This week: Windows, Sysmon, logs, SIEM
Windows #
I learned more about Windows architecture, the registry, and the core processes: what's normal and what's not.
SANS webinar - Evolution of SOC Automation #
By Erik Van Buggenhout and Wouter Stinkens. They both work at Nviso. This was a super interesting demo with clear explanations. From what I understand, it's still difficult to get consistent results, which is necessary. A bit like in functional programming: if you have the same event, you should get the same result, whether it's a true positive or a false positive.
Tools and Skills for Security Analysts #
This conversation was super insightful.
A few notes:
- It costs money to plug all your logs into a SIEM. You don't necessarily have the budget to do that.
- So you need to know what your most valuable assets are (the crown jewels) to protect them.
- What would be useful from an investigation mindset?
- But sometimes, you don't know you need it until you need it.
- What is important is not the tool but how you analyze the data. How do you deal with looking through all these logs and reading through the noise?
Logstail academy #
I had the opportunity to get access to the Logstail learning platform. The strong point of this platform is the hands-on labs, with the possibility of performing attacks and then using the Logstail SIEM to detect them. I did the following courses:
- Malware detection
- Ransomware detection
- Port scanning detection
- Malicious PowerShell activity detection
- Privilege escalation detection
But the quizzes were really too easy, though.
TIL #
- Obsidian has a callout feature!
- mshta / [[hta]] files
- System Binary Proxy Execution: Mshta (MITRE ATT&CK T1218.005)
- Hijack Execution Flow: DLL Search Order Hijacking (MITRE ATT&CK T1574.001)
Why does an nmap SYN scan need privileges while a TCP connect scan does not? #
For a TCP connect scan, nmap asks the operating system to open a normal socket, so the TCP three-way handshake is completed. That makes it less discreet than a SYN scan (the application on the target sees a full connection and may log it), but you don't need sudo:
nmap -sT 192.168.1.1
During a SYN scan, the TCP handshake is not completed: nmap sends a SYN, classifies the port from the reply (SYN/ACK means open, RST means closed, no reply means filtered) and answers an open port with a RST instead of the final ACK:
nmap -sS 192.168.1.1
To do this nmap has to build the SYN segment itself and hand it to a raw socket. Creating raw packets is a privileged operation in most operating systems (on Linux it requires root or the CAP_NET_RAW capability), because the sender controls every header field and could spoof source addresses or forge arbitrary traffic. That is also why nmap defaults to -sS when run as root and to -sT otherwise.
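To make the difference concrete, here is an added example (my own code, not nmap's and not from the original post) that shows both paths from Python: a plain connect scan that needs no privileges, and the send side of a SYN scan, which hand-builds a 20-byte TCP header with a correct checksum and needs a raw socket. Receiving and classifying the reply is left out; the IP addresses, ports and sequence number are constructed sample values, and the loopback listener exists only so the connect scan has something to hit.

```python
import socket
import struct

# Added example (not from the original page): builds the SYN segment an -sS
# scan sends and contrasts a raw-socket send (privileged) with a connect scan
# (unprivileged). IPs, ports and the sequence number are constructed values.


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, as used by TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_syn(src_ip, dst_ip, src_port, dst_port, seq=0x12345678) -> bytes:
    """20-byte TCP header with only the SYN flag set and a valid checksum."""
    offset_flags = (5 << 12) | 0x02          # data offset = 5 words, flags = SYN
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                         offset_flags, 65535, 0, 0)   # checksum field zeroed
    csum = checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_flags(segment: bytes) -> int:
    """Return the 9 flag bits of a TCP segment (SYN = 0x02, RST = 0x04, ACK = 0x10)."""
    return struct.unpack("!H", segment[12:14])[0] & 0x1FF


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """Summing pseudo-header + segment (checksum included) must give zero."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def send_raw_syn(src_ip, dst_ip, dst_port, src_port=40000) -> bool:
    """The -sS path: hand a crafted segment to a raw socket.

    Returns False when the OS refuses the raw socket, which is what an
    unprivileged user sees; nmap -sS is stopped at the same point.
    """
    segment = build_syn(src_ip, dst_ip, src_port, dst_port)
    try:
        raw = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except PermissionError:
        return False
    with raw:
        raw.sendto(segment, (dst_ip, 0))   # kernel prepends the IP header
    return True


def connect_scan(host: str, port: int, timeout: float = 1.0) -> str:
    """The -sT path: a normal socket, full handshake, no privileges needed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"          # SYN/ACK received and the handshake finished
        except ConnectionRefusedError:
            return "closed"        # target answered with RST
        except (socket.timeout, OSError):
            return "filtered"      # no answer at all


def demo_connect_scan() -> tuple:
    """Scan a loopback listener while it is up, then again after it closes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = connect_scan("127.0.0.1", port)
    listener.close()
    after_close = connect_scan("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print("connect scan (open, closed):", demo_connect_scan())
    seg = build_syn("192.0.2.10", "192.0.2.20", 40000, 80)
    print("SYN segment:", seg.hex(), "flags=0x%02x" % tcp_flags(seg))
    print("raw SYN sent:", send_raw_syn("127.0.0.1", "127.0.0.1", 80))
```

Run it once as a normal user and once with sudo: the connect scan behaves the same both times, while the raw send only succeeds with privileges. Everything in the TCP header, including the source port and sequence number, is chosen by the sender, which is exactly the capability the OS gates behind root or CAP_NET_RAW.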