Advanced Windows Logging Finding What AV Missed
Video: http://youtube.com/watch?v=C2cgvpN44is
00:00 - Intro
01:00 - Explaining the HELK architecture
02:50 - Showing my VM's specs/build
03:50 - Installing HELK
05:40 - Poking around HELK's Logstash container to see how it works
08:40 - Examining HELK Elastalert to view Sigma rules
09:08 - The magic behind catching APT! (sorry, did it for the keywords)
11:58 - The SafetyKeyz Sigma rule, which could easily be avoided
12:58 - Start of Windows
13:20 - Building a Sysmon config with Sysmon-Modular
  https://github.com/olafhartong/sysmon...
17:20 - Enabling other logging
18:00 - Enabling command line logging with arguments
  Computer/Windows/SecuritySettings/SecurityOptions/Audit: Force Audit policy
  Computer/Windows/SecuritySettings/AdvancedAudit/DetailedTracking/AuditProcessCreate
  Computer/AdminTemplates/System/AuditProcessCreation
20:00 - Enabling PowerShell Module and Script Block Logging
  Computer/AdminTemplates/WindowsComponents/WindowsPowershell/
  Create Profile.ps1 in c:\windows\system32\WindowsPowerShell\v1.0
  Variables: $LogCommandHealth and $LogCommandLifeCycleEvent = $true
23:00 - Enabling Task Scheduler history/logging
23:25 - Downloading and installing WinLogBeat
  (If you have issues, try version 6.7 of WinLogBeat; 7 is now out and HELK is not ingesting it)
27:05 - Logging into HELK and start of searching the logs!
28:45 - Searching Process Create events (4688) and finding the commands we ran earlier
29:53 - Testing the PowerShell logging to detect downloading and executing a script
37:00 - Detecting mimikatz accessing LSASS
39:40 - Deep dive into Mimikatz to identify how it accesses LSASS.EXE to create a signature; what is the 0x1010 process grant?
44:30 - Showing the Process Creation stuff in real time
47:25 - Examining the Sysmon dashboard
48:00 - Viewing the Sigma rules and how to clean up noisy ones
  ** Really good blog post: https://posts.specterops.io/what-the-... **
50:00 - Deep dive into the Sigma rule setup
  python -m elastalert.elastalert --debug --rule
51:30 - Discovering the mistake in the Sigma to Elastalert conversion (realert:0)
52:00 - Debugging Elastalert rules