PowerSiem: https://github.com/IppSec/PowerSiem
Creating PowerSiem: https://www.twitch.tv/videos/1438252177
Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon Configuration File: https://github.com/Neo23x0/sysmon-config

00:00 - Intro
00:36 - Talking about PowerSIEM
01:40 - Installing Sysmon with Florian Roth's default config
03:30 - Showing what PowerSIEM does by running it and opening a command prompt, browser, etc.
04:50 - Explaining the PowerSIEM script, how it works, and all the Sysmon events it currently handles
07:50 - Setting breakpoints in PowerShell ISE
08:48 - Adding data to the Registry Set event
11:58 - Showing that just running a Sysinternals tool creates a registry key for accepting the EULA
13:45 - Running Impacket's PSEXEC to find out Defender stops it. Running the Sysinternals version and showing Defender allows it.
14:50 - Using PowerSIEM to show how the Sysinternals PSEXEC works
15:50 - Disabling AV, running Impacket's version again to show how it differs
17:35 - Creating a Cobalt Strike Beacon and showing some alerts
18:25 - Hiding network connection alerts in PowerSIEM by just commenting out the Write Alert line
20:00 - Running a shell command in Cobalt Strike and showing what it looks like in PowerSIEM
21:00 - Running Mimikatz and talking about its sacrificial process, pipes, and Mimikatz accessing LSASS
24:05 - Showing that not everything will be logged