6 of 52

#1 Most Important Prereq

Become acquainted/friends with your system & windows admins as well as….HELPDESK and even HR! Because they are:

The ones who can push Windows EID policies/GPOs
The first line of defense
The ones who will help you swiftly deconflict suspicious activity
The ones who will help you respond, mitigate, and eliminate threats
The ones who know the AD groups and which devices contain specific things you want to log / not log�Some EIDs you only want enabled on specific devices and or with specific software. Although you could use WMI queries in the GPOs.
Deconflict unknown account creation
Get access to your company's help desk ticketing system system. Can help with deconfliction and or tip compromise Example: I had random service installed and deconflicted with helpdesk ticket that a sysadmin was troubleshooting a hard drive
Insight into a user's department -- is it NOT normal for accounting to run .NET libraries?!

7 of 52

Answering Customer’s: “But what’s in it for me”

Windows EIDs can be used to benefit the other IT departments.

User lockouts & other authentication failures that make users angry -- EIDs: 4740, 4768, 4732, 4733, 4756,4757
Host baseline auditing -- EIDs: 4946-4948, 4957, 6145, and System EIDs for Windows Updates
I can’t access the network share -- maybe EID 5144 “A network share object was deleted”
This user keeps turning off their computer!? -- System EID 1074 or 6009
Computer is going to die a slow death -- System EID 7 or Application EIDs 1000-1002
You can limit CPU resources and even EPS sent

Come up with some more ideas!

8 of 52

Windows Event Forwarding

Windows provides a framework to centralize log collection (it’s free!)

Often referred to as WEF (Windows Event Forwarding) or WEC (Windows Event Collector)
Relies on Windows Remote Management (WINRM.EXE)
Windows Event Viewer (GUI) or wecutil + xml configuration

WEF Server

SIEM/Search

Group Policy

Windows Remote Management

Wecutil OR

Windows Event Viewer

Winlog eats�OR NXLog

9 of 52

Disclaimer

What we did may not fit your environment
Baseline your environment, test it, filter, test it again, repeat

10 of 52

Environments Collected From...

We monitor events from five environments

Mostly power users (ie: management network)
Mostly end users (ie: lots of helpdesk calls)
50/50 power and end users
Manually ran new techniques of interest
Cuckoo malware lab

We have installed windows event forwarding at 3 live sites and one laboratory. This means that we have configured windows event forwarding at these sites on all hosts (user pc’s and servers) to forward to a central location where we can analyze the logs. We’ve done this with at least 2 different SIEMS. The SIEM you are using will most likely be able to handle Windows Event Logs.

Nate and I have the opportunity to analyze events from 5 separate varying environments Some have developers, some are mostly clueless end users, we have one that is primary engineers and security personnel. Then we have a malware lab that allows us to run samples that we pull from various resources. The type of activity that occurs in each environment is always different, changing, and that allows us to continue to learn new things. Another great idea that everyone should have is an environment where they can run techniques that get published by researchers with all auditing enabled. So that you can see what types of logs are created or are not created.

One of the challenges we face is resources.

11 of 52

How many logs (EPS) are we talking about?

Highly depends on your environment and what kind of logging you have enabled on each machine.

DISA STIG (and some additional audit policy)

1.5 -> 3 EPS per host

Caution:

Enabling Powershell & Object Access on certain machines can send your EPS through the roof. However, Object Access & Powershell are very useful whitelist/aggregate!
Enabling Global Object Access Auditing (file system and registry) will fill your security event log in <�12 hours; if you don’t forward the logs, you will be sad.

Increase the size (500 Megabytes+), archive the logs

So in these three environments, we found that enabling the advanced audit policy required by DISA and some extra stuff (powershell) (which is in the resources section of this presentation) led to us receiving on average between 1.5 and 3 events per second per host. This could be completely different in your environment. Some software is very noisy (spawning alot of processes, relying on windows executables like nslookup to complete actions, etc) so you will probably see hosts that send a lot of noise, and others that are fairly quiet.

Being from the defense department, we took a look at the STIG and added to it (Task Schedule for instance). With the policy we use, we get 1.5 to 3 events per second per host. Before you go into the gpo and start enabling all log types, test. Test. test. Enabling too much will cause your event logs fill up very quickly. Specifically, object access can be dangerous. I enabled enable object access on my local machine and had 200 gigs of logs at the end of a work day. If you don’t want to blow up your sim you can look into configure the SACL of what you wish to monitor. So you may have no event logs for more than a few hours local on the box. In addition, increase the default event log size and archive. Make it as big as you feel comfortable. Face it, you may have to go back a few days or even longer during analysis and if you are missing those logs you might be sad. If you do run into those situations, don’t forget to check the drives shadow copies you may get lucky.

