --> 0:21:36.460000
 being executed. And this can be very
 useful as an incident responder.

0:21:36.460000 --> 0:21:40.960000
 So the reason I'm showing you this is
 not so you can set up Sysmon, set

0:21:40.960000 --> 0:21:42.680000
 it up and configurate yourself.

0:21:42.680000 --> 0:21:46.420000
 But to show you the type of information
 that you get just from Sysmon,

0:21:46.420000 --> 0:21:53.120000
 of course, you can perform correlation
 with the PowerShell Operational logs

0:21:53.120000 --> 0:21:54.200000
 right over here.

0:21:54.200000 --> 0:21:58.120000
 So you can see execute or hold on a
 second and always good to keep it

0:21:58.120000 --> 0:22:00.240000
 nice and refreshed here.

0:22:00.240000 --> 0:22:05.880000
 So let's see what this told us.

0:22:05.880000 --> 0:22:08.640000
 Let's see. T-t-t-t-t.

0:22:08.640000 --> 0:22:14.240000
 Yeah, this doesn't give us
 that much information.

0:22:14.240000 --> 0:22:14.720000
 So you can see that it's
 not a good thing.

0:22:14.720000 --> 0:22:17.020000
 Execute a remote command.

0:22:17.020000 --> 0:22:19.620000
 Yeah, so you can see this
 makes it much harder.

0:22:19.620000 --> 0:22:27.780000
 Now if we go back into Sysmon, you pretty
 much get to see what is valuable

0:22:27.780000 --> 0:22:30.860000
 to you. So we know PowerShell
 is being executed.

0:22:30.860000 --> 0:22:34.920000
 This is, you can see, network connection
 detected, all the good stuff,

0:22:34.920000 --> 0:22:37.440000
 all the stuff that you'd think is useful.


0:22:37.440000 --> 0:22:41.420000
 And then of course it caught the execution
 of the actual atomic right

0:22:41.420000 --> 0:22:46.860000
 over there. So that's what I wanted
 to highlight in this video.

0:22:46.860000 --> 0:22:50.300000
 Hopefully you understand Sysmon
 a little bit better.

0:22:50.300000 --> 0:22:54.060000
 We're going to be contextualizing all
 of this so you don't need to worry.

0:22:54.060000 --> 0:22:56.860000
 But with that being said, that brings us
 to the end of the practical demonstration

0:22:56.860000 --> 0:22:59.400000
 section of this video.

0:22:59.400000 --> 0:23:04.160000
 All right, so that was
 how to deploy Sysmon.

0:23:04.160000 --> 0:23:09.460000
 And we got a proper introduction to Sysmon,
 understand how it works, what

0:23:09.460000 --> 0:23:14.680000
 it does and the additional information
 it provides us with regard to enriching

0:23:14.680000 --> 0:23:19.800000
 our understanding of Windows
 event logging as it were.

0:23:19.800000 --> 0:23:23.340000
 So with that being said, that's
 going to be it for this video.

0:23:23.340000 --> 0:23:25.620000
 And I will be seeing you
 in the next video.

