I’ve been using Sysmon for about 2 years now and it’s one of my favorite Sysinternals tools. My use-cases include but are not limited to the following: Finding unknown &…
Author: Pablo Delgado
Critical Security Control # 5: Removing local administrators once and for all
It’s easy to get caught up with shiny and costly “Next-gen” products that will keep your environment secure from 0-day exploits; however, before you spend all of your Security budget,…
Advanced Sysmon filtering using Logstash
When I initially deployed Sysmon early last year I was amazed by the amount of detail it gathered, as well as the huge amount of logs that my ELK stack…
Sending Windows Event Forwarder Server (WEF) Logs to Elasticsearch (Winlogbeat)
Now that you are sending all of your logs to your Windows Event Forwarder, it’s time to forward them to Elasticsearch so we can visualize them in Kibana and make…
Setting up Windows Event Forwarder Server (WEF) (Domain) – GPO Deployment Part 3/3
Now that you have set up a Windows Event Forwarder collector + Sysmon subscriptions, you are ready to collect these logs from your endpoints. We will now create a group…
Setting up Windows Event Forwarder Server (WEF) (Domain) – Sysmon Part 2/3
This is part 2, in which we will be setting up Sysmon on our WEF server. As you saw in the previous article, there is no option for a Sysmon subscription…
Setting up Windows Event Forwarder Server (WEF) (Domain) Part 1/3
This will be a 3-part series in which we will set up a Windows Event Forwarder server that will collect event logs from domain-joined Windows workstations based on subscriptions that…
Deploying Sysmon through Group Policy (GPO) *Updated scroll down*
Here’s a way to deploy Sysmon to all of your domain endpoints using Group Policy. Step 1: Create the Sysmon install batch file. First, create a batch file that will be placed…
Incorporating VirusTotal Data into Elasticsearch
Now that we’re collecting logs from various sources including Sysmon, we have access to file hash information. A while back I came across this SANS article on incorporating VirusTotal to…
Setting up Elasticsearch 5.x – Monitoring and Visualizing Logs with Kibana Part 3/3
At this point you have set up the Elasticsearch stack along with a Windows host from which you are collecting logs using Winlogbeat. Now it’s time to start visualizing and searching…