Busting Red Team Trends with Style - Building a Custom ETW-Based Sysmon Replacement

Explore a 33-minute conference talk from x33fcon that delves into the development of a custom ETW-based Sysmon replacement designed to fingerprint threat actors and red team techniques. Learn about the enhanced capabilities for monitoring (in)direct syscalls, sleepmasks, module proxying, and callstack spoofing. Discover how this custom solution maintains Sysmon compatibility while providing enriched event information and additional telemetry for more effective threat hunting. Understand the architecture used for collecting and correlating events from various ETW Providers at scale, including insights into RPC, callstack, and syscall monitoring. Gain valuable knowledge about identifying new IOCs generated by popular offensive tooling techniques and learn from the development challenges and solutions encountered during the project's implementation.