Sysmon for Linux PowerShell Module
Shell is Only the Beginning - Sharing my thoughts and ideas
by Carlos Perez
11M ago
Sysmon has been a great tool to enhance logging in Windows for many years, allowing well organized teams to cover many gaps in their logs and even improve their capabilities at detecting all kinds of attacks. Microsoft released a version of Sysmon for Linux to provide the same type of value to those defending Linux systems. Logs are saved into Syslog as single line XML blobs that can be ingested and parsed by SIEM products. To aid with extracting the Sysmon specific events from syslog I wrote the SysmonLinux.Util module. The module can parse one or more Syslog files, even GZip files archived by L…
Beyond the Technical - Advise for those starting in Infosec
by Carlos Perez
2y ago
One question I get on a regular basis is “I want to start a career in infosec, where do I start?” and when I ask in what area of infosec, one of the most common answers if not the only one is “I want to hack”. When I hear this, I see the focus is mostly on doing cool stuff; that is their strategic goal. I believe having this goal is not a bad one since they are looking for something that will fulfill them and that they find fun but, in my opinion, I find it to be also a goal that will lead to more stress and frustration since it will not match reality. You see, when one works in information security co…
Operational Thoughts in Trying Times
by Carlos Perez
2y ago
This post is as much a reminder to myself of where I should focus on the multiple jobs I have as it is a way to share with the community at large what I consider important and key in these trying times. Last year at a dinner I had a very nice conversation with my friend Ed Skoudis on security consultancies and how many operated. This conversation covered many aspects, from markets, politics, engagement best practices, retention of employees, and knowledge collection. Later at the end of the year, I had a good brainstorming session with Andrew Thompson via DMs on how recessions and the cycli…
Getting DNS Client Cached Entries with CIM/WMI
by Carlos Perez
3y ago
What is DNS Cache? The DNS cache maintains a database of recent DNS resolutions in memory. This allows for faster resolution of hosts that have been queried in the recent past. To keep this cache fresh and reduce the chance of stale records, the time items stay in the cache is 1 day on Windows clients. The DNS Client service in Windows is the one that manages the cache on a system. This time window can be modified via the registry, in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters, where the MaxCacheTtl property controls the time in the cache in seconds…
Being Grateful at Heidelberg
by Carlos Perez
4y ago
Recently, while in the bar of the Crown Plaza in Heidelberg for the Troopers conference, I became aware of how grateful I should be for what I have in this industry. What I’m grateful for is not technical or recognition but the group of people in the industry I have the honor to call friends. I would like to share some of them in this blog post. While coming back from dinner at Heidelberg, JD, also known as @SadProcessor, sent me a DM that several of our friends were at the hotel bar and, even though I don't drink, I should come down and hang out. I was jet lagged but had not seen many…
Operating Offensively Against Sysmon
by Carlos Perez
4y ago
Sysmon is a tool written by Mark Russinovich that I have covered in multiple blog posts, and I even wrote a PowerShell module called Posh-Sysmon to help with the generation of configuration files for it. Its main purpose is the tracking of potentially malicious activity on individual hosts, and it is based on the same technology as Procmon. It differs from other Sysinternals tools in that Sysmon is actually installed on the host and saves its information into the Windows Event Log, so it is easier to collect the information with the use of SIEM (Security Information and Event Manageme…