12 of 52

Events Per 2 Hours Per Channel (no filtering 600+ hosts)

1 dot = 2 hours

10AM

10PM

13 of 52

Description of our Cuckoo Malware Lab

How can we identify new and interesting things to review in windows logs

Execute malware in a sandbox with Windows Event Forwarding.
Compare the sandbox events against your environment, rinse, repeat.

-malshare

-virusshare

-malwr

-virustotal

-samples from friends

Cuckoo

ELK

Python scripts submit 500 unique samples/day

https://github.com/cuckoosandbox/cuckoo

Host Configured with WEF�+ Special Sauce To Tag Cuckoo Submission ID to each Windows Event

https://github.com/elastic/elasticsearch�Elastic -- dynamic field generation & free.�2,000 keys/fields and counting

@skier_t

Cuckoo Slide:

To help us identify & gauge Windows events worth monitoring, we made use of an existing laboratory that I built in the Fall. The idea is pretty simple, and that is to run as much malware as possible and to correlate event logs with each sample.

To automatically execute malware we made use of somewhat-customized Cuckoo installation, which is an open source malware sandbox. Cuckoo itself is really just the backend, you have to do a lot of customization of the host, for instance enabling some of the advanced audit policy settings in Windows.

The most important customization that we made to cuckoo itself was making it possible to tag the Cuckoo Submission ID on each windows event. This way, when we see an interesting windows event, we can go back and view the sample. Some samples are (almost) easily classified by the event's they create (such as disabling volume shadow for Ransomware).

Anyway, if you enable ~almost~ everything that Windows Audit Policy has to offer and you are running ~500 samples per day, you will run into the issue of having an enormous amount of noise-to-signal. And to help us solve that issue, we took advantage of Nate's elastic search instance. Elasticsearch allows us to quickly parse through thousands of events very quickly.

On the Cuckoo host that is executing malware, there is an agent forwarding all windows logs to elastic.

14 of 52

Alerting vs. Exploring

Some Windows Events can become automated alerts, however overall we’ve had more success “exploring” than alerting.

Aggregations & Comparison (least common, today vs. same day last week)
Good queries for exploring the data involve questions like:

What commands were run by system admins, domain admins today.
What non-power users are running System32 commands (ie: cmd, nslookup, xcopy, etc…) or powershell.. and what did they run?
Did anyone open file with the words “account”, “pass”, “paswd”, “creds”.. Etc
Did SYSTEM run whoami?

You will learn a lot about Windows very quickly, you will understand normal (“your baseline”) quickly and be able to identify new anomalous things.
We use windows, the adversary must also use Windows….
These are not %100 confidence ie: not an IOC or file signature.

In a world of signature-based detection, we rely almost entirely on rules that someone else has built. For the most part, these rules are easily circumvented. The problem being that the signature creators are looking for a high true positive rate. With each rule there is non-zero chance that you might accidentally break someone's software.

Although signatures can be very helpful at stopping an attack, we should have secondary data sources to explore and discover our own environment.

Certain Windows Events can be very eye opening about what is happening in your environment. For instance, event id 4688 will show you what processes are executing and what their command line arguments look like. Once you centralize your logs, running queries like "aggregate all processes executed by users with the DA naming convention" becomes easy. Often malware will copy itself into the user's AppData directory, so running a query such as "Show me all the processes executed from user's Desktop, Downloads, or AppData directories" would be useful.

After a week or so of looking through these aggregation commands, you start to become pretty familiar with what normal looks like in your environment. With the data at your fingertips, identifying the cause of anomalies becomes easier as well.

15 of 52

WTHeck do I do with what I found!?

An easy mistake to make while you are exploring the data is to discover an anomaly and escalate before doing some historical searches / sanity checks.

Pull for the last several days/weeks to see if the anomaly might have occurred in the past

Host = “myhost” username = “SYSTEM” Process contains “nslookup”

Track activity around the time of the event (user account & host)

Maybe you will see sethc.exe executed before whoami
Maybe you will see a new service creation
This information will prove valuable when you ask the system owner / admin about the anomaly.

Gather as much context as you can before reaching out to Admins/Users/Devs.

In an environment where the analysts are used to responding to signature based Nate implemented Windows Event Monitoring. I was around to assist with response.

One of the things that we both took away immediately, was that analysts responded to anomalies in Windows Event Logs as if they were a 10/10 signal from Anti-Virus. Escalating the issue without doing proper analysis of the event, event though they had access to client data that would have helped them put the event into context.

So, my advice for anyone who is getting started with Windows events are to answer the following questions before you escalate:

1) Is a user attributed to the event?

