[PowerShell edition] What the log?! So many events, so little time… Miriam Wiesner - PSCONFEU 2020

Captions
Welcome to the PowerShell Conference Europe 2020, this time virtually. I'm Miriam and I'll be presenting "What the log?! So many events, so little time", this time in the PowerShell edition. First of all, a big thank you to all of our sponsors; without you PSConfEU would not be possible at all, so thank you so much.

A little bit about me: my name is Miriam Wiesner and I work as a security program manager for Microsoft Defender ATP. Before I joined this team I worked as a Premier Field Engineer and helped my customers to configure their environments more securely and also to detect anomalies and potential threats, and this is actually also where my story starts. But before we dive into that, just a disclaimer: this presentation and the tool are all my personal work and are not supported at all by Microsoft. So if you have any issues with it, any questions, anything that you would like to have implemented, don't approach Microsoft, just go directly to me.

So when I worked as a Premier Field Engineer to support the customers at Microsoft, this was not an accurate image of me when supporting customers; this should just demonstrate an attacker, because most companies are not aware when they are being attacked. Most companies are being attacked, and only maybe after 200 days, if the company detects it at all, are attackers being detected and the company starts to build measures or starts to get the attacker out of the environment. And this is a problem, because the attacker has more than 200 days to do everything that he or she likes to do in the environment and also gets a foothold there, and well, they get data, they can do everything that they want, and also get identities. And when the attacker is already in the environment, it is really, really hard to get them out.

To protect customers and to also provide them with recommendations on what to audit, Microsoft has released security baselines, which are part of the Microsoft Security Compliance Toolkit. In this security toolkit there are not only baselines, there is also a tool to compare the baselines called Policy Analyzer. If we take a closer look at the baseline itself, we see that there are audit policies within, so that you can configure additional event IDs that will be generated if you apply this baseline. Just be careful when applying this baseline, because there are also other settings within that can easily break your environment, so audit, make a plan and then apply the settings. But those audit policies here, they just create additional event IDs.

So I also was at a customer and I recommended: oh yes, we do have these baselines, you should apply them to better security audit your environment. And the customer asked me: well, do you actually know what event IDs will be generated if I apply this baseline? Do you have documentation somewhere? And I was like: well, no, we don't have documentation on that. So the customer asked me to write down all the event IDs that would be generated if they applied a certain security baseline. So I sat down and worked on the first baseline, when the customer approached me and asked me: oh, and while you're at it, could you maybe also write down the events that would be generated if I applied this baseline, this baseline, this baseline, oh, and this baseline too? And I was like: no way, because that was way too much work. So I thought about it and I was like: okay, if I don't have the time to write down every event ID that would be generated by a thousand baselines, what can I do? And the answer was: well, I can automate it. This was the time when the first version of EventList was born. Back then it was just an Excel sheet with some macros behind; there was an option to import baselines and then you could just generate an event list for a certain baseline. So the customer was happy because they could just see what events would be generated, and I'm done, I went to the next customer. And the customer was like: okay, nice, EventList is great, but actually, do you know MITRE ATT&CK, and is there an option to include MITRE ATT&CK into your tool?

So if you don't know MITRE ATT&CK yet: most of you might have heard about it, but for those who have never heard about it, just a short explanation. MITRE ATT&CK is a framework to systematically map attacker behaviors into categories, to help closing gaps in organizations' cyber defense and protection, and in this picture you see the techniques mapped to the data sources. But let's get back to that later. This is how it looks on the MITRE ATT&CK website: you see there are different areas and several techniques within those areas, and if you open one of the techniques there are some recommendations, not only recommendations, also descriptions of what the attacker can do within this attack. It just helps organizations to better understand what an attacker is capable of and how they can protect their resources. As I said, this picture here just displays the MITRE ATT&CK techniques mapped to data sources. We are only talking about the Windows event logs here as a data source, so this is not everything about MITRE ATT&CK, it is just a small area, but it is a very important one.

So if you build your own SOC from scratch, or if you want to detect attackers in your environment, what is important? First of all, if you apply a particular baseline, what events are being generated? Secondly, if you already know what events are being generated and you want to forward your events into your SIEM system: many customers have the problem that they don't have all the storage space in the world, so maybe it would make sense to only forward the events that are useful for security detection. So secondly, you want to know which events should be forwarded. And last but not least, if you have all the data in one place, what do you do with that data? Some people say: okay, we keep it for maybe forensic reasons. Well, if you just keep it for forensic reasons and if you never hunted within it, then you are super helpless if there is a breach, and if you never worked with the data, you will also not work with the data in that moment. So last but not least, you want to proactively hunt in this data to find out if there is something strange going on.

And this is how the first version of EventList was created. So then I moved to PowerShell and created a PowerShell UI, so that the customer or the user could just select a baseline and see directly what events are being generated. Not only the events, they could also find out which MITRE ATT&CK techniques and areas would be affected, and there's a lot more that I will demonstrate later within my demo. This tool was, or is, already released; I released it sometime last year, and since then I also received some asks: okay, maybe can you also open it for the CLI, so that we can automate our own detections, our own baselines? And yes, I worked on it, and let me present EventList version two, now also with PowerShell CLI support.

So let's first have a look at the user interface. You can open it by typing in Open EventList GUI, and the user interface opens. You have the option to select a baseline and to immediately see which MITRE ATT&CK techniques are being populated. You can also import your own baselines, or Microsoft security baselines, or backed-up GPOs. You can also delete all baselines or only one baseline, and you still have all the very first functionality of generating an event list to see what events would be generated if you apply a certain baseline. You can also say: okay, I want to select several MITRE techniques and areas and I want to see what events I need to monitor if I want to detect those techniques, by selecting all MITRE ATT&CK events.

Let's check it out on the command line. You can see all the commands that are available by running the Get-Command command, and to see all the baselines that are available, that are already in the database behind, you can just run the get baseline name from DB command. You can also say: okay, I just want to check for a particular baseline, so let's see if this baseline is already in the database. This makes sense, for example, if you just automate something with this command. So let's check if the domain controller for Windows Server 2019 baseline is already in the database, and you see, okay, there's our output, it is in the database. If you just add something that is not in the database and run it, you just get no output at all. You can also remove all baselines in the database, so if you run the remove all baselines command, nothing is in the database anymore. But I already prepared some baselines; those are the latest and greatest baselines that you can download from Microsoft, and if you just import them, the database populates again with all the baselines, and once the import is through, you can see what baselines are now in the database. And let's check, so here we go again: if you want to just automate it and you say, okay, the third one here in the database, this baseline is out of date and you want to remove it, you can select it with the index and remove one baseline, and now if you check for that Windows 10 baseline, you see in the get baselines that it is gone.

To get all the event IDs that would be configured from a particular baseline, you can use the get baseline event list command and type one baseline into it, and here we go, you get all the event IDs and also the links to the additional information, just as a nice object. You can also say: okay, I just want to have it in Out-GridView, to have my old view again. So let's move on to the next. If you remember, here in EventList, you remember "generate event list" and "generate all MITRE ATT&CK events". If we want to perform this from the command line, then we have here the get MITRE event list command, and if we run it we get all the event IDs, all mapped to the MITRE ATT&CK techniques. Now this takes some time, because there are a lot, and yes, there is still some help needed to fill in the database with all the event ID names and also additional information. If you just want to have it again in the Out-GridView, this makes it easier to just check it. You can also say: I just want this particular baseline piped to the MITRE event list, and well, it basically has the same effect as piping in the baseline name here. But you can also type in, or say: I want to see what events are being mapped to these techniques, by just mentioning the techniques, or just one technique, within the identity parameter. You can either specify the baseline name or the techniques.

So that was the first functionality, and somehow I closed EventList. We also have other functionalities within EventList. If you remember my presentation earlier, I mentioned that there is another problem when building your SOC: if you have limited storage space, you maybe don't want to forward all the event IDs that are available, so you want to select. But this is super annoying, to write down every single event ID that you want to forward, and to simplify this annoying task I also created the generate agent config within EventList. Now you can just select the forwarder agent that you would like to create a configuration snippet for, and here, for XPath-based SIEM systems, you can just use the XPath and copy and paste it to your configuration; similar for Splunk. And yes, at this very moment you don't need to restrict event IDs for Microsoft Defender ATP. So let's see how this looks on the CLI. We definitely need the forwarder name, so in this case I choose Splunk Universal Forwarder, and we need a technique that we want to create an agent config string for. We can also select several techniques, and here we are with all our event IDs that are necessary to cover these techniques, also if you select more techniques or another forwarder name. And yes, Microsoft Defender ATP still has an easter egg configured. But you don't have to rely only on the technique IDs, because it is annoying to write down all the technique IDs for one baseline; you can also just pipe in one baseline or one GPO and just get your very own agent config for this baseline.

In EventList there is also another possibility. If you say, for example: I want to select several techniques or several areas, and for whatever reason you have, I only want to create a GPO for those techniques, then you can just select the MITRE ATT&CK techniques and click on "generate GPO". Now the folder picker starts and you can just choose where you want to store your very new GPO, and here's your brand new GPO that allows you detecting for all the selected MITRE ATT&CK techniques. We can also do this from the command line: we can also type a baseline name into the get group policy from MITRE techniques command, but you can also pipe the techniques into it. So for example, you can pipe in the techniques in there and generate your very own GPO. Let's check it, it's in here, and here's your latest GPO. You can also only select one identity and just create another GPO for that.

So last but not least, if you remember the last issue, the hunting queries: if you have all the data in one place and you want to hunt through that data, I have implemented another solution within EventList, and this solution relies on Sigma. So what is Sigma? Sigma is a converter that converts a generic signature description, which is in a YAML file, into the query language of your choice. To do that I have implemented the "generate queries" button within the PowerShell GUI, and you can just choose the language of your choice and then create your queries. You could also just generate the queries in generic YAML format, just to see what techniques would be covered by what. If you don't have Sigma installed on your system and you just choose "generate Sigma queries", then you would just get the syntax that you can pipe into your Sigma installation. But if you have Sigma installed on your system and if you have it configured here, then you can just choose the option to generate queries, and all the queries will already be translated into the SIEM system of your choice.

So let's look on the command line. To see all the supported SIEM systems you can just run this command. Now if we say, okay, I want to generate all the Sigma queries for these three techniques, then I need to specify the path where the Sigma queries will be written to and the name of your SIEM system, and just run the query, and here we go, our very own query in the markdown file. You get your output as well in markdown, and here you see, as I said, or as I foretold, if Sigma is not configured yet, you just get the command that you can type into your Sigma backend. You see the YAML files in the YAML folder, so you just need to copy the whole folder, and you see, just the log in here, they are not logged, but you see that the queries are just in here. If you don't want to have a description and just copy and paste all the queries, then you can just use this file. Okay, but you can also type in a baseline as usual, and you see, oh okay, at this moment you see nothing, but now you see something. So here, same thing in green: all your not yet translated, but command to have it translated later. And you can also, of course, just type one technique into it. Let's see how it looks if you just specify that you want to have it in the YAML format without having the command, and you just have a markdown file, so you just get the pure YAML output here that you can use for further analysis and do whatever you like with your YAML output; a similar thing goes for a baseline or one technique.

But now let's add the Sigma path to your configuration, so that the system knows where the Sigma path is and so that Sigma can be used. Let's check: yes, we configured our Sigma path. We can also remove the configuration again with this command. But now, having the Sigma path configured, we can just say: okay, let's just translate it directly by Sigma, and this takes some time, so the log fills as it's working. When all the files are in this folder, so also the markdown file, then the process is finished. Let's give it some more seconds; within the log you see what commands have already been processed and converted to the SIEM language of your choice, but you also see if, for example, Sigma does not yet support a specific rule, and then you can maybe also develop the rule by yourself or ask for support from the Sigma team. Now that it's finished, you see the event log and the EventList queries that you can just copy and paste, and you also see the markdown, and now you see that it's just nicely translated into the SIEM language of your choice. You can also, of course, type in your baseline and also just provide one technique. If you want to remove all the YAML configurations, you can of course also do it, and also import your own YAML configurations. And also, if there was an update on the Sigma platform, you can just import all new YAML configurations in there and have them available for your Sigma SIEM query creation. Yes, and now let's take some time, yada-yada-yada, and once it's configured, or once it's imported, it will be available in the database. But let's switch back to the presentation.

So, are you interested in contributing to EventList? Do you have any amazing ideas that you would like to see implemented? Do you have any ideas for new features, or do you just want to help to implement cross-platform support and to improve the data? Then please, I would be super happy to have you on the team to improve EventList; just create a pull request or contact me, I'm super happy to work with you on this project. So what you should have learned in this session is that security auditing is amazing and you should do it way more often. EventList can help you with that, and now we can also automate it all on the command line. And last but not least: automate all the things! I'm super interested to know what your use case is, let me know, connect with me on Twitter, I'm excited to see how you will use EventList. You will find all the slides and also the demo code on the official PSConfEU GitHub repository, and you will find the EventList code on my GitHub repository. Already mark those days, June 1 to 4 2021, in your calendars, because this is the date of the next PowerShell conference, and hopefully this will be again in person. So I'm super looking forward to seeing you all there, I really miss you guys, and I'm happy to see you all next year again in Hannover when PSConfEU 2021 takes place. Thank you so much for your attention, have fun with EventList and have a great day. I see you next year, bye bye.
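The three steps the talk walks through (which event IDs a baseline's audit policies generate, which ATT&CK techniques those events cover, and an XPath forwarder snippet for only the needed IDs) as an added PowerShell example; this is not EventList's own code, and the subcategory and technique mappings are constructed samples, not the module's database.

```powershell
# Added example (not the EventList module's own code). Constructed sample data:
# the audit subcategory -> event ID table and technique -> event ID mapping are
# illustrative, not the full mapping the tool's database holds.
$SubcategoryEvents = @{
    'Audit Process Creation'           = @(4688)
    'Audit Process Termination'        = @(4689)
    'Audit Logon'                      = @(4624, 4625, 4648)
    'Audit Other Object Access Events' = @(4698, 4699, 4702)
}

# Constructed mapping of MITRE ATT&CK technique IDs to the Security-log
# event IDs that give visibility into them (sample values only).
$TechniqueEvents = @{
    'T1059' = @(4688)               # Command and Scripting Interpreter
    'T1078' = @(4624, 4625, 4648)   # Valid Accounts
    'T1053' = @(4698, 4702)         # Scheduled Task/Job
}

# A constructed "baseline": the audit subcategories it turns on.
$Baseline = @('Audit Process Creation', 'Audit Logon')

function Get-BaselineEventIds {
    # Step 1: which event IDs does this baseline generate?
    param([string[]]$Subcategories)
    $Subcategories | ForEach-Object { $SubcategoryEvents[$_] } | Sort-Object -Unique
}

function Get-CoveredTechniques {
    # Step 2: a technique counts as covered only if every event ID it needs exists.
    param([int[]]$EventIds)
    $TechniqueEvents.Keys | Where-Object {
        $needed = $TechniqueEvents[$_]
        @($needed | Where-Object { $EventIds -notcontains $_ }).Count -eq 0
    } | Sort-Object
}

function New-WefXPathQuery {
    # Step 3: the <QueryList> block a WEF subscription or XPath-based collector
    # takes, restricted to the IDs the selected techniques need.
    param([string[]]$Techniques)
    $ids = $Techniques | ForEach-Object { $TechniqueEvents[$_] } | Sort-Object -Unique
    $filter = ($ids | ForEach-Object { "EventID=$_" }) -join ' or '
    @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[($filter)]]</Select>
  </Query>
</QueryList>
"@
}

# Run the three steps against the constructed baseline and two techniques.
$ids = Get-BaselineEventIds -Subcategories $Baseline
"Baseline generates: $($ids -join ', ')"
"Techniques covered: $((Get-CoveredTechniques -EventIds $ids) -join ', ')"
New-WefXPathQuery -Techniques 'T1059', 'T1078'
```

With the sample data the baseline yields 4624, 4625, 4648 and 4688, which covers T1059 and T1078 but not T1053 (no 4698/4702), and the XPath selects exactly those four IDs from the Security log.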
Info
Channel: PowerShell Conference EU
Views: 1,193
Rating: 5 out of 5
Keywords: PowerShell, Core, psconf.eu, psconfeu, keynote, Jeffrey, Snover
Id: nLoL7nj4aqU
Channel Id: undefined
Length: 34min 50sec (2090 seconds)
Published: Mon Jun 01 2020