Welcome back, and this is a quick post on something you should 100% be doing with everything you download: verifying the file hash. Let's cover the basics first. A file hash is the fixed-length string of characters produced by running a file through a hashing algorithm. There are many different algorithms: MD5, SHA1 …
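As an added example that is not part of the original post, the script below does the check the excerpt describes: it hashes a downloaded file in chunks, parses a published `sha256sum`-style checksum line, infers the algorithm from the digest length when the site only gives a bare hash, and warns when a match was computed with MD5 or SHA1, which are collision-prone. The sample file content and the checksum line are constructed here (the digests are the standard test-vector values for the bytes `abc`); the function and variable names are this example's own.

```python
"""Verify a downloaded file against a published checksum (added example)."""
import hashlib
import hmac
import os
import tempfile

# Algorithms with practical collision attacks: a match still shows the download
# is not corrupted, but not that it is the file the publisher intended.
WEAK_ALGORITHMS = {"md5", "sha1"}

# Hex digest length -> algorithm, used when a site publishes only a bare hash.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-GB ISO never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse one line in sha256sum/md5sum format: '<hex>  <filename>'.

    Returns (hex_digest, filename). A leading '*' on the filename (the
    binary-mode marker some tools write) is stripped.
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<hex> <filename>', got: %r" % line)
    digest, name = parts
    return digest.lower(), name.lstrip("*")


def verify_file(path, expected_hex, algorithm=None):
    """Compare the file's digest with the published one.

    Returns a dict with the outcome, the algorithm used, the computed digest
    and a warning when the match relied on a weak algorithm.
    """
    expected_hex = expected_hex.strip().lower()
    if algorithm is None:
        algorithm = DIGEST_LENGTHS.get(len(expected_hex))
        if algorithm is None:
            raise ValueError("cannot infer algorithm from digest length %d"
                             % len(expected_hex))
    actual_hex = file_digest(path, algorithm)
    # Constant-time comparison; not strictly needed offline, but a good habit.
    match = hmac.compare_digest(actual_hex, expected_hex)
    warning = None
    if match and algorithm in WEAK_ALGORITHMS:
        warning = ("%s matched, but %s is collision-prone; "
                   "prefer a SHA-2 digest when the site offers one" % (algorithm, algorithm))
    return {"match": match, "algorithm": algorithm,
            "actual": actual_hex, "warning": warning}


def verify_bytes(data, expected_hex, algorithm=None):
    """Convenience wrapper: write in-memory bytes to a temp file and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "download.bin")
        with open(path, "wb") as f:
            f.write(data)
        return verify_file(path, expected_hex, algorithm)


def demo():
    """Constructed scenario: a fake download plus the line a vendor would publish."""
    # Constructed content; a real file is hashed exactly the same way.
    download_bytes = b"abc"
    # Constructed checksum line: SHA-256 of b"abc" in sha256sum format.
    published = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
                 "  tool-1.0.zip")
    digest, _name = parse_checksum_line(published)
    return verify_bytes(download_bytes, digest)


if __name__ == "__main__":
    r = demo()
    print("OK" if r["match"] else "MISMATCH", r["algorithm"], r["actual"])
    if r["warning"]:
        print("WARNING:", r["warning"])
```

The hash must come from a source other than the download itself (the vendor's HTTPS page, a signed release note, or a PGP-signed checksum file); a hash served from the same mirror as a tampered file proves nothing.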
Fine Tuning Part 2 (Free SIEM part 6)
If you have been following along with this project you should be at the stage where you have WEF configured through Group Policy, with endpoints pushing events over WinRM, and nxlog installed and forwarding those events to a Graylog server. We also covered installing and configuring Sysmon. Our test environment looks like this. We …
Windows Event Forwarding Additional Configuration and Fine Tuning. (Free SIEM part 5)
We are going to quickly touch on something which frustrated me for a short while; it is related to the default configuration used by wecutil when setting up WEF (Windows Event Forwarding). Previously I had always forwarded logs from my endpoints into Graylog using either nxlog/syslog or OSSEC, so had never had this issue …
Upgrading To Graylog Enterprise. (Free SIEM Part 4)
We have covered Graylog a fair bit, but to make the most of all its functionality we need to upgrade to an Enterprise license. Now, before you start screaming "I want a FREE solution": Graylog Enterprise is free for up to 5GB of data a day, and if you are using more than that then …
Set Up Windows Event Forwarding with Sysmon using Group Policy. (Free SIEM Part 3)
This is the third tutorial in the "Free SIEM" series. Today the aim is to set up log forwarding to a central log server from all our endpoints with Group Policy, and as an added bonus we are going to forward all Sysmon logs as well. For the topology we have a Domain Controller …
Install Graylog on Ubuntu (Free SIEM Part 2)
Hello all, this is the first of a new series of posts which will show you how to set up a free centralised logging solution for any environment. After much trial and error I think I'm set on using Graylog, Windows Event Forwarding, Sysmon, and OSSEC/Wazuh. All the official documentation for Graylog can be found here: Graylog …
Sysmon Initial Setup (Free SIEM Part 1)
Recently we have been looking at a lot of Blue Team tools to help increase both the visibility of our network and our ability to audit events. I recently found a great Sysmon config by @SwiftOnSecurity and decided that it was time to give it a go. The GitHub page for the config file is here and you can download …
Detecting a Cyber Attack Part 4 (Sysmon – Basic malware hunting 2)
In our first malware hunting blog we looked at an incident where a user had downloaded a malicious application from a website. Here we are going to investigate a malicious document which was received via email. This is our second basic investigation, but we will continue to ramp things up over the coming months. …
Detecting a Cyber Attack Part 3 (Sysmon – Basic malware hunting)
In our first two blogs of this series we installed and configured a basic Sysmon setup with a verbose custom view; now we are going to show how even this simple setup can help with threat hunting and incident response. This is a very basic investigation to start with, but we will continue …
Detecting a Cyber Attack Part 2 (Sysmon – Create a verbose custom view)
As covered in the previous blog, Sysmon is very powerful for logging and alerting; however, the logs are hidden deep in the folder structure of Event Viewer, so ideally we want quick access to these logs when threat hunting locally on an asset. (We will cover centralising logs later in …
