TWC: Sysinternals Primer: TechEd 2014 Edition


Description

The latest edition of the popular Sysinternals Primer series with Aaron Margosis, Mark Russinovich’s co-author of The Windows Sysinternals Administrator’s Reference. The Sysinternals utilities are vital tools for any computer professional on the Windows platform. Mark Russinovich's popular "Case Of The Unexplained" demonstrates some of their capabilities in advanced troubleshooting scenarios. This complementary tutorial series focuses primarily on the utilities themselves, deep-diving into as many features as time allows. Expect to see some advanced analysis, such as manipulating Procmon results with Windows PowerShell, and interesting/useful new features.


The Discussion

  • androidi

    It'd be an interesting improvement if Process Explorer could automatically use a low-level driver to create hashes from the executable sections of processes and submit those to VirusTotal, and, if unknown, then submit the executable sections, because why would the attacker drop anything on the disk if there's a hole on the server they can get back in with later? This needs to be done in a way that there is no way for the attacker to detect that this executable section hashing is being performed. This could be done by having the section hashing/capture run in the vPro/SMBIOS and have a direct connection from there to a network or storage device that is not visible to Windows, so that this auditing can be completely isolated. Process Explorer can then run on another computer or VM and connect to the low-level capturing to get a view of the processes and hashes that can't be manipulated, and the attacker won't be able to know they are running on the system.
