In this video, Research Team Lead Carlos Perez demonstrates how to configure Sysmon to monitor instances of one process accessing another process in order to detect and take action against abuse.
Windows Driver Block List:
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
Sysmon Modular:
https://github.com/olafhartong/sysmon-modular
Sysmon Community Guide:
https://github.com/trustedsec/SysmonCommunityGuide
PSGumshoe PowerShell Module:
https://www.powershellgallery.com/packages/PSGumshoe/
Sysmon Visual Studio Code Extension:
https://marketplace.visualstudio.com/items?itemName=DarkOperator.sysmon
00:00 Intro
01:56 Building a Baseline
06:06 Event Fields
07:49 Creating an exclude for the baseline
11:55 Interpreting the AccessGranted field
15:17 Conclusion
Learning Sysmon - Detecting abuse via Process Access (Video 10)