Sysmon v6.10 VS WMI Persistence

Sysmon v6.10 was released on the 11th of September and introduces new features such as WMI event reporting (event IDs 19, 20 and 21, covering WMI event filters, event consumers and filter-to-consumer bindings). At first sight, these new capabilities look very interesting for SOC and incident response purposes. In this article we therefore explore the new events generated by this latest version of Sysmon, and discuss to what extent they can be used to detect real-life WMI abuse.
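As an added example (not code from the original article), the following script shows the correlation a SOC analyst would want to run over Sysmon's WMI events: it parses events 19 (filter), 20 (consumer) and 21 (binding) rendered as XML, and reports every binding whose consumer class can execute attacker-supplied code. The sample events are constructed to mimic the Sysmon XML layout and field names; the `LAB\admin` user, the `EvilFilter`/`EvilConsumer` names and the payload are invented, while the `SCM Event Log Consumer` binding is modelled on the one present on a default Windows install.

```python
"""Triage Sysmon WMI events (19 filter, 20 consumer, 21 binding) for permanent
WMI event subscriptions whose consumer can run commands or scripts."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
# WMI consumer classes that execute attacker-controlled code when the filter fires.
RISKY_CONSUMER_CLASSES = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Event 21 names consumer and filter as WMI object paths, e.g. CommandLineEventConsumer.Name="x"
_WMI_PATH_RE = re.compile(r'(\w+)\.Name="([^"]+)"')


def _split_wmi_path(path):
    """Return (class, instance name) from a WMI object path; class is '' if unparseable."""
    m = _WMI_PATH_RE.search(path)
    return m.groups() if m else ("", path)


def parse_sysmon_event(xml_text):
    """Return (event_id, {field name: value}) from one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, fields


def triage_wmi_events(xml_events):
    """Correlate 19/20/21 (in the order given) and report code-executing bindings."""
    filters, consumers, findings = {}, {}, []
    for xml_text in xml_events:
        event_id, f = parse_sysmon_event(xml_text)
        if f.get("Operation") != "Created":
            continue                       # this example ignores Deleted/Modified operations
        if event_id == 19:
            filters[f["Name"]] = f
        elif event_id == 20:
            consumers[f["Name"]] = f
        elif event_id == 21:
            consumer_class, consumer_name = _split_wmi_path(f["Consumer"])
            _, filter_name = _split_wmi_path(f["Filter"])
            if consumer_class in RISKY_CONSUMER_CLASSES:
                findings.append({
                    "user": f.get("User"),
                    "consumer_class": consumer_class,
                    "consumer": consumer_name,
                    "payload": consumers.get(consumer_name, {}).get("Destination"),
                    "filter": filter_name,
                    "trigger": filters.get(filter_name, {}).get("Query"),
                })
    return findings


def _sysmon_event(event_id, fields):
    """Render a Sysmon-shaped event; constructed test data, not a capture from a host."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [  # constructed; user, names and payload are invented
    _sysmon_event(19, {"EventType": "WmiFilterEvent", "Operation": "Created", "User": "LAB\\admin",
                       "EventNamespace": "root\\cimv2", "Name": "EvilFilter",
                       "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
                                "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}),
    _sysmon_event(20, {"EventType": "WmiConsumerEvent", "Operation": "Created", "User": "LAB\\admin",
                       "Name": "EvilConsumer", "Type": "Command Line",
                       "Destination": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAC4ALgAuACkA"}),
    _sysmon_event(21, {"EventType": "WmiBindingEvent", "Operation": "Created", "User": "LAB\\admin",
                       "Consumer": 'CommandLineEventConsumer.Name="EvilConsumer"',
                       "Filter": '__EventFilter.Name="EvilFilter"'}),
    _sysmon_event(21, {"EventType": "WmiBindingEvent", "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
                       "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
                       "Filter": '__EventFilter.Name="SCM Event Log Filter"'}),
]

if __name__ == "__main__":
    for hit in triage_wmi_events(SAMPLE_EVENTS):
        print(hit)
```

The binding event (21) is the one worth alerting on, since a filter or consumer on its own does nothing; the 19 and 20 events are used here only to enrich the alert with the WQL trigger and the command the consumer will run. Feed events in chronological order, as the correlation assumes the consumer and filter were logged before the binding.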

Sysmon Events Table

Sysmon is a great system monitoring tool from Microsoft Sysinternals that can be used for threat hunting and incident response. It runs as a Windows service and operates in kernel land through a driver. This blog article is maintained as a table describing the different Sysmon events available across Sysmon versions.

Carving EVTX

Windows uses a dedicated file format, EVTX, to store the logs generated by the different programs running on the system. These logs are usually found under C:\Windows\System32\winevt\Logs. Depending on the settings of your OS, they hold a wealth of useful information that you may want to recover under some circumstances.
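As an added example (not code from the original article), the following carver shows how the EVTX layout lets you recover log chunks from a raw byte stream such as a disk image or unallocated space without relying on the file system. It scans for the 64 KiB chunk signature "ElfChnk", validates each candidate with the two CRC32 checksums the chunk header carries, then walks the event records to pull out record identifiers and written timestamps. The header and record offsets follow the publicly documented EVTX format; the sample image is constructed in the script (a chunk planted at an unaligned offset next to a decoy signature), and the record bodies are placeholder bytes rather than real binary XML, which this example does not decode.

```python
"""Carve EVTX chunks out of a raw byte image by signature, validating each
candidate with the format's own CRC32 checksums, then walking its records."""
import struct
import zlib
from datetime import datetime, timedelta, timezone

CHUNK_MAGIC = b"ElfChnk\x00"
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
CHUNK_SIZE = 0x10000            # every chunk is 64 KiB
CHUNK_HEADER_SIZE = 128
RECORDS_START = 512             # 128-byte header + string/template offset tables
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_chunk(chunk):
    """Validate one candidate chunk and list its records; None if it is not a sane chunk."""
    if len(chunk) < RECORDS_START or chunk[:8] != CHUNK_MAGIC:
        return None
    header_size, last_rec_off, free_off, records_crc = struct.unpack_from("<IIII", chunk, 40)
    (header_crc,) = struct.unpack_from("<I", chunk, 124)
    if header_size != CHUNK_HEADER_SIZE or not RECORDS_START <= free_off <= len(chunk):
        return None
    # Header checksum covers bytes 0-119 and 128-511; the checksum field itself is skipped.
    if zlib.crc32(chunk[:120] + chunk[128:512]) != header_crc:
        return None                                  # damaged chunk or decoy signature
    records_crc_ok = zlib.crc32(chunk[RECORDS_START:free_off]) == records_crc
    records, off = [], RECORDS_START
    while off + 28 <= free_off and chunk[off:off + 4] == RECORD_MAGIC:
        size, record_id, written = struct.unpack_from("<IQQ", chunk, off + 4)
        # Each record ends with a copy of its size; a mismatch means truncation/corruption.
        if size < 28 or off + size > free_off or \
                struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            break
        records.append({"id": record_id, "written": filetime_to_datetime(written),
                        "binxml": chunk[off + 24:off + size - 4]})
        off += size
    return {"records_crc_ok": records_crc_ok, "records": records}


def carve_chunks(image):
    """Return (offset, parsed chunk) for every validated chunk found by signature scan."""
    hits, pos = [], image.find(CHUNK_MAGIC)
    while pos != -1:                                 # no alignment assumed: scan every hit
        parsed = parse_chunk(image[pos:pos + CHUNK_SIZE])
        if parsed is not None:
            hits.append((pos, parsed))
        pos = image.find(CHUNK_MAGIC, pos + 1)
    return hits


# --- constructed sample image (not a real dump); record bodies are placeholders ----------
def _build_record(record_id, written, binxml):
    size = 28 + len(binxml)
    size += (-size) % 8                              # pad to an 8-byte boundary
    body = RECORD_MAGIC + struct.pack("<IQQ", size, record_id, datetime_to_filetime(written)) + binxml
    return body.ljust(size - 4, b"\x00") + struct.pack("<I", size)


def _build_chunk(records, first_id):
    data = b"".join(records)
    free_off = RECORDS_START + len(data)
    hdr = bytearray(RECORDS_START)
    hdr[:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQ", hdr, 8, 1, len(records), first_id, first_id + len(records) - 1)
    struct.pack_into("<IIII", hdr, 40, CHUNK_HEADER_SIZE, free_off - len(records[-1]),
                     free_off, zlib.crc32(data))
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120]) + bytes(hdr[128:512])))
    return (bytes(hdr) + data).ljust(CHUNK_SIZE, b"\x00")


_T0 = datetime(2017, 9, 11, 12, 0, tzinfo=timezone.utc)
SAMPLE_CHUNK = _build_chunk([
    _build_record(1001, _T0, b"<binxml placeholder 1>"),
    _build_record(1002, _T0 + timedelta(seconds=30), b"<binxml placeholder 2>"),
], first_id=1001)
_JUNK = bytes(range(256)) * 12                       # filler containing no chunk signature
_DECOY = CHUNK_MAGIC + bytes(504)                    # signature with no valid header
SAMPLE_CHUNK_OFFSET = 3000                           # deliberately not 64 KiB aligned
SAMPLE_IMAGE = _JUNK[:SAMPLE_CHUNK_OFFSET] + SAMPLE_CHUNK + _JUNK + _DECOY + _JUNK

if __name__ == "__main__":
    for offset, chunk in carve_chunks(SAMPLE_IMAGE):
        print(f"chunk at {offset:#x}, records checksum ok: {chunk['records_crc_ok']}")
        for r in chunk["records"]:
            print(f"  record {r['id']} written {r['written'].isoformat()}")
```

The header checksum is what separates a genuine chunk from the stray "ElfChnk" bytes you will meet in slack space, and the records checksum tells you whether the carved chunk was modified or truncated after it was last written. A chunk cut off at the end of the image still fails the free-space bound here; relaxing that check and walking records until the first bad size copy is the usual next step when working on partial data.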