Go Evtx SigNature Engine

This article introduces an engine (a.k.a. Gene) we have designed to match signatures in Windows events. Our motivations were driven by some observations made during several incidents we have worked on. The first observation is that the Windows OS has hundreds of different event logs, which makes it very difficult to remember the meaning of all of them. Some event logs simply indicate that something is going wrong on a system, whilst others are clearly the signature of a compromise. These two observations make the study of Windows event logs very important and sometimes decisive for an analysis. more ...


Sysmon v6.10 VS WMI Persistence

Sysmon v6.10 was released on the 11th of September and introduces new features such as WMI event reporting. At first sight, these new capabilities seem very interesting for SOC and Incident Response purposes. Therefore, in this article we are going to explore the new events generated by this latest version of Sysmon. We will also discuss to what extent we can use these events to detect real-life WMI abuses. more ...