Windows SYSMON | SANS ICS Concepts
Greetings and thank you for joining us for another SANS ICS concept overview. I'm Don C. Weber of Cutaway Security and a Certified SANS Instructor. In this concept overview, we are joined by Aaron Boyd, a Senior Industrial Penetration Tester at Dragos. I reached out to the community to find someone who has implemented Windows SYSMON within a process environment. Aaron stepped up and came through with flying colors. He will introduce us to Windows SYSMON and provide us with practical experience for implementing it in a safe and effective manner. If you enjoy this video, and the topics we cover in the SANS ICS concept overviews, be sure to like and subscribe to this channel. Leave a comment if you have a question about this topic or suggestions for future content.

Script by Aaron Boyd and Don C. Weber (@cutaway), Certified SANS Instructor and Cutaway Security, LLC.

References:
Microsoft Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon Config – SwiftOnSecurity: https://github.com/SwiftOnSecurity/sysmon-config
Sysmon Config – Lares LLC PrintNightmare Detection: https://github.com/LaresLLC/CVE-2021-1675
SANS ICS Concepts – Windows Logging: https://www.youtube.com/watch?v=KH-xzqF1bY8&t=1484s
Gaining Endpoint Log Visibility in ICS Environments: https://www.sans.org/white-papers/38835/
Black Hills Information Security – Sysmon Event ID Breakdown: https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/

Aaron's Social Media:
Twitter: https://twitter.com/ics_blitz
LinkedIn: https://www.linkedin.com/in/aaron-boyd-2b620531/
Dragos Bio: https://www.dragos.com/team/aaron-boyd/
E-Mail: [email protected]

Don's Social Media:
Twitter: https://twitter.com/cutaway
LinkedIn: https://www.linkedin.com/in/cutaway/
Cutaway Security: https://www.linkedin.com/company/cutaway-security-llc
CutSec Twitter: https://twitter.com/cutawaysecurity

SANS ICS Training:
ICS410: ICS/SCADA Security Essentials - https://www.sans.org/cyber-security-courses/ics-scada-cyber-security-essentials/
ICS456: Essentials for NERC Critical Infrastructure Protection - https://www.sans.org/cyber-security-courses/essentials-for-nerc-critical-infrastructure-protection/
ICS515: ICS Active Defense and Incident Response - https://www.sans.org/cyber-security-courses/industrial-control-system-active-defense-and-incident-response/
ICS612: ICS Cybersecurity In-Depth - https://www.sans.org/cyber-security-courses/ics-cyber-security-in-depth/