<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Analyzing Sysmon From Backdoored UltraVNC Malware - HTB Sherlocks - Unit42</title>
        <link>https://stream.echo6.co/videos/watch/105adbf5-c4ea-4e1c-82fc-1d3900b6ccfd</link>
        <description>00:00 - Introduction
01:00 - Going over the Unit42 research that was posted to GitHub
02:30 - Downloading Chainsaw, which is what we will use to parse the event log
03:20 - Running the hunt operation with Chainsaw and the default Sigma rules to see some suspicious events quickly
05:45 - Using the search functionality to filter events by the process GUID and show what the suspicious file did
12:55 - Question 1: How many Event ID 11s are there; counting each Event ID
16:00 - Adding each Sysmon event name into our CSV file
19:45 - Question 2: Identifying the malicious process; showing all process creation events and looking at what it does
21:00 - Question 3: Finding out how the malware was downloaded by looking at DNS events and which process made them
24:23 - Question 4: Searching for file time-stomping events to see that the create time was set to an older time
25:45 - Question 5: Finding events related to once.cmd and seeing what created it
28:30 - Question 6: Looking at the malware's DNS queries to see the domain it uses to check whether it has an internet connection
29:15 - Question 7: Searching network connections from the malware to see where it reached out to
29:45 - Question 8: Seeing where the process terminated itself
31:10 - Doing some bash-fu to see all the Sysmon RuleNames a process triggered, to get a high-level understanding</description>
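The chapter list above walks one procedure over a Sysmon log: count events per Event ID, attach the Sysmon event name to each row, filter by a process GUID, spot time-stomping (Event ID 2 where the new creation time predates the previous one), and list the RuleNames a process triggered. The following is an added example written for this feed entry, not code from the video, from Chainsaw, or from the Unit42 repository. It assumes the log has already been exported to one flat JSON object per event (EventID plus the Sysmon EventData fields at top level); real EVTX-to-JSON exports nest these under System and EventData, so load_events() must be adapted to your exporter. All GUIDs, paths, domains, addresses and RuleName strings in SAMPLE_EVENTS are constructed and hypothetical.

```python
import csv
import io
import json
from collections import Counter
from datetime import datetime

# Sysmon Event ID to event name, per the Sysmon event schema (subset).
SYSMON_EVENT_NAMES = {
    1: "ProcessCreate", 2: "FileCreateTime", 3: "NetworkConnect",
    5: "ProcessTerminate", 7: "ImageLoad", 8: "CreateRemoteThread",
    10: "ProcessAccess", 11: "FileCreate", 12: "RegistryEvent",
    13: "RegistryEvent", 17: "PipeEvent", 22: "DNSEvent", 23: "FileDelete",
}

# Constructed, hypothetical sample data (not from the Sherlock).
BROWSER_GUID = "{bbbbbbbb-0000-1111-2222-333333333333}"
MALWARE_GUID = "{aaaaaaaa-0000-1111-2222-333333333333}"
BROWSER = r"C:\Program Files\Browser\browser.exe"
MALWARE = r"C:\Users\alice\Downloads\setup.exe"


def ev(event_id, utc_time, guid, image, rule="-", **extra):
    """Build one flat Sysmon-style record (layout is an assumption, see lead-in)."""
    rec = {"EventID": event_id, "UtcTime": utc_time, "ProcessGuid": guid,
           "Image": image, "RuleName": rule}
    rec.update(extra)
    return rec


SAMPLE_EVENTS = [
    ev(1, "2024-02-14 10:04:50.000", BROWSER_GUID, BROWSER),
    ev(22, "2024-02-14 10:04:55.000", BROWSER_GUID, BROWSER, QueryName="downloads.example.com"),
    ev(11, "2024-02-14 10:04:58.000", BROWSER_GUID, BROWSER,
       "technique_id=T1105,technique_name=Ingress Tool Transfer", TargetFilename=MALWARE),
    ev(1, "2024-02-14 10:05:01.000", MALWARE_GUID, MALWARE, ParentImage=BROWSER),
    ev(2, "2024-02-14 10:05:02.000", MALWARE_GUID, MALWARE,
       "technique_id=T1070.006,technique_name=Timestomp",
       TargetFilename=r"C:\Users\alice\AppData\Local\Temp\payload.dll",
       CreationUtcTime="2009-07-14 00:39:00.000",
       PreviousCreationUtcTime="2024-02-14 10:05:02.000"),
    ev(11, "2024-02-14 10:05:03.000", MALWARE_GUID, MALWARE,
       TargetFilename=r"C:\Users\alice\AppData\Local\Temp\once.cmd"),
    ev(22, "2024-02-14 10:05:04.000", MALWARE_GUID, MALWARE, QueryName="www.example.com"),
    ev(3, "2024-02-14 10:05:05.000", MALWARE_GUID, MALWARE,
       "technique_id=T1071,technique_name=Application Layer Protocol",
       DestinationIp="203.0.113.10", DestinationPort=443),
    ev(5, "2024-02-14 10:05:09.000", MALWARE_GUID, MALWARE),
]


def load_events(path):
    """Read a JSON-lines export: one flat event object per line."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def event_name(event_id):
    return SYSMON_EVENT_NAMES.get(int(event_id), f"Unknown({event_id})")


def count_event_ids(events):
    """Question 1 style tally: how many records of each Event ID."""
    return dict(Counter(int(e["EventID"]) for e in events))


def events_for_guid(events, guid):
    """Everything one process did, keyed on its Sysmon ProcessGuid."""
    return [e for e in events if e.get("ProcessGuid") == guid]


def find_timestomping(events):
    """Event ID 2 records where the new creation time is older than the previous one."""
    fmt = "%Y-%m-%d %H:%M:%S.%f"
    hits = []
    for e in events:
        if int(e["EventID"]) != 2:
            continue
        new_ts = datetime.strptime(e["CreationUtcTime"], fmt)
        old_ts = datetime.strptime(e["PreviousCreationUtcTime"], fmt)
        if old_ts > new_ts:
            hits.append(e)
    return hits


def rule_names_for_guid(events, guid):
    """Distinct Sysmon config RuleNames a process triggered ("-" means no rule)."""
    names = {e.get("RuleName", "-") for e in events_for_guid(events, guid)}
    names.discard("-")
    return sorted(names)


def to_csv_with_event_name(events):
    """CSV text with an EventName column added next to the numeric EventID."""
    fields = ["UtcTime", "EventID", "EventName", "ProcessGuid", "Image", "Detail"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for e in sorted(events, key=lambda r: r["UtcTime"]):
        detail = e.get("TargetFilename") or e.get("QueryName") or e.get("DestinationIp") or ""
        writer.writerow({"UtcTime": e["UtcTime"], "EventID": e["EventID"],
                         "EventName": event_name(e["EventID"]),
                         "ProcessGuid": e.get("ProcessGuid", ""),
                         "Image": e.get("Image", ""), "Detail": detail})
    return buf.getvalue()


if __name__ == "__main__":
    print(count_event_ids(SAMPLE_EVENTS))
    for hit in find_timestomping(SAMPLE_EVENTS):
        print("timestomp:", hit["Image"], "on", hit["TargetFilename"])
    print(rule_names_for_guid(SAMPLE_EVENTS, MALWARE_GUID))
    print(to_csv_with_event_name(events_for_guid(SAMPLE_EVENTS, MALWARE_GUID)))
```

The time-stomp check compares the two timestamps as datetimes rather than as strings, so it still holds if an exporter changes the precision; the RuleName listing deliberately drops the "-" placeholder Sysmon writes when no config rule matched, so what remains is the short technique-level summary the last chapter builds with bash.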
        <lastBuildDate>Wed, 15 Apr 2026 11:20:37 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>Analyzing Sysmon From Backdoored UltraVNC Malware - HTB Sherlocks - Unit42</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/105adbf5-c4ea-4e1c-82fc-1d3900b6ccfd</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=105adbf5-c4ea-4e1c-82fc-1d3900b6ccfd" rel="self" type="application/rss+xml"/>
    </channel>
</rss>