Sep 1, 2018
We are back with a new episode this week! We got over our solutions for some of the #derbyCon ticket #CTF challenges and include links to some of the challenges. We talk about Windows Event Forwarder, and all log forwarders seem to losing events!
Thanks to our Patrons!
Gonna be at Derbycon, come see us!
Congrats to our Derbycon Ticket CTF winners!
Winner: @gigstaggart
2nd Place: @ohai_ninja
3rd Place: @SoDakHib
Mr. Boettcher’s Challenge (SuperCrypto): https://drive.google.com/open?id=1657hBxRbacJRw0svG1nwzZImON3QFn1t
Ms.Berlin’s Challenge:
potato.file https://drive.google.com/open?id=1Mit7060ipK_JgDDF7sYG3XbMpZ9wyaFN
Taters.zip https://drive.google.com/open?id=1TnA16EiwLw2BberHXct8JpEsntT-GWq7
Potatoes.pcapng: https://drive.google.com/open?id=1_IATBw4OGAc7lUc7NXTcucfwU9NAROYN
Mr. Brake’s Challenge: https://drive.google.com/open?id=1gwGkLjWEZ42NlWiw2Eg8IQnnQAxua7B8
Update on Mental Health GoFundMe: http://www.derbycon.com/wellness
Thanks to the #Derbycon organizers for their time and patience on answering the questions posed.
Missing event issues:
https://github.com/palantir/windows-event-forwarding
https://answers.splunk.com/answers/337939/how-to-troubleshoot-why-im-missing-events-in-my-se.html
https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows
https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4
https://4sysops.com/archives/windows-event-forwarding-to-a-sql-database/
https://blogs.technet.microsoft.com/jepayne/2017/12/08/weffles/
http://bpatty.rocks/blue_team/weffles.html
Some issues with missing events…
Everyone is affected by this!
WEF & PowerBI is good for small installations.
Any GPOs involved?
Can it be done on a server by server basis?
Can an attacker simply disable the service once initial access is achieved?
Pros and Cons of feeding the WEF output to a MapReduce system?
Not sure if they've used it, but WEF vs. winlogbeat vs. NxLog?
Need a config? Get some examples here for nxlog, winlogbeat, filebeat, Windows Logging Service and other stuff...
https://www.malwarearchaeology.com/logging/
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!:https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec