Learning Sysmon - Tracking When Drivers Are Loaded (Video 9)
In this video, Research Team Lead Carlos Perez provides methods and recommendations for setting up a baseline in order to get the best value from the driver load event type. He also demonstrates the collection using drivers that are currently being leveraged by attackers.

Resources mentioned in the video:

Windows Driver Block List: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
Sysmon Modular: https://github.com/olafhartong/sysmon-modular
Sysmon Community Guide: https://github.com/trustedsec/SysmonCommunityGuide
Olaf Hartong's Sysmon Modular video: https://www.youtube.com/watch?v=Cx_zrM8Hu7Y
PSGumshoe PowerShell Module: https://www.powershellgallery.com/packages/PSGumshoe/
Sysmon Visual Studio Code Extension: https://marketplace.visualstudio.com/items?itemName=DarkOperator.sysmon

Timestamps:

00:00:00 Intro
00:01:19 Building a Baseline
00:01:35 Baseline Configuration Demo
00:04:13 Creating a Rule Set from Baseline
00:07:05 Testing with Mimikatz
00:08:28 Test Revoked Driver
00:09:42 WDAC Driver Block Rules
00:10:24 Testing with Vulnerable Driver
00:11:40 Summary