2) What else happened around the time of the anomaly, Especially just before the event. (Newly created processes?)

3) In the timeframe of 1-2 weeks, has a similar event occurred? Is this the first time the event occurred?

4) Finally with this information in hand, reach out to the system administrator/users for the event and ask them if they were performing any sort of maintenance during the timeframe (installing new software, adding new users, etc).

Asking these questions will frame the event.

16 of 52

Keep in Mind: Logs Can Be Fragile

Subscriptions can be disabled, auditing can be disabled

Permissions changes
Removed subscriptions
Remove accounts
Monitor event IDs related to subscriptions / auditing:

1100, Object Access Events 4661

Microsoft-Windows-Forwarding/Operational error codes especially 102

Auditing can break

521(commonly created with disk is full)

Source logs can be altered

Deleted, replaced, corrupted
Unusual access to files in C:/windows/system32/winevt

The time can change

You may want to use event receipt time vs the time generate by the system

Using Time Change EventIDs Security 4616 OR System 1

17 of 52

Anti-Forensics EID 1100 (also 1102 or System 104)

18 of 52

Stuff We Found

Event ID 4688 (Process Creation - Easy):

C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet (WannaCrypt/Wcrypt Ransomware)
C:\Windows\System32\cmd.exe" /c powershell -noprofile -executionpolicy bypass C:\Users\johnson\AppData\Local\Temp\t.ps1
C:\Windows\System32\cmd.exe /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
/a /c netsh advfirewall firewall add rule name="ZFVRU1hVYl1ZaAxx" dir=in action=allow program="C:\Users\johnson\AppData\Roaming\ZFVRU1~1\abgrcnq.exe"
attrib +S +H +R "C:\Users\johnson\AppData\Roaming\store.cmd"
C:\Windows\System32\schtasks.exe /Create /TN "Super Updater Schedule" /TR "\"C:\Program Files (x86)\Super Updater\SUTray.exe\" /SC ONLOGON /RL HIGHEST /F
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Users\johnson\AppData\Local\Temp\Zyklon.exe" okffzJPwIs ypNlzOJzaO

(Split up queries for system accounts by querying for activity associated with accounts ending with $)

https://github.com/arntsonl/calc_security_poc

19 of 52

Continued… enhance with “(reg OR regsvr OR msbuild OR netsh OR sdbinst.exe)” and much more!

20 of 52

C:\Windows\system32\CScript.exe C:\Users\johnson\AppData\Local\Temp\hi.vbs //e:vbscript //NOLOGO
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\johnson\Desktop\_HIWUC_README_.hta"
"C:\Windows\System32\wscript.exe" "C:\Users\johnson\AppData\Local\Temp\MultiDocumentPart.docx .vbs"
"C:\Windows\System32\wscript.exe" C:\Users\johnson\AppData\Local\Temp\11330.js
"C:\Windows\System32\wscript.exe" C:\Users\johnson\AppData\Local\Temp\2868681286282686t_____.vbs
"C:\Windows\System32\wscript.exe" C:\Users\johnson\AppData\Local\Temp\BronCoder.vbs
C:\Users\johnson\AppData\Local\Temp\Item-Delivery-Details-0000886209.doc.wsf
C:\Users\johnson\AppData\Local\Temp\Output-36926-632154-845851-652154-.js
"C:\Windows\System32\wscript.exe" C:\Users\johnson\AppData\Local\Temp\SCAN_1742.jse.js
C:\Users\johnson\AppData\Local\Temp\Undelivered-Package-000760617.doc.wsf
"C:\Windows\System32\wscript.exe" C:\Users\johnson\AppData\Local\Temp\__LCJC6Z9__.js
"C:\Windows\System32\wscript.exe" C:\Users\johnson\AppData\Local\Temp\countly.min_1_.js
"C:\Windows\System32\wscript.exe" C:\Users\johnson\AppData\Local\Temp\crrrrrryyyppptted.vbs
"C:\Windows\system32\mshta.exe" javascript:MRHYRb42y="G7";cZ83=new%20ActiveXObject("WScript.Shell");H8raUI="u5At";OrH6d=cZ83.RegRead("HKCU\\software\\qz9ZFQ2Os\\oYSaeziI");Hn6aTBg="3XUL";eval(OrH6d);FrjG8MyV="TrO1QQu";
"C:\Windows\system32\mshta.exe" javascript:UFK9u="VHaMD4";rb31=new%20ActiveXObject("WScript.Shell");x62YaXiVX="x";f6K6Yh=rb31.RegRead("HKCU\\software\\ZFNQjmrk\\gzSTht");WYrgjG7d="Has5";eval(f6K6Yh);l1ZBDZ1="W5cx";

