Advanced Windows Logging - Finding What AV Missed

00:00 - Intro 01:00 - Explaining the HELK Architecture 02:50 - Showing my VM's Spec's/build 03:50 - Installing HELK 05:40 - Poking around HELK's Logstash container to see how it works 08:40 - Examining HELK Elastalert to view sigma rules 09:08 - The magic behind catching APT! (sorry did it for the keywords) 11:58 - The SafetyKeyz Sigma rule, could easily be avoided 12:58 - Start of Windows 13:20 - Building a Sysmon Config with Sysmon-Modular - https://github.com/olafhartong/sysmon-modular 17:20 - Enabling Other Logging 18:00 - Enabling Command Line Logging with arguments - Computer/Windows/SecuritySettings/SecurityOptions/Audit: Force Audit policy - Computer/Windows/SecuritySettings/AdvancedAudit/DetailedTracking/AuditProcessCreate - Computer/AdminTemplates/System/AuditProcessCreation 20:00 - Enabling Powershell Module and Script Block Logging - Computer/AdminTemplates/WindowsComponents/WindowsPowershell/ - Create Profile.ps1 in c:\windows\system32\WindowsPowerShell\v1.0 -- Variables: $LogCommandHealth and $LogCommandLifeCycleEvent = $true 23:00 - Enabling Task Scheduler History/Logging 23:25 - Downloading and installing WinLogBeat (If you have issues, try version 6.7 of WinLogBeat, 7 is now out and HELK is not ingesting) 27:05 - Logging into HELK and start of searching the logs! 28:45 - Searching Process Create Events (4688) and finding the commands we ran earlier 29:53 - Testing the Powershell logging to detect downloading and executing a script 37:00 - Detecting mimikatz accessing LSASS 39:40 - Deep dive into Mimikatz to identify how it accesses LSASS.EXE to create a signature, what is 0x1010 process grant? 44:30 - Showing the Process Creation stuff in real time. 47:25 - Examining the SysMon Dashboard 48:00 - Viewing the SIGMA Rules and how to clean up noisy ones. ** Really good blog post: https://posts.specterops.io/what-the-helk-sigma-integration-via-elastalert-6edf1715b02 ** 50:00 - Deep dive into the SIGMA Rule setup - python -m elastalert.elastalert --debug