Sysinternals Sysmon Fundamentals

Date: May 27 - 28, 2020
Location: Online

Trainer: Carlos Perez

Skill Level: Basic


Course Description:

This course covers the fundamentals of Microsoft Sysinternals Sysmon, from basic use of the command line to deployment considerations and understanding how each event type works.

This course is designed for the defender who is just getting started with using the Sysinternals Sysmon tool for collecting information to aid in the hunt and detection of abuse of Windows environments.

This course qualifies for 14 hours of CPE credit hours.


Overview/Course Syllabus:

This two-day intensive training course will be held using videoconferencing software in an interactive group setting, with hands-on instruction as needed.

Day 1

  • What is Sysmon – We will cover what Sysinternals Sysmon is and how it works.
  • The Sysmon Driver – This overview of the core of Sysmon will discuss how this component captures the information that is then stored in the Windows event log.
  • Installation and Configuration – We will cover the basic installation of Sysmon and the command line parameters used. Additionally, we will look at some best practice recommendations and cover how to author XML configuration files.

Day 2

  • Event Types – We will look at the different event types generated by Sysmon and best practices for working with each one. The following event types will be covered:
      ◦ Sysmon Events
      ◦ Process Events
          ▪ Process Creation
          ▪ Process Termination
          ▪ Process Access
      ◦ File Events
          ▪ File Create
          ▪ File Create Time Change
          ▪ File Stream Creation Hash
      ◦ Named Pipes
      ◦ Driver Loading
      ◦ Registry Actions
      ◦ Image Loading
      ◦ Network Connections
      ◦ Create Remote Thread
      ◦ Raw Access Read
      ◦ DNS Query
      ◦ WMI Events


Student Requirements:

This class requires basic knowledge of the Windows operating system in an Active Directory environment and how to read Windows event logs.


Who Should Take This Course:

This class is designed for the defender who is just getting started with using the Sysinternals Sysmon tool for collecting additional information to aid in the hunt and detection of abuse of Windows environments.


Hardware Requirements:

  • Internet connection
  • Web browser to access student lab
  • Web camera
  • Headphones and microphone


Pricing:
Register before May 1st – $1,250
Register on or after May 1st – $1,500

*Contact us for military discount and group pricing (3 or more students)