21 of 52

Continued… (Deep Panda Dropper)

22 of 52

Adding Local Admin (4722, account creation)

23 of 52

Task Scheduling (4698 OR 106)

4698 Includes Actions / Exec

Aggregation on Unique Name

24 of 52

Bad Logins (4776)

Repeat Offenders / Probable Configuration Issue

Potentially Bad

25 of 52

WMI-Activity/Operational (Logs Errors Only)

Malware Checks BIOS for VM

26 of 52

Event Tracing for Windows (ETW)

These logs are very rich
Some can be enabled right in Windows Event Viewer
WMI, WinINet, Etc

Show every WMI query (Select * from Win32_BIOS)

WEF cannot directly subscribe to these logs :(

https://github.com/acalarch/ETL-to-EVTX
Matt Swann/Zach Brown and his group from Microsoft released ETW wrapper: https://github.com/Microsoft/krabsetw/tree/master/O365.Security.Native.ETW
https://github.com/matthastings/PSalander/

Check out cyberpointllc[.]com’s blogs for Red Team / Offensive uses

Windows Built-in Keylogger?

Could even use Internet Explorer tracing for stealing Internet Explorer HTTPS cookies & information

Or use it as an SSL decryption alternative

27 of 52

Enabling ETW Log in Event Viewer

~Not real time~

~Verbosity is changed in registry~

28 of 52

WMI-Activity/Trace (Logs *all WMI)

Basic WMI Queries for Anti-Analysis

29 of 52

WMI-Activity/Trace (Continued)

Process Creation

EventConsumer Persistence (Powersploit)

30 of 52

WMI-Activity/Trace (Continued)

Remote WMI

31 of 52

Using WEF to subscribe to custom logs

Why not push script through GPO and log result to custom windows log? In a WEF enabled environment, the results will be securely sent back without you having to write supporting code..

You could run “get-process, netstat -ano, get-wmiobject” every 30 seconds to help support your incident response / forensics process
You can deploy a script to search for hashes/registry keys/process names/etc and report back via WEF.
Add this to any powershell script with:

New-EventLog, Write-EventLog

WMI Events & Filters & NTEventLogEventConsumer

FireEye script https://github.com/realparisi/WMI_Monitor

Examples on https://github.com/neu5ron/WinLogsZero2Hero

33 of 52

Creating Scriptblock text (1 of 1):

#xgabjohcroansnh

sleep(15);try{

#iyiyzjv

function gdelegate{

#dsydimqnn

Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);

#nxwrqscy

$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule",$false).DefineType("XXX","Class,Public,Sealed,AnsiClass,AutoClass",[System.MulticastDelegate]);

#sedibjc

……………snip………………….

[Byte[]] $sc32 = 0x55,0x8B,0xEC,0x81,0xC4,<#ycf#>0x00,0xFA,0xFF,0xFF,0x53,0x56,0x57,0x53,0x56,0x57,0xFC,0x31,0xD2,<#koy#>0x64,0x8B,0x52,0x30,0x8B,0x52,0x0C,0x8B,0x52,0x14,0x8B,<#sml#>0x72,0x28,0x6A,<#zb#>0x18,0x59,0x31,<#eev#>0xFF,0x31,<#bv#>0xC0,0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0xC1,0xCF,0x0D,0x01,0xC7,0xE2,0xF0,0x81,0xFF,0x5B,0xBC,0x4A,0x6A,0x8B,0x5A,0x10,0x8B,0x12,0x75,0xDB,0x89,0x5D,0xFC,0x5F,0x5E,0x5B,0x8B,0x45,0xFC,0x89,0x45,0xD4,0x8B,0x45,0xD4,0x66,0x81,0x38,0x4D,<#vd#>0x5A,0x0F,0x85,0x0F,0x02,0x00,0x00,0x8B,0x45,0xFC,0x33,0xD2,0x52,0x50,0x8B,0x45,0xD4,0..

Kovter? Malware

34 of 52

AD: Right to Control All Users

Query = “EventID:4704 AND SeEnableDelegationPrivilege”

https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/

35 of 52

AD: Enabling More Efficient Hash Cracking (ie: Kerberoast + more)

Query = “EventID:4738 AND (Preauth OR Encrypted OR DES)"

�https://adsecurity.org/?p=2053

https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

36 of 52

Using Other’s Creds -- detect any runas or using different credentials for shared drive or even logging into a hosts (guest) VM

Query = “EventID:4648” + some elbow grease (950,000 events down to 5,000 in a few seconds)�OR just look for target localhost to narrow down to very few events for a quick win..

