Getting the most out of Windows Events Logs with built-in and free tools (David Szili)
| February 17th, 2017Workshop:
A typical mistake repeatedly seen in many SOCs is that they collect such a large amount of events that at the end they suffocate their SIEM solution. “”Collect all the events!!!”” sounds nice in theory but in practice, less is often more and security teams must select and focus on events that have an actual use-case and provide real value from a security perspective. But what if we do not even have a SIEM and cannot afford one? Luckily, in a Microsoft Windows environment we have built-in and free tools at our disposal to get quickly started with security monitoring and hunting using Windows Events Logs.
In this workshop, we will see how to collect events with Windows Event Forwarding (WEF), go through some of the most important and valuable Windows Events to be collected such as AppLocker, EMET or LAPS events, user and service creation events, PowerShell commands, etc. We will discuss how to properly configure Security Audit Policy Settings and how to set up Sysmon for advanced application monitoring.
Once we have the events we need, we will slice and dice them with PowerShell commands like Get-WinEvent (or with Get-EventLog in case of older Windows/PowerShell versions) and see a few simple PowerShell scripts and modules that can help us as well as some tools that are specifically made for monitoring and detection. Finally, we will use the free Power BI Desktop to build some nice dashboards to give us a better overview of the data we are collecting.
Attendees need to bring their laptop to follow the hands-on parts:
- A laptop with at least 4 GB of RAM and more than 20 GB of free disk space
- Windows 7/8/8.1/10 or Windows Server 2008/2012/2016 installed (on the laptop or in a virtual machine) with PowerShell 4.0 or higher
Bio:
David Szili is a freelancer IT security consultant with penetration testing, security monitoring and incident response background, previously working for companies like POST Telecom PSF, Dimension Data, Deloitte and Balabit.
David has two Master’s degrees in Computer Engineering and in Networks and Telecommunication and a Bachelor’s degree in Electrical Engineering. He also holds several IT security certifications such as GSEC, GCED, GCIA, GCIH, GMON, GMOB, OSCP, OSWP and CEH.
In his spare time, David likes working on hobby electronics projects, develop new IT security tools or sharpen his skills with CTFs and bug bounty programs.