Everything Is Just Dandy!

Using Sysmon to Block Unwanted Files and Send Notifications to Slack via Scheduled Task Event Filter

IppSec
2022-09-26
https://www.youtube.com/watch?v=J9owPmgmfvo
00:00 – Intro
01:10 – Installing Sysmon and the configuration from Neo23x0’s Repo
02:00 – Explaining the file blocked section
04:00 – Viewing the Sysmon log to confirm it is installed and see its EventID 27
05:10 – Creating a Scheduled Task with Event Filter to trigger on Sysmon File Blocked Events
07:30 – Event didn't fire, turns out it is case sensitive
08:50 – Editing the Scheduled Task event by hand to add ValueQueries, which allows arguments to be sent from this Event Filter
11:30 – Testing the passing of variables by adding them to the message box
12:50 – Start of creating some PowerShell to send this message to Slack
16:30 – Have trouble getting arguments into the PowerShell script because of Base64 encoding, change up our script
23:10 – Showing a working copy of the PowerShell script that sends Slack messages
25:45 – Deploying our scheduled task through Group Policy
28:50 – Editing the scheduled task XML file from SYSVOL
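As an added example (not IppSec's script from the video), here is the shape of a PowerShell notification script that the event-triggered scheduled task could call with the EventID 27 fields passed through ValueQueries. The webhook URL, script path and task arguments in the comments are assumptions, and using `-File` with named parameters avoids the Base64 `-EncodedCommand` argument problem mentioned at 16:30.

```powershell
# Added example, not the script from the video: receives the Sysmon EventID 27
# (FileBlockExecutable) fields that the scheduled task's ValueQueries pass in,
# and posts a summary to a Slack incoming webhook.
# Assumed task <Arguments> (hypothetical path):
#   -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Notify-SysmonBlock.ps1
#   -TargetFilename "$(TargetFilename)" -Image "$(Image)" -User "$(User)" -Hashes "$(Hashes)"
# with matching ValueQueries in the trigger, e.g.
#   <Value name="TargetFilename">Event/EventData/Data[@Name='TargetFilename']</Value>
param(
    [Parameter(Mandatory = $true)][string]$TargetFilename,
    [Parameter(Mandatory = $true)][string]$Image,
    [string]$User   = 'unknown',
    [string]$Hashes = ''
)

# Placeholder: keep the real webhook URL somewhere only the task's account can read.
$WebhookUrl = 'https://hooks.slack.com/services/REPLACE/WITH/YOUR/WEBHOOK'
$ErrorLog   = Join-Path $env:ProgramData 'SysmonNotify\errors.log'   # assumed path

# Sysmon writes hashes as "SHA256=...,MD5=..."; extract just the SHA256 for the message.
$sha256 = 'n/a'
if ($Hashes -match 'SHA256=([0-9A-Fa-f]{64})') { $sha256 = $Matches[1] }

$message = @"
*Sysmon blocked an executable write* (EventID 27) on $env:COMPUTERNAME
- File:   $TargetFilename
- Writer: $Image
- User:   $User
- SHA256: $sha256
"@

# ConvertTo-Json escapes the backslashes and quotes in Windows paths, so the body stays valid JSON.
$payload = @{ text = $message } | ConvertTo-Json -Compress

try {
    Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json' -Body $payload | Out-Null
}
catch {
    # A blocked-file alert that never reaches Slack should still leave a local trace.
    New-Item -ItemType Directory -Path (Split-Path $ErrorLog) -Force | Out-Null
    Add-Content -Path $ErrorLog -Value ("{0:u} notify failed for {1}: {2}" -f (Get-Date), $TargetFilename, $_.Exception.Message)
}
```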