37 of 52

AD: Backdoor Using ServicePrincipalName

Query = “EventID:5136 AND ObjectClass:user AND AttributeLDAPDisplayName:servicePrincipalName”

https://adsecurity.org/?p=3466

38 of 52

AD:Backdoor via Delegation (msDS-AllowedToDelegateTo)

Query = “EventID:4738 AND NOT AllowedToDelegateTo.raw:"-"”

39 of 52

Wireless Attacks & Misuse (WEP/Unauth, Evil Twin, Screen Bypass/Unlock)

Query = ‘Channel:”Microsoft-Windows-WLAN-AutoConfig\Operational” AND EventID:8001’

40 of 52

Few More Hunting Possibilities

Download via signed PE -- malware -- Channel:Security AND EventID:4688 AND “bitsadmin.exe /transfer”
Bypass PowerShell v5+ module logging -- evasion -- Channel:Windows PowerShell AND EngineVersion=2*
Creating backup image -- potentially beginning data extraction/exfill -- Channel:Application AND EventID:4097
Services Installed -- persistence -- (Channel:Security AND EventID:4697) OR (Channel:System AND EventID:7045)
Scheduled Task Creation (Shamoon “APT” recently used this) -- persistence -- Channel:Security AND EventID:4698
Weak and non recommended encryption -- increased risk of hash cracking -- Channel:Security EventID:4768 AND EncryptionType:(DES-CBC-CRC OR DES-CBC-MD5 OR RC4-HMAC OR RC4-HMAC-EXP)
User ScriptPath Modification -- persistence -- Channel:Security AND EventID:4738 AND ScriptPath:*
Certificate Issued -- unauthorized devices; 802.1x; etc -- Channel:Security AND EventID:4887
Changing Local Time -- evasion -- Channel:Security AND EventID:4616 AND NOT ( ProcessName:"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" OR "C:\\Windows\\System32\\VBoxService.exe " OR ( ProcessName:"C:\\Windows\\System32\\svchost.exe" AND SubjectUserSid:"S-1-5-19" ) )
Editing boot values -- ransomware -- Channel:Security AND EventID:4688 AND bcdedit.exe AND (delete OR deletevalue OR set OR import)
Someone cleared firewall policies? -- compliance & security risk -- Security EID 4949

41 of 52

SIGMA Framework! by @blubbfiction & @cyb3rops

https://github.com/Neo23x0/sigma

Yara like framework for logs

Windows Events
Linux
Application errors
A lot more

Hundreds of community submitted alerts
Can automate turning all these into alerts in to�Elastic alerts(watcher)

https://github.com/Neo23x0/sigma/commit/135e38933481ac5ecc3b956c83ceb074f28cfd76

Here is one of their presentations on the framework

https://www.youtube.com/watch?v=OheVuE9Ifhs

42 of 52

Monitor Your Monitoring

Monitor all GPOs related to any audit policies, powershell logging, process & command line auditing, special group registry and anything else critical to your (WEF) monitoring.

Anytime it is modified, deleted, un-linked, or moved to different OU, or who/what it applies to.

Create PS script to log and send number of checked in devices into AD in last 24 hours and continuously compare to unique hostnames/devices in Elasticsearch
Create alerts for Elasticsearch if X number of events have not been seen in X time
Create a subscription specifically for “Microsoft-Windows-Eventlog-ForwardingPlugin” AKA “Microsoft-Windows-Forwarding/Operational” -- seems to not make sense to forward plugin errors but many times this subscription could work and you can see client errors for other subscriptions

EIDs for errors/issues: 101 and 105
EIDs for potential unauthorized subscription changes: 106
EIDS 102 permissions are incorrect to read “Network Service’ is not member of the ‘Event Log Reader’ group on the local PC. Update the membership and reboot the system.”

EventID:4719 AND removed -- disabling auditing
WEF servers “Microsoft-Windows-EventCollector” channel

43 of 52

One-offs, Gotchas, and Recommendations

Run your SIEM/Elastic-Stack on different AD auth and Virtual Infrastructure than the AD environment you are monitoring
For custom/non-builtin windows logs you need to create subscription via XML

