Garuda Threat Hunting Framework

Presented at DEF CON 33 (2025), Aug. 9, 2025, 4 p.m. (45 minutes).

The rapid growth of cyber threats has made endpoint logging a critical component of modern security operations. Defenders increasingly rely on endpoint telemetry such as Sysmon logs to detect and investigate breaches. These logs capture crucial forensic evidence, but the sheer volume and complexity of Sysmon logs often overwhelm analysts and hinder timely and effective analysis. Garuda is an open-source PowerShell framework designed to address this challenge by providing a unified, flexible, and efficient approach to endpoint detection and response using Sysmon events. With advanced filtering capabilities, cross-event correlation, multiple contextual views, precise time-based noise reduction, and support for both remote and offline (EVTX) analysis, Garuda enables security teams to quickly uncover attack chains, investigate incidents, develop detection logic, and perform in-depth malware analysis, all within a single, scriptable environment. Its extensible nature allows it to be used for various scenarios, including threat hunting, investigation, anomaly detection, detection engineering, and malware analysis. Garuda can accelerate investigations, improve detection, and provide deep visibility into endpoint activity.
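To make the abstract's three building blocks concrete (offline EVTX analysis, time-based filtering, and cross-event correlation), the following is an added PowerShell example written for this page; it is not Garuda's code and does not use Garuda's API. It reads a Sysmon EVTX export, keeps only ProcessCreate (Event ID 1) and NetworkConnect (Event ID 3) records inside a time window, and joins each network connection back to the process that made it via the Sysmon ProcessGuid field. The file path and time window are constructed placeholders.

```powershell
# Added example, not part of Garuda: correlate Sysmon ProcessCreate (ID 1)
# with NetworkConnect (ID 3) from an offline EVTX file inside a time window.
param(
    [string]$EvtxPath = 'C:\cases\sysmon-export.evtx',  # assumed path, replace as needed
    [datetime]$Start  = (Get-Date).AddHours(-2),        # constructed window start
    [datetime]$End    = (Get-Date)                      # constructed window end
)

# Time-based noise reduction happens at the query: only the two event IDs we
# need, and only records inside the window, are pulled from the offline file.
$events = Get-WinEvent -FilterHashtable @{
    Path      = $EvtxPath
    Id        = 1, 3
    StartTime = $Start
    EndTime   = $End
} -ErrorAction Stop

# Flatten a Sysmon event's EventData XML into an object keyed by field name
# (Image, CommandLine, ProcessGuid, DestinationIp, ...).
function ConvertTo-SysmonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{ EventId = $Event.Id; TimeCreated = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]$data
}

$records = $events | ForEach-Object { ConvertTo-SysmonRecord $_ }

# Index process creations by ProcessGuid: Sysmon assigns it per process and it
# is stable across event types, unlike a PID, which Windows reuses.
$procs = @{}
$records | Where-Object EventId -eq 1 | ForEach-Object { $procs[$_.ProcessGuid] = $_ }

# Cross-event correlation: enrich each network connection with the creating
# process's command line and parent, when its ProcessCreate fell in the window.
$records | Where-Object EventId -eq 3 | ForEach-Object {
    $p = $procs[$_.ProcessGuid]
    $cmd    = if ($p) { $p.CommandLine } else { '<ProcessCreate outside window>' }
    $parent = if ($p) { $p.ParentImage } else { $null }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Image       = $_.Image
        ParentImage = $parent
        CommandLine = $cmd
        Destination = "$($_.DestinationIp):$($_.DestinationPort)"
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Connections whose creating process was started before the window are reported with a placeholder rather than dropped, which is the usual trade-off when filtering by time: narrowing the window cuts noise but can sever a correlation, so widen `-Start` when a hit has no matching ProcessCreate. For live hosts the same query works by replacing the `Path` key with `LogName = 'Microsoft-Windows-Sysmon/Operational'` and adding `-ComputerName`.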

Presenters:

  • Monnappa "Monnappa22" K A - Co-Founder at Cysinfo
    Monnappa K A is a Security professional with over 17 years of experience in incident response and investigation. He previously worked for Microsoft & Cisco as a threat hunter, mainly focusing on threat hunting, investigation, and research of advanced cyber attacks. He is the author of the best-selling book "Learning Malware Analysis." He is a review board member for Black Hat Asia, Black Hat USA, and Black Hat Europe. He is the creator of the Limon Linux sandbox and the winner of the Volatility Plugin Contest 2016. He co-founded the cybersecurity research community "Cysinfo" (https://www.cysinfo.com). He has conducted training sessions on malware analysis, reverse engineering, and memory forensics at Black Hat Asia, Black Hat USA, Black Hat Europe, Black Hat SecTor, Black Hat Middle East, Black Hat Spring, BruCON, HITB, FIRST, SEC-T, OPCDE, and 4SICS-SCADA/ICS cybersecurity summit. He has presented at various security conferences, including Black Hat, FIRST, SEC-T, 4SICS-SCADA/ICS summit, DSCI, National Cyber Defence Summit, and Cysinfo meetings on various topics related to memory forensics, malware analysis, reverse engineering, and rootkit analysis. He has also authored various articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community on his YouTube channel (http://www.youtube.com/c/MonnappaKA), and you can read his blog posts at https://cysinfo.com.
  • Sajan Shetty
    Sajan Shetty is a Cyber Security enthusiast. He is an active member of Cysinfo, an open Cyber Security Community (https://www.cysinfo.com) committed to educating, empowering, inspiring, and equipping cybersecurity professionals and students to better fight and defend against cyber threats. He has conducted training sessions at Black Hat Asia, Black Hat USA, Black Hat Europe, Black Hat SecTor, Black Hat Middle East, Black Hat Spring, BruCON, HITB, and his primary fields of interest include machine learning, malware analysis, and memory forensics. He has various certifications in machine learning and is passionate about applying machine learning techniques to solve cybersecurity problems.
