Back to BlogUnveiling the Power of Sysmon: A Deep Dive into Threat Hunting
We’re excited to share an in-depth discussion on Sysmon and threat hunting between Blumira’s Lead Incident Detection Engineer Amanda Berlin and security influencer Tom Lawrence.
Amanda presented to Tom’s audience on how Sysmon transforms an organization’s ability to detect threats by capturing detailed Windows event logs. She walked through real-world attack examples, explaining how certain malicious behaviors can slip past traditional SIEMs but get flagged by Sysmon’s advanced logging.
Tom and Amanda also dove into threat hunting tradecraft like leveraging anomaly detection and adversary emulation frameworks. Amanda shared how Blumira uses these techniques to continuously improve detections mapped to the MITRE ATT&CK framework.
With Amanda’s insight into Blumira’s security research process and Tom’s perspective as an end user, this conversation offers valuable lessons for any IT team looking to enhance their security stack.
A few key takeaways:
- The importance of visibility: Sysmon logs provide crucial visibility into Windows hosts, equipping overstretched IT teams to catch attacks they’d otherwise miss.
- Living off the land techniques: Modern attacks use built-in OS tools to fly under the radar. Sysmon exposes this covert activity.
- Testing detections: Adversary emulation frameworks like Atomic Red Team allow you to test detections against real-world MITRE techniques.
- Anomaly detection: Baselining normal behavior helps surface suspicious outliers that may be malicious.
We highly recommend checking out the full video above! Amanda and Tom covered a ton of ground, from specific techniques to high-level strategies for improving threat detection. It’s a great watch for insights on Advanced Logging, MITRE ATT&CK Framework, and key strategies for IT Directors.