Pushing those relevant events to Elastic using winlogbeat is good and if you don't want agents on all of your machines you could send the events to an event collector and then use winlogbeat to ship them off to Elastic. I've been toying around with using kansa modules and powerforensics scripts on a scheduled task and using Filebeat to ship off the output to Elastic.
Sysmon is also "yet another agent". From a MSSP point of view where you don't have much leverage on how the customer runs his network, it's hard to get deployed. GPO is better in respect of that. However, many orgs don't even know how to use GPOs. Even the Sysadmins. Which is a new set of problems. ;) It's not easy.
Hi everyone, I'm a cyber noob and I am trying all of John's labs however, I don't think I am grasping something with how deepblue cli works. The results seem to be based information from another system (presumably Eric's system used for testing). Therefore, i am asking if anyone could advise how to use it to assess my system? Thanks if anyone responds...
The DeepBlueCLI tool reads event logs and has several different options. Basically: Read local security log -or- Read evtx log file Output analysis in powershell terminal. Everything you need (except the log files, though there are samples) is out here: github.com/sans-blue-team/DeepBlueCLI Best Regards, -Jordan Drysdale | BHIS
Could you use Sysmon event id 10 to see weird processes trying to access lsass to catch it being dumped? This is a sample Splunk query: "EventCode=10 | where (GrantedAccess="0x1010" AND TargetImage LIKE "%lsass.exe")"
