Sysmon is a well known tool provided by Microsoft frequently used in the fields of threat hunting, incident response and security monitoring. One of its best features is that it allows one to log any network connection issued by the processes running on the system. We will quickly review what information is provided in those events and what is the issue we have noticed. In order to overcome the issue we will present our work around which comes in a form of a new feature called event hooks introduced in the latest version of WHIDS. more ...

This article introduces an engine (a.k.a Gene) we have designed to match signatures in Windows events. Our motivations were driven by some observations done during several incident we have worked on. The first observation is that Windows OS has hundreds of different event logs, which makes very difficult to remember the meaning of all of them. Some event logs can simply characterize that something is going wrong on a system whilst some others are clearly the signature of a compromise. The two previous observations make the study of the Windows very important and sometime decisive for an analysis. more ...

This year I had a little time to solve few challenges of the Hack.lu CTF. I am going to explain in this article how I solved the bit challenge. more ...

Sysmon v6.10 has been released on the 11th of September and introduces new features such as WMI events reporting. At the first sight, these new capabilites seem very interesting for SOC and Incident Response purposes. Therefore in this article, we are going to explore the new events generated by this latest version of Sysmon. We will also discuss in which extent we can use these events to detect real life WMI abuses. more ...

Statistics showing the count of the events generated over a monitoring period of 5h with all the Sysmon events being logged. The event IDs not displayed have simply not been seen during the sampling. more ...

When we try to play with several machines, Sysmon and WECs (Windows Event Collectors) we quickly see the amount of logs growing. Knowing quite good the EVTX file format we realized that no compression is builtin. In order to optimize the storage of the events collected, we decided to run basic compression tests that we are going to describe here. more ...

In this article we are going to explain the carving strategy to adopt in order to recover Windows Event Logs as well as our tool built up for this purpose.

more ...