2018-031-Derbycon ticket CTF, Windows Event forwarding, SIEM collection, and missing events... oh my!
Published September 1, 2018
|
68 min
    Download
    Add to queue
    Copy URL
    Show notes

    We are back with a new episode this week! We got over our solutions for some of the #derbyCon ticket #CTF challenges and include links to some of the challenges. We talk about Windows Event Forwarder, and all log forwarders seem to losing events!

     

    Thanks to our Patrons!

    Gonna be at Derbycon, come see us!

     

    Congrats to our Derbycon Ticket CTF winners!

    Winner:  @gigstaggart

    2nd Place: @ohai_ninja

    3rd Place: @SoDakHib

     

    Mr. Boettcher’s Challenge (SuperCrypto): https://drive.google.com/open?id=1657hBxRbacJRw0svG1nwzZImON3QFn1t

     

    Ms.Berlin’s Challenge:

     

    potato.file https://drive.google.com/open?id=1Mit7060ipK_JgDDF7sYG3XbMpZ9wyaFN

    Taters.zip https://drive.google.com/open?id=1TnA16EiwLw2BberHXct8JpEsntT-GWq7

    Potatoes.pcapng: https://drive.google.com/open?id=1_IATBw4OGAc7lUc7NXTcucfwU9NAROYN

     

    Mr. Brake’s Challenge: https://drive.google.com/open?id=1gwGkLjWEZ42NlWiw2Eg8IQnnQAxua7B8

     

    Update on Mental Health GoFundMe: http://www.derbycon.com/wellness

    Thanks to the #Derbycon organizers for their time and patience on answering the questions posed.

     

    Missing event issues:

    https://social.technet.microsoft.com/Forums/en-US/eddf3f41-db8d-4729-a838-646cbbb45295/missing-events-on-event-subscription?forum=winservergen

    https://social.technet.microsoft.com/Forums/en-US/cb34f0d3-22df-498c-a782-d1957f6852ac/forwarded-events-subscriptions-missing-information-in-eventdata-section?forum=winserverManagement

     

    https://github.com/palantir/windows-event-forwarding

     

    https://answers.splunk.com/answers/337939/how-to-troubleshoot-why-im-missing-events-in-my-se.html


    https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

    https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows

     

    https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/

     

    https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4

     

    https://4sysops.com/archives/windows-event-forwarding-to-a-sql-database/

     

    https://blogs.technet.microsoft.com/jepayne/2017/12/08/weffles/

     

    http://bpatty.rocks/blue_team/weffles.html

     

    https://blogs.technet.microsoft.com/nathangau/2017/05/05/event-forwarding-and-how-to-configure-it-for-the-security-monitoring-management-pack/

     

    Some issues with missing events… Everyone is affected by this!

     

    WEF & PowerBI is good for small installations.

     

    Any GPOs involved?

    Can it be done on a server by server basis?

    Can an attacker simply disable the service once initial access is achieved?

     

    Pros and Cons of feeding the WEF output to a MapReduce system?

     

    Not sure if they've used it, but WEF vs. winlogbeat vs. NxLog?

     

    Need a config?  Get some examples here for nxlog, winlogbeat, filebeat, Windows Logging Service and other stuff...

    https://www.malwarearchaeology.com/logging/

    Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

    #Brakesec Store!:https://www.teepublic.com/user/bdspodcast

    #Spotifyhttps://brakesec.com/spotifyBDS

    #RSShttps://brakesec.com/BrakesecRSS

    #Youtube Channel:  http://www.youtube.com/c/BDSPodcast

    #iTunes Store Link: https://brakesec.com/BDSiTunes

    #Google Play Store: https://brakesec.com/BDS-GooglePlay

    Our main site:  https://brakesec.com/bdswebsite

    #iHeartRadio App:  https://brakesec.com/iHeartBrakesec

    #SoundCloudhttps://brakesec.com/SoundcloudBrakesec

    Comments, Questions, Feedback: bds.podcast@gmail.com

    Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

    https://brakesec.com/BDSPatreon

    #Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

    #Player.FM : https://brakesec.com/BDS-PlayerFM

    #Stitcher Network: https://brakesec.com/BrakeSecStitcher

    #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

      15
      15
        0:00:00 / 0:00:00