Ideas for Incident Response on the cheap with a recipe on DIY windows endpoint monitoring using nxlog, sysmon, and ELK.

1. Incident Response on a
Shoestring Budget
Detecting Attackers on Your Network Using Open Source Tools

2. Who, what, when?
• At BHIS we still rarely see effective logging and monitoring for
detecting attacker activity
• Effective ingress/egress network traffic logs to determine what went
where and when
• Consolidated endpoint logging for determining what ran on what
system and when
• Free and open source can provide this the necessary visibility

3. Bio
• Security Analyst at Black Hills Information Security
• Previous Blue Team, now mostly Red Team
• CitySec Meetup Organizer – TidewaterSec (Hampton, VA)
• Avid OWA enthusiast

4. Standard Disclaimer
• Enterprise deployments of monitoring and logging solutions have to be
sized appropriately for the amount of traffic, logs, and analysis
• This is true for commercial and open source tools
• The open source and free tools discussed in this presentation will scale
to the enterprise
• It still takes planning and resources beyond what
can be covered in an hour
• One size does not fit all
• Your mileage may vary

5. Detection vs. Prevention
• Prevention is ideal but detection is a must
• Preventive measures can be bypassed
• Preventive solutions potentially cost a substantial amount of money
• Many detective solutions can be done for “free”
• Detective solutions are essential in identifying the “full picture” on an
incident

6. Value of Time
• Open source and free software is not cost free if you value your time
• Trade offs for figuring out vs. ability to call the vendor
• If you go with completely free and
open source solutions, you may be on
your own to figure it out and make it
work
• But your security Kung Fu will get
better because of this

7. Core Monitoring Components
• Network Monitoring
• Host Based Monitoring (monitoring edge devices)
• Forensics at Scale (one analyst to many systems)
• Centralized Logging
• Log Correlation and alerting (SIEM)

8. Threat Intelligence?
Cyber Kill Chain®
(lockheedmartin.com/cyber) 1) Reconnaissance
2) Weaponization
3) Delivery
4) Exploitation
5) Installation
6) Command and Control
7) Actions on Objectives

9. Where are you now?

10. Network Monitoring
• Bro vs. Snort - Apples and oranges
• Bro is network protocol decoding at scale
• Forensic ground truth of what happens on the network
• Snort matches packets to signatures to detect potentially bad traffic
• They have different use cases – use the right tool for the job

11. Host Based Monitoring
• With cloud and mobile, increasingly more important to gain edge
device visibility
• Sysmon is an easy win to deploy to Windows Endpoints
• Process creation with full command line
• Hash of process (SHA1)
• Network Connections
• File creation time changes

12. Sysmon
Process Create:
UtcTime: 2017-06-09 00:57:42.516
ProcessGuid: {3f6cf078-f286-5939-0000-001096ec2a00}
ProcessId: 3232
Image: C:WindowsSystem32WindowsPowerShellv1.0powershell.exe
CommandLine: powershell /HeLlo
CurrentDirectory: C:UsersBruce L. Roy
User: WIN-OK4HSK4QBPHBruce L. Roy
LogonGuid: {3f6cf078-30ec-5938-0000-002031df1000}
LogonId: 0x10df31
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D
ParentProcessGuid: {3f6cf078-f27b-5939-0000-001026e22a00}
ParentProcessId: 3364
ParentImage: C:WindowsSystem32cmd.exe
ParentCommandLine: "C:Windowssystem32cmd.exe"

13. Log Consolidation
• Centralize log collection from all edge devices and boundary devices
• Syslog client on Linux systems
• NXLog supports syslog shipping of
Windows Event Logs
• Microsoft Windows Event Collector
• Boundary device syslog (Firewall,
proxies, etc.)