The WEF server would not have the channel in the gui to click

Device/Network Inventory! -- use windows event logs to help
WEF Subscriptions should NOT use rendered text, instead use "events" format (binary)
Make sure your security log sizes are increased if possible and all logs are set to overwrite on your hosts -- 200384KBs / 200 MBs
Create unique subscriptions for very specific channels/events -- ie: one unique for Security Channel with send immediately
Things like system or non critical logs can be set to low bandwidth usage/sending.
For custom software that may not be on every computer create a subscription specific to that.. Otherwise if device is in a subscription to a channel it does not have and other channels are in that subscription ---- then those other channels may be missed
Windows 10 launches process/command line auditing before System.exe/PID:4 and also logs parent process
You can even encrypt win logs with PGP
You can even limit the resource usage of WEF or You can even limit the EPS from the host (mentioned earlier)
Running machine learning on an already setup network could result in baselining malware already installed :)
Remember your jump boxes are a one stop to steal many users credentials at one time

putty/secure-crt sessions
open password safes

Deploy GPO to push “NT AUTHORITY\NETWORK SERVICE” to the local/builtin group "BUILTIN\Event Log Readers"

44 of 52

Recommended GPOs

Computer Configuration Settings under “Computer Configuration\Policies\Administrative Templates\System\Group Policy”:

‘Set Group Policy refresh interval for computers’ = Enable and set to 90 minutes w/ random interval of 30 minutes
‘Group Policy Slow Link Detection’ = Enabled and option "0"
‘Configure Registry policy processing’ = Enabled

check box "Process even if the Group Policy objects have not changed"
check box "Allow processing across a slow network connection"

‘Configure Scripts policy processing’ = Enabled

check box "Process even if the Group Policy objects have not changed"
check box "Allow processing across a slow network connection"

‘Configure Security policy processing’ = Enabled

check box "Process even if the Group Policy objects have not changed"
check box "Allow processing across a slow network connection"

‘Turn off Local Group Policy objects processing’ = Enabled

https://p0w3rsh3ll.wordpress.com/2016/08/05/post-exploitation-using-ps-5-0-security-settings-to-hide-code-execution

Computer Configuration Settings under “Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options”:

‘Audit:Force audit policy subcategory settings to override audit policy category settings’ = enabled

45 of 52

Resources for WEF Transport

https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f

https://github.com/palantir/windows-event-forwarding/blob/master/group-policy-objects/README.md

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection
https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/
https://mva.microsoft.com/en-US/training-courses-embed/event-forwarding-and-log-analysis-16506/Video-Audit-Policy-KBwQ6FGmC_6204300474
https://blogs.technet.microsoft.com/wincat/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows/
https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx
http://syspanda.com/index.php/2017/03/01/setting-up-windows-event-forwarder-server-wef-domain-part-13/
https://www.root9b.com/sites/default/files/whitepapers/R9B_blog_005_whitepaper_01.pdf
https://github.com/defendthehoneypot ---- DoD STIG GPOs

46 of 52

Resources for Additional/Recommended Auditing

Retrieve Definitions of Windows Event Log messages

https://github.com/iadgov/Windows-Event-Log-Messages

How to monitor special user logins (ie: Domain Admin, Enterprise Admin, System, etc)

https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/

Powershell logging

https://cyberwardog.blogspot.com/2017/06/enabling-enhanced-ps-logging-shipping.html

Process Auditing with CommandLine

https://technet.microsoft.com/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing

Tons of ELK configs and parsers

https://github.com/Cyb3rWard0g/HELK/tree/master/docker/helk-logstash/pipeline

Our code for ETW consumption, powershell parsing, targeted dns debug logging, sysmon deployment

https://github.com/neu5ron/WinLogsZero2Hero

47 of 52

Stay Up to Date!

@olafhartong -- blue teamer
@Cyb3rWard0g -- blue teamer
@PyroTek3 -- all around microsoft defense/offense expert
@harmj0y -- powershell & red teamer
@rimpq - curated list of security related stuff
@SBousseaden -- blue teamer
@jepayneMSFT -- foremost microsoft security spokesperson / blue teamer
@ReL1K -- all around red teamer
@Lee_Holmes -- powershell expert & blue teamer
@mattifestation -- powershell & all things microsoft defense/offense
@Carlos_Perez -- all around red teamer
@cyb3rops -- all around blue teamer
@taviso -- hope he does not tweet about a tavis0DAY for software on your network
@mubix -- all around red teamer
@epakskape -- microsoft blue teamer
@JohnLaTwC -- microsoft blue teamer
@davehardy20 -- red teamer
@benpturner -- red teamer
@MSwannMSFT -- microsoft blue teamer
@jackcr -- all around blue teamer
@gentilkiwi -- red teamer
@hexacorn -- blue teamer
@danielhbohannon -- blue teamer
@mattifestation -- blue teamer
@x0rz -- great resource for anything blue & red
@xorrior -- red teamer
@kafeine -- windows exploits used from Exploit Kits and other crimeware
@subTee -- red teamer

48 of 52

HELP US! We have no idea what we are doing!

We have not even scratched the surface.... We need feedback and collaboration!

49 of 52

Questions?

