Analyzing Sysmon From Backdoored UltraVNC Malware - HTB Sherlocks - Unit42

00:00 - Introduction
01:00 - Going over the Unit42 Research that was posted to GitHub
02:30 - Downloading Chainsaw, which we will use to parse the Sysmon event log
03:20 - Running Chainsaw's hunt operation with the default Sigma rules to surface suspicious events quickly
05:45 - Using the search functionality to pull every event carrying the suspicious process's ProcessGuid, which shows what that file did
12:55 - Question 1: How many Event ID 11 (FileCreate) events are there; counting the events for each Event ID
16:00 - Adding each Sysmon event name to our CSV file
19:45 - Question 2: Identifying the malicious process by listing all process creation events (Event ID 1) and looking at what it does
21:00 - Question 3: Finding out how the malware was downloaded by looking at DNS events (Event ID 22) and which process made them
24:23 - Question 4: Searching for file creation time change events (Event ID 2, timestomping) to see that the creation time was set to an older date
25:45 - Question 5: Finding events related to once.cmd and seeing what created it
28:30 - Question 6: Looking at the malware's DNS queries to see the domain it uses to check whether it has an internet connection
29:15 - Question 7: Searching the malware's network connection events (Event ID 3) to see where it reached out to
29:45 - Question 8: Seeing where the process terminated itself (Event ID 5)
31:10 - Doing some bash-fu to list every Sysmon RuleName a process triggered, for a high-level understanding
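The triage the chapters above walk through (counting events per Sysmon Event ID and labelling them, pivoting on one ProcessGuid, flagging timestomping, and pulling a process's DNS, network, file-create and termination events together with the RuleNames it tripped) as an added Python example. This is not the video's commands and not the Sherlock's data: it assumes the JSON layout that `chainsaw search --json` emits for evtx files (`Event.System.EventID`, `Event.EventData.<Sysmon field>`), and every GUID, path, domain and IP in it is constructed.

```python
"""Sysmon triage over Chainsaw JSON output (added example; constructed data).

Assumes the layout `chainsaw search --json` emits for evtx files:
Event.System.EventID and Event.EventData.<Sysmon field>. Not the video's
commands; none of the GUIDs, paths, domain or IP below are real.
"""
import csv
import io
import json
from collections import Counter
from datetime import datetime

# Sysmon event ID -> schema name, the column the video adds to its CSV by hand.
SYSMON_EVENT_NAMES = {
    1: "ProcessCreate", 2: "FileCreateTime", 3: "NetworkConnect", 5: "ProcessTerminate",
    7: "ImageLoad", 10: "ProcessAccess", 11: "FileCreate", 12: "RegistryEvent",
    13: "RegistryEvent", 15: "FileCreateStreamHash", 17: "PipeCreate", 22: "DNSQuery",
    23: "FileDelete", 25: "ProcessTampering",
}
MAL_GUID = "{0a1b2c3d-0000-1111-2222-333333333333}"       # constructed
EXPLORER_GUID = "{0a1b2c3d-4444-5555-6666-777777777777}"  # constructed
MAL_IMAGE = r"C:\Users\alice\Downloads\setup.exe"         # constructed

def _ev(eid, utc_time, rule_name, **data):
    """Build one constructed record in Chainsaw's JSON shape."""
    data.update({"UtcTime": utc_time, "RuleName": rule_name})
    system = {"EventID": eid, "Provider_attributes": {"Name": "Microsoft-Windows-Sysmon"}}
    return {"Event": {"System": system, "EventData": data}}

SAMPLE_EVENTS = [  # one download, one malicious process, one bystander FileCreate
    _ev(11, "2024-01-15 09:58:00.000", "-", ProcessGuid=EXPLORER_GUID,
        Image=r"C:\Windows\explorer.exe", TargetFilename=MAL_IMAGE),
    _ev(1, "2024-01-15 10:00:00.000", "-", ProcessGuid=MAL_GUID, Image=MAL_IMAGE,
        ParentImage=r"C:\Windows\explorer.exe"),
    _ev(22, "2024-01-15 10:00:01.000", "-", ProcessGuid=MAL_GUID, Image=MAL_IMAGE,
        QueryName="www.example.com"),                        # connectivity check
    _ev(3, "2024-01-15 10:00:02.000", "Usermode", ProcessGuid=MAL_GUID, Image=MAL_IMAGE,
        DestinationIp="203.0.113.10", DestinationPort="443"),
    _ev(11, "2024-01-15 10:00:03.000", "-", ProcessGuid=MAL_GUID, Image=MAL_IMAGE,
        TargetFilename=r"C:\Users\alice\AppData\Local\Temp\once.cmd"),
    _ev(2, "2024-01-15 10:00:04.000", "T1070.006", ProcessGuid=MAL_GUID, Image=MAL_IMAGE,
        TargetFilename=r"C:\Users\alice\AppData\Local\Temp\helper.exe",
        PreviousCreationUtcTime="2024-01-15 10:00:03.500",
        CreationUtcTime="2019-03-01 00:00:00.000"),          # set back five years
    _ev(5, "2024-01-15 10:00:05.000", "-", ProcessGuid=MAL_GUID, Image=MAL_IMAGE),
]

def event_id(ev):
    """EventID is a bare int for Sysmon; tolerate the {"#text": n} wrapping too."""
    raw = ev["Event"]["System"]["EventID"]
    return int(raw["#text"] if isinstance(raw, dict) else raw)

def count_by_event_id(events):
    """Question 1: how many events of each Sysmon Event ID."""
    return Counter(event_id(e) for e in events)

def event_id_csv(events):
    """The counts as CSV, with the Sysmon name column filled in."""
    buf = io.StringIO()
    out = csv.writer(buf, lineterminator="\n")
    out.writerow(["EventID", "Name", "Count"])
    for eid, n in sorted(count_by_event_id(events).items()):
        out.writerow([eid, SYSMON_EVENT_NAMES.get(eid, "Unknown"), n])
    return buf.getvalue()

def events_for_guid(events, guid):
    """Pivot on ProcessGuid, oldest first: everything one process did."""
    mine = [e for e in events if e["Event"]["EventData"].get("ProcessGuid") == guid]
    return sorted(mine, key=lambda e: e["Event"]["EventData"]["UtcTime"])

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")

def timestomped_files(events):
    """Event ID 2 records whose new creation time is older than the previous one."""
    hits = []
    for d in (e["Event"]["EventData"] for e in events if event_id(e) == 2):
        if _ts(d["CreationUtcTime"]) < _ts(d["PreviousCreationUtcTime"]):
            hits.append(d["TargetFilename"])
    return hits

def summarize_process(events, guid):
    """DNS, network, file, timestomp and exit activity plus every RuleName hit."""
    s = {"dns": [], "net": [], "files": [], "timestomp": [], "terminated": False}
    rule_names = set()
    for e in events_for_guid(events, guid):
        eid, d = event_id(e), e["Event"]["EventData"]
        rule_names.add(d.get("RuleName", "-"))
        if eid == 22:
            s["dns"].append(d["QueryName"])
        elif eid == 3:
            s["net"].append(f"{d['DestinationIp']}:{d['DestinationPort']}")
        elif eid == 11:
            s["files"].append(d["TargetFilename"])
        elif eid == 2:
            s["timestomp"].append(d["TargetFilename"])
        elif eid == 5:
            s["terminated"] = True
    s["rule_names"] = sorted(rule_names)
    return s

if __name__ == "__main__":  # swap SAMPLE_EVENTS for json.load(open(path)) on real Chainsaw output
    print(event_id_csv(SAMPLE_EVENTS))
    print(json.dumps(summarize_process(SAMPLE_EVENTS, MAL_GUID), indent=2))
    print("timestomped:", timestomped_files(SAMPLE_EVENTS))
```

Run as-is it prints the per-ID CSV for the constructed sample and the malicious process's summary; on a real export, pass the array Chainsaw wrote instead of `SAMPLE_EVENTS` and the GUID you found in the Event ID 1 record. The timestomp check compares `CreationUtcTime` against `PreviousCreationUtcTime` rather than just listing Event ID 2 records, because legitimate installers also rewrite creation times; a value set into the past is the signal the video's Question 4 is after. The sorted `rule_names` list is the same view as the bash one-liner in the last chapter.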
