Unit 42's Andrew Rathbun on the Sysmon Configuration Mistake Enterprises Are Making

Show notes: 

Andrew Rathbun, Senior Consultant at Palo Alto Networks' Unit 42, has spent years tearing apart Windows endpoints across ransomware, APT, insider threat, and DPRK IT worker cases. His read on the state of enterprise Windows logging is blunt: most organizations have spent significant money on detection tooling while leaving the native forensic record so truncated that proving an intrusion timeline is nearly impossible. He introduces the "conveyor belt of volatility" as a forensic lens: every second, events fall off the back end of your log, and the default sizes Microsoft ships are a relic of 2002 disk economics. Accepting those defaults in a contemporary environment isn't a configuration oversight; it's a gift to the attacker.

The conversation goes deep on the four artifacts Andrew calls his sysadmin Christmas list: Sysmon, the Security Event Log, Volume Shadow Copies, and the $J USN Journal, and why each is typically either absent, stale, or undersized when he arrives on a case. He also covers what DPRK IT worker cases look like from the endpoint, why EDR alert queues are generating true positives that go ignored for days, and how he actually uses AI on cases, including a specific example of generating a PowerShell script to convert Linux audit log epoch timestamps to human-readable time, a script he's been running in production for years.

Topics discussed:

  • The "conveyor belt of volatility" framework for understanding Windows event log retention
  • Why accepting default log sizes actively shortens the forensic timeline available during incident response
  • Why Sysmon's inclusion in Windows 11 is long overdue, and how stale installations with outdated event IDs are a common unforced error in enterprise environments
  • How volume shadow copies can extend forensic visibility across months of attacker activity
  • The $J USN Journal as a file system ledger for every file creation, deletion, rename, and size change on a Windows partition
  • Why EDR is a mandatory but insufficient control, including how alert fatigue causes true positives to be miscategorized as false positives
  • What DPRK fake IT worker cases look like from the endpoint, including the forensic value of USB artifact timestamps
  • How AI functions as a genuine force multiplier in DFIR while remaining unreliable as a source of authoritative forensic ground truth
  • Why GitHub fluency, not tool mastery, is the foundational skill for anyone entering digital forensics

Key Takeaways: 

  • Size the Windows Security event log to at least 1 GB. At the default 32 MB, logon events (4624/4625) roll off fast enough that authentication history from the week before your incident is already gone.
  • Deploy Sysmon and keep it current. Treat version currency as a security control.
  • Size the $J USN Journal appropriately on all Windows partitions. It's a file system ledger of every create, delete, rename, and resize.
  • Enable volume shadow copies and treat retention depth as a forensic asset.
  • Alert on Security event ID 1102 and System event ID 104. They record clearing of the Security log and of the other event logs respectively.
  • Audit EDR queues for true positives closed as false positives.
  • Baseline USB artifact timestamps and KVM device registry entries on remote worker endpoints.
  • Use AI to parse unfamiliar log syntax and generate one-off scripts — not as forensic ground truth.
  • Don't assume EDR coverage eliminates the need for native Windows logging. They capture different visibility layers.
  • Build GitHub fluency as a foundational DFIR skill.
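A read-only audit of the four artifacts above plus the two log-clearing event IDs, written as an added PowerShell example for this list (not code from the episode or from Unit 42). Only the 1 GB Security log figure comes from the takeaways; the USN journal target, the shadow copy minimum and the allocation-delta ratio are assumptions to adjust to your own baseline.

```powershell
# Added example, not from the episode: read-only audit of the four artifacts in the
# Key Takeaways plus the two log-clearing event IDs. Run in an elevated PowerShell session.
$SecurityLogTarget = 1GB   # stated in the takeaways
$UsnJournalTarget  = 2GB   # assumed; the episode says "appropriately" without a number
$ShadowCopyMinimum = 3     # assumed baseline
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Security event log size: the default rolls 4624/4625 logon history off within days
$sec = Get-WinEvent -ListLog Security
if ($sec.MaximumSizeInBytes -lt $SecurityLogTarget) {
    $mb = [math]::Round($sec.MaximumSizeInBytes / 1MB)
    $findings.Add("Security log max is $mb MB; raise it with: wevtutil sl Security /ms:$SecurityLogTarget")
}

# 2. Sysmon present, running, and which version (service is named Sysmon or Sysmon64)
$svc = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $svc) {
    $findings.Add('Sysmon service not installed')
} else {
    $exe = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").PathName.Trim('"')
    $ver = (Get-Item $exe).VersionInfo.ProductVersion
    if ($svc.Status -ne 'Running') { $findings.Add("Sysmon $ver installed but $($svc.Status)") }
    else { Write-Host "Sysmon $ver running; compare against the current Sysinternals release" }
}

# 3. $J USN Journal size on every NTFS volume; fsutil prints 'Maximum Size : 0x...'
foreach ($vol in Get-Volume | Where-Object { $_.FileSystem -eq 'NTFS' -and $_.DriveLetter -match '[A-Z]' }) {
    $drive = "$($vol.DriveLetter):"
    $out = (fsutil usn queryjournal $drive 2>&1) | Out-String
    if ($out -match 'Maximum Size\s*:\s*0x([0-9a-fA-F]+)') {
        $max = [Convert]::ToInt64($Matches[1], 16)
        if ($max -lt $UsnJournalTarget) {
            $delta = [int64]($UsnJournalTarget / 8)   # allocation delta; 1/8 of max is an assumed ratio
            $findings.Add("USN journal on $drive is $([math]::Round($max / 1MB)) MB; resize with: fsutil usn createjournal m=$UsnJournalTarget a=$delta $drive")
        }
    } else { $findings.Add("No USN journal found on $drive") }
}

# 4. Volume Shadow Copies: each one is a point-in-time copy of the file system
$shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -lt $ShadowCopyMinimum) { $findings.Add("Only $($shadows.Count) shadow copies present") }

# 5. Log clearing already recorded: Security 1102 and System 104
foreach ($q in @(@{LogName='Security'; Id=1102}, @{LogName='System'; Id=104})) {
    Get-WinEvent -FilterHashtable $q -MaxEvents 5 -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("$($q.LogName) $($q.Id): log cleared at $($_.TimeCreated)") }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No gaps found' }
```

The script only reports; the `wevtutil` and `fsutil usn createjournal` commands it prints are the ones to run deliberately once the targets are agreed, since recreating the USN journal discards the existing $J history.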