Thanks 4 Listening!�@neu5ron�@acalarch

50 of 52

Resources & Credit (1 of 3)

https://support.microsoft.com/en-us/kb/977519
https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
https://adsecurity.org/?p=2604
https://adsecurity.org/?p=2277
http://www.redblue.team/2016/01/powershell-traceless-threat-and-how-to.html
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
https://jimshaver.net/2016/02/14/defending-against-mimikatz/
http://blog.gojhonny.com/2015/08/preventing-credcrack-mimikatz-pass-hash.html
https://joshuadlewis.blogspot.de/2014/10/advanced-threat-detection-with-sysmon_74.html
https://adsecurity.org/?p=2753
https://blogs.technet.microsoft.com/wincat/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows/
https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/
https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection #TODO:READ!
https://www.loggly.com/ultimate-guide/centralizing-windows-logs/
http://www.windowsnetworking.com/blogs/chetcuti/monitoring/using-https-in-event-forwarding-8.html # using HTTPs
https://msdn.microsoft.com/en-us/library/windows/desktop/bb870973%28v=vs.85%29.aspx
https://blogs.msdn.microsoft.com/canberrapfe/2015/09/21/diy-client-monitoring-setting-up-tiered-event-forwarding/
https://mva.microsoft.com/en-US/training-courses-embed/event-forwarding-and-log-analysis-16506/Video-Audit-Policy-KBwQ6FGmC_6204300474
http://windowsir.blogspot.com/2016/03/event-logs.html
http://www.asd.gov.au/publications/protect/Securing_PowerShell.pdf
https://blogs.technet.microsoft.com/russellt/2016/05/18/creating-custom-windows-event-forwarding-logs/
https://gist.github.com/gfoss/2b39d680badd2cad9d82
https://technet.microsoft.com/en-us/library/mt631193.aspx#T0E_BM
https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html
http://findingbad.blogspot.com/2016/08/hunting-lateral-movement.html
https://p0w3rsh3ll.wordpress.com/2016/08/05/post-exploitation-using-ps-5-0-security-settings-to-hide-code-execution
adsecurity.org/?p=1275
https://p0w3rsh3ll.wordpress.com/2017/03/20/etw-provider-security-fix-event-id-30
https://blog.didierstevens.com/2016/08/12/mimikatz-golden-ticket-dcsync/
https://blog.netspi.com/getting-started-wmi-weaponization-part-3/
https://automatetheplanet.com/windows-event-log-tips
https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for_11.html
https://blogs.technet.microsoft.com/jpntsblog/2015/10/06/analyze-security-event-log-with-microsoft-message-analyzer/
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
http://www.redblue.team/2015/09/spotting-adversary-with-windows-event.html?m=1
http://www.redblue.team/2015/09/spotting-adversary-with-windows-event_21.html
https://blog.savagesec.com/mitigating-the-threat-of-lateral-movement-7153d6f29707
https://www.youtube.com/embed/Xw536W7kbDQ
https://github.com/williballenthin/process-forest/blob/master/readme.md
https://journeyintoir.blogspot.com/2014/03/exploring-program-inventory-event-log.html?m=1
https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
https://adsecurity.org/?p=3164

51 of 52

Resources & Credit (2 of 3)

