Following Breadcrumbs: Tracking Threats with Sysmon

Sysmon can improve your decision-making by offering a glimpse into what is happening on a host. From knowing which processes are communicating with remote C2 servers to tracking where files are being downloaded from, Sysmon provides visibility that would be nearly impossible to gather without purpose-built tooling in place. Along with a little bit of threat hunting, this webinar intends to show how to make the most of the opportunities Sysmon provides.

The “Sysmon for the Masses” webinar presentation by Dave Kennedy provides an excellent overview of Sysmon. This webinar builds on some of the principles discussed there.

In this webinar:

  • Introduction to Sysmon
  • Event Types
  • Use Cases
    • From initial download to post exploitation
  • Demos (recording)
  • Analysis
    • Relevant event types to look for
    • Following activity down the line
  • Tips and Tricks


About the Presenter

Brandon George & James Quinn

Brandon George is a Senior SOC Analyst for Binary Defense. In his free time, he is often with friends and family, running, or working on research projects. Probably never all at the same time, though.

James Quinn is a Threat Researcher and Malware Analyst for Binary Defense. When he is not working at Binary Defense, he works as a freelance malware analyst and participates in security intelligence sharing groups. James is a major contributor to research of the Emotet botnet with the Cryptolaemus security researcher group.