14. SIEM For Free
• Any DIY SIEM solution could be time and labor intensive
• Elastic Logstash Kibana (ELK) / Elastic Stack
• Graylog
• If you have budget and have to choose where to spend, this may be
the best place
• If you are not centralizing logs now start simple
• Consolidate device and endpoint logs into syslog with nxlog

15. Forensics at Scale
• Ability for IR and forensics staff to quickly and remotely acquire
necessary evidence to analyze an attack
• Can be difficult and time consuming to image RAM and disk evidence
for every investigation
• F-Response (not free)
• Possible with PowerShell
• Google GRR
• Incident Response Framework

16. Tool Configuration
End Point Monitoring

17. nxlog
• Endpoint agent to ship logs to a syslog collector
• Support for Windows Event log shipping to remote collector – we’re
going to be sending JSON
• Text based conf file
• Application log selecting EVT IDs 1102, 4103, 4104
• Security log selecting EVT IDs 1102, 4624, 4625
• System log selecting EVT IDs 1102, 7009, 7045
• All of Sysmon log (filtering done in Sysmon config)
https://gist.github.com/deruke/20e77eaa14ad193fd6ab85a76c64cb21

18. Additional EVT Logs
• Windows Logging Cheat Sheet at www.malwarearchaeology.com
• NSA Spot the Adversary List

19. PowerShell Logging
• Module Logging
• Records pipeline execution details
• Script Block Logging
• Records blocks of code as they are executed
• Also records de-obfuscated code execution
• PowerShell 5.0 automatically logs script blocks considered as “suspicious”
• Transcription
• Unique record of every PowerShell session
• All input and output

20. PowerShell Logging
• Administrative Templates>Windows Components>Windows
PowerShell

21. GPO Caveats
• If running Windows 7 Obtain Administrative Templates for Windows
10
• Copy both the requisite files into %systemroot%Policy Definitions
• PowerShellExecutionPolicy.admx
• PowerShellExecutionPolicy.adml
• Copy to sysvolPoliciesPolicy Definititions if performing this as
domain GPO

22. Sysmon Config File
• Install with XML based configuration to
• Start with @SwiftOnSecurity’s file as a base then customize to fit your
environment
• https://github.com/SwiftOnSecurity/sysmon-config
• Filters events based on Sysmon event type
• For every type, sensible exclusions and inclusions to reduce noise or
look for specifically suspicious activity

23. Sysmon Config File

24. Collector
• Ubuntu 16.04 LTS system running Elastic Stack (ELK)
• Logstash ingests incoming syslog from endpoints and outputs to
Elasticsearch
• Kibana web front end to search
and visualize the data
• Scales to Enterprise, but you will
need to plan accordingly
Logstash config: https://gist.github.com/deruke/093e9fa9b666aa211cfdce81921cb3ce

25. Deployment via GPO
• Script Block Logging
• Nxlog installation and/or service start on start up
• Sysmon installation and/or service start on start up
https://gist.github.com/deruke/743a80c89740fdedcb7f8871cdf02536

26. Demo Time

27. What about Prevention?
• Configuration changes can be effective prevention
• Strong password policy
• 15 characters min for users
• 28 characters for service and administrator accounts
• 2FA on all external facing portals
• Restrict administrative access
• LAPS
• Microsoft Tiered Architecture Approach
• Restrict client-to-client communication
• Private VLANs or Windows Firewall

28. What about Prevention?
• Application Whitelisting
• Windows 10 Enterprise features
• Device Guard – attempts to prevent malicious code from ever running, only
known good code can run
• Credential Guard – hardening of key user and system secrets, attempted
mitigation of credential based attacks
• Both use Virtual Secure Mode (VMS)
• Both require planning and deployment

29. Resources
• Network Monitoring
• www.bro.org
• snort.org
• molo.ch
• Host Based Monitoring
• Sysmon - technet.microsoft.com/en-
us/sysinternals/bb545021.aspx
• Sysmon Config:
https://github.com/SwiftOnSecurity/sysmon-config
• Nxlog: nxlog.co
• Blog on setup:
• https://www.blackhillsinfosec.com/endpoint-
monitoring-shoestring-budget-webcast-write/
• Live response at scale
• Google GRR: https://github.com/google/grr
• Log Correlation
• Elastic: https://www.elastic.co/
• Graylog: https://www.graylog.org/
• Microsoft Environment Configuration
• LAPS: https://www.microsoft.com/en-
us/download/details.aspx?id=46899
• AD Tiered Model:
https://docs.microsoft.com/en-us/windows-
server/identity/securing-privileged-
access/securing-privileged-access-reference-
material

30. Conclusions
• Free and Open Source solutions can effectively be used for
monitoring, detection, and live response
• Edge based host monitoring with centralized logging is a powerful
combination
• Configuration changes are an important aspect of preventing
compromise

31. Conclusions
• Derek Banks - @0xderuke
• @BHInfoSecurity – http://www.blackhillsinfosec.com
0x3F