https://technet.microsoft.com/windows-server-docs/identity/ad-ds/plan/appendix-l--events-to-monitor
https://adsecurity.org/?p=3299
https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/
https://sec.ch9.ms/ch9/c6b1/a5a68115-0b75-4524-a8a4-9ff00be9c6b1/WIN433_mid.mp4
https://conf.splunk.com/session/2015/conf2015_MGough_MalwareArchaelogy_SecurityCompliance_FindingAdvnacedAttacksAnd.pdf
https://technet.microsoft.com/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
https://adsecurity.org/?p=3377
https://conf.splunk.com/session/2015/conf2015_MGough_MalwareArchaelogy_SecurityCompliance_FindingAdvnacedAttacksAnd.pdf
https://www.binarydefense.com/bds/reliably-detecting-pass-the-hash-through-event-log-analysis/
https://www.blackhat.com/docs/us-14/materials/us-14-Hathaway-Why-You-Need-To-Detect-More-Than-PtH-WP.pdf
https://www.sans.org/reading-room/whitepapers/detection/mimikatz-overview-defenses-detection-36780
https://onedrive.live.com/view.aspx?resid=A352EBC5934F0254%212074&cid=a352ebc5934f0254&app=Excel
https://adsecurity.org/?p=1515
https://securitynik.blogspot.com/2016/03/learning-about-mimikatz-skeletonkey_96.html
http://security-research.dyndns.org/pub/slides/BotConf/2016/Botconf-2016_Tom-Ueltschi_Sysmon.pdf
https://www.sans.org/reading-room/whitepapers/detection/detecting-malicious-smb-activity-bro-37472
http://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
https://www.youtube.com/embed/uE8IAxM_BhE
https://blog.netspi.com/10-evil-user-tricks-for-bypassing-anti-virus/
https://blog.netspi.com/10-places-to-stick-your-unc-path/
https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#BKMK_LSASS
https://blogs.technet.microsoft.com/teamdhcp/2015/11/23/network-forensics-with-windows-dns-analytical-logging/
https://blogs.technet.microsoft.com/askds/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2/
https://dfir-blog.com/2015/12/13/protecting-windows-networks-kerberos-attacks/
www.blackhat.com/docs/us-15/materials/us-15-Metcalf-Red-Vs-Blue-Modern-Active-Directory-Attacks-Detection-And-Protection-wp.pdf
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/index
https://twitter.com/jepaynemsft/status/778318860193828866
https://blogs.technet.microsoft.com/secguide/2014/09/02/blocking-remote-use-of-local-accounts/
http://windowsitpro.com/systems-management/disabling-logging-anonymous-logon-events
https://www.ernw.de/download/EventManipulation.pdf
https://github.com/marcurdy/dfir-toolset/blob/master/WinAttackDefense.md
https://gist.github.com/subTee/069ad3056c2e4ac809d34f84c38b13bc
https://securitylogs.org/2017/01/17/presentation-on-sysmon-deployment/
https://github.com/russelltomkins/Active-Directory/blob/master/Query-UserAccountControl.ps1
https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
https://www.defcon.org/images/defcon-22/dc-22-presentations/Kazanciyan-Hastings/DEFCON-22-Ryan-Kazanciyan-Matt-Hastings-Investigating-Powershell-Attacks.pdf
https://msdn.microsoft.com/en-us/library/gg156637.aspx
https://jordanpotti.com/2017/01/20/basics-of-windows-incident-response/
https://subt0x10.blogspot.com/2017/01/shellcode-injection-via-queueuserapc.html

52 of 52

Resources & Credit (3 of 3)

https://www.elastic.co/blog/monitoring-windows-logons-with-winlogbeat
https://www.sans.org/reading-room/whitepapers/logging/evtx-windows-event-logging-32949
https://adsecurity.org/?p=3466
https://adsecurity.org/?p=1929
https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf
https://social.technet.microsoft.com/Forums/office/en-US/6798f4ab-1443-4bdb-9ba5-5fe9c1f9d7bb/can-you-forward-analytic-and-debug-log?forum=winserver8gen
https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
https://adsecurity.org/?p=3458
https://www.cyberpointllc.com/srt/posts/srt-logging-keystrokes-with-event-tracing-for-windows-etw.html
https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/
https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-8b0a86bc
https://blogs.technet.microsoft.com/office365security/hidden-treasure-intrusion-detection-with-etw-part-2/
https://blogs.microsoft.com/microsoftsecure/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/
https://www.darkoperator.com/blog/2017/2/17/posh-sysmon-powershell-module-for-creating-sysmon-configuration-files
https://findingbad.blogspot.com/2017/02/patterns-of-behavior.html?m=1
https://blogs.technet.microsoft.com/askds/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos/
https://trimarcsecurity.com/trimarc-research-detecting-kerberoasting-activity
https://wmie.codeplex.com/
https://github.com/PaulSec/awesome-windows-domain-hardening
https://www.microsoft.com/en-us/download/details.aspx?id=13380
https://gist.github.com/vector-sec/f0ba2c46882b24da23d9303ff6e37f09
http://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks
https://dfir-blog.com/2015/10/11/protecting-windows-networks-essential-logging/
https://securitylogsdotorg.files.wordpress.com/2017/01/sysmon-2017-16-1.pdf
https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_26.html
https://github.com/defendthehoneypot
syspanda.com/index.php/2017/02/28/deploying-sysmon-through-gpo
https://p0w3rsh3ll.wordpress.com/2015/04/21/deploy-sysmon-with-powershell-desired-state-configuration/
https://www.root9b.com/sites/default/files/whitepapers/R9B_blog_005_whitepaper_01.pdf
https://p0w3rsh3ll.wordpress.com/2016/05/17/deploy-wmf5-0-on-windows-7
https://adsecurity.org/?p=2921
https://docs.cuckoosandbox.org/en/latest/installation/host/installation/
https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
https://social.technet.microsoft.com/wiki/contents/articles/5947.windows-7-enable-wmi-trace-logging-via-registry-file.aspx
https://www.malwarearchaeology.com/cheat-sheets/