Attack Tactics 7: The logs you are looking for
HTML-код
- Опубликовано: 30 июл 2024
- Join us in the Black Hills InfoSec Discord server here: / discord to keep the security conversation going!
Reach out to Black Hills Infosec if you need pentesting, threat hunting, ACTIVE SOC, incident response, or blue team services -- www.blackhillsinfosec.com/
00:00 - Preshow Anouncements
06:03 - Introduction and background, JPCert, integration of pen testers, forensics, and defense, questions for business managers
12:37 - How Attack Tactics is trying to bridge the three disciplines, proper settings for command line logging, enabling power shell logging
22:23 - Generating events and finding them with Invoke-expression, Group Policy configurations, and answering questions about system configurations
30:17 - Exchange logging, Sysmon installation, usage, and results, LSASS Dump, Deep Blue CLI, and Logon Tracer
43:26 - Q&A and Closing Thoughts
Description: So we went through an attack in the BHIS Webcast, "Attack Tactics 5! Zero to Hero Attack." Then we went through the defenses in a follow-up webcast, "Attack Tactics 6! Return of the Blue Team," and now we need to have a talk about logs.
Here is the deal, most of the default logging settings for IIS, Exchange, Active Directory and the workstations would have missed the entire attack.
So, let's fix that.
In this webcast we will be walking through some configuration changes required in order to detect attacks. We will also show you exactly what those logs will produce when configured properly.
Finally, we show you tools like LogonTracer, DeepBlueCLI and some cool basic PowerShell to pull out important information from these logs.
- John
Slides for this webcast can be found here: www.blackhillsinfosec.com/wp-...
Black Hills Infosec Socials
Twitter: / bhinfosecurity
Mastodon: infosec.exchange/@blackhillsi...
LinkedIn: / antisyphon-training
Discord: / discord
Black Hills Infosec Shirts & Hoodies
spearphish-general-store.mysh...
Black Hills Infosec Services
Active SOC: www.blackhillsinfosec.com/ser...
Penetration Testing: www.blackhillsinfosec.com/ser...
Incident Response: www.blackhillsinfosec.com/ser...
Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: www.backdoorsandbreaches.com/
Play B&B Online: play.backdoorsandbreaches.com/
Antisyphon Training
Pay What You Can: www.antisyphontraining.com/pa...
Live Training: www.antisyphontraining.com/co...
On Demand Training: www.antisyphontraining.com/on...
Educational Infosec Content
Black Hills Infosec Blogs: www.blackhillsinfosec.com/blog/
Wild West Hackin' Fest RUclips: / wildwesthackinfest
Active Countermeasures RUclips: / activecountermeasures
Antisyphon Training RUclips: / antisyphontraining
Join us at the annual information security conference in Deadwood, SD (in-person and virtually) - Wild West Hackin' Fest: wildwesthackinfest.com/
#bhis #infosec Наука
aaah im getting hooked on this stuff. what an awesome field.
Pushing those relevant events to Elastic using winlogbeat is good and if you don't want agents on all of your machines you could send the events to an event collector and then use winlogbeat to ship them off to Elastic. I've been toying around with using kansa modules and powerforensics scripts on a scheduled task and using Filebeat to ship off the output to Elastic.
amazing content! good job! (Y)
Sysmon is also "yet another agent". From a MSSP point of view where you don't have much leverage on how the customer runs his network, it's hard to get deployed.
GPO is better in respect of that. However, many orgs don't even know how to use GPOs. Even the Sysadmins. Which is a new set of problems. ;)
It's not easy.
where can I purchase backdoor and breaches?
Hi there, is it possible to get the logs from "Attack Tactics 5"?
Could you use Sysmon event id 10 to see weird processes trying to access lsass to catch it being dumped? This is a sample Splunk query: "EventCode=10 | where (GrantedAccess="0x1010" AND TargetImage LIKE "%lsass.exe")"
GrantedAccess depends on version
ruclips.net/video/9pwMCHlNma4/видео.html
Hi everyone,
I'm a cyber noob and I am trying all of John's labs however, I don't think I am grasping something with how deepblue cli works. The results seem to be based information from another system (presumably Eric's system used for testing). Therefore, i am asking if anyone could advise how to use it to assess my system? Thanks if anyone responds...
The DeepBlueCLI tool reads event logs and has several different options.
Basically:
Read local security log
-or-
Read evtx log file
Output analysis in powershell terminal.
Everything you need (except the log files, though there are samples) is out here: github.com/sans-blue-team/DeepBlueCLI
Best Regards,
-Jordan Drysdale | BHIS