Today I had the great opportunity to present at the Wild West Hackin’ Fest conference on the potential dangers of logging everything. The talk is based on my previous post “Log Everything Right?”, which highlighted the risks of logging everything.
In the talk I also discussed options to identify passwords stored in Sysmon and PowerShell logs using a KANSA IR module that looks for common processes that may carry passwords on their command line.
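As an added illustration of that approach (this is not the KANSA module from the talk, and the tool patterns, field names and sample events below are my own assumptions and constructed data), the following Python scans Sysmon Event ID 1 process-creation records for command lines of common administrative tools that accept a password as an argument. A finding reports where the credential was exposed but redacts the secret itself, so the triage output does not spread the password into yet another log:

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample Sysmon Event ID 1 records, reduced to the fields a
# KANSA-style collector would pull from the event log. Made-up data, not
# real log output; the credential values are placeholders.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fileserver\share /user:CORP\svc_backup Summer2019!"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "$p = ConvertTo-SecureString -String \'P@ssw0rd\' -AsPlainText -Force"'},
    {"EventID": 1, "Image": r"C:\Tools\SQLCMD.EXE",
     "CommandLine": 'sqlcmd -S db01 -U sa -P sa_password_here -Q "SELECT 1"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn Backup /tr C:\backup.bat /sc daily /ru CORP\svc_backup /rp Winter2019!"},
]

# Assumed patterns for tools that commonly take a password on the command
# line. Each regex captures the secret in a named group so it can be redacted.
# This list is illustrative; a real module would carry many more entries.
CREDENTIAL_PATTERNS: List[Tuple[str, Pattern]] = [
    # net use \\server\share /user:DOMAIN\name <password>
    ("net use", re.compile(r"net(?:\.exe)?\s+use\b.*?/user:\S+\s+(?P<secret>\S+)", re.I)),
    # ConvertTo-SecureString -String '<password>' -AsPlainText
    ("ConvertTo-SecureString",
     re.compile(r"ConvertTo-SecureString\b.*?-String\s+['\"]?(?P<secret>[^'\"\s]+)", re.I)),
    # sqlcmd -P <password>  (upper-case -P only; lower-case -p is a different switch)
    ("sqlcmd", re.compile(r"(?i:sqlcmd)\b.*?\s-P\s+(?P<secret>\S+)")),
    # schtasks ... /RP <password>
    ("schtasks", re.compile(r"schtasks\b.*?/rp\s+(?P<secret>\S+)", re.I)),
]

REDACTED = "<redacted>"


def find_exposed_credentials(events: List[Dict]) -> List[Dict]:
    """Return one finding per process-creation event whose command line
    matches a credential pattern. The secret is replaced by a marker and
    only its length is kept, so the finding itself is safe to log."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process creation events
            continue
        cmd = ev.get("CommandLine", "")
        for rule, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(cmd)
            if not m:
                continue
            start, end = m.span("secret")
            findings.append({
                "rule": rule,
                "image": ev.get("Image", ""),
                "redacted_command": cmd[:start] + REDACTED + cmd[end:],
                "secret_length": end - start,
            })
            break                            # one finding per event is enough
    return findings


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']}\n    {f['redacted_command']}")
```

The same matching logic can be pointed at PowerShell script block logs (Event ID 4104) by feeding the script text in place of the command line; the patterns for `ConvertTo-SecureString` apply there unchanged.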
You can find the slides from my talk — https://docs.google.com/presentation/d/12rMlIRE3136TlRnbhs65V-rqZTo_u-T7raEwUu2P2L4/edit?usp=sharing
Resources discussed at the end of the talk:
- PowerShell for the Blue Team — https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
- PSScript Analyzer — https://github.com/PowerShell/PSScriptAnalyzer
- BHIS — The logs you are looking for — https://www.youtube.com/watch?v=jL6Somex_58
- Sysmon Tampering — https://medium.com/@olafhartong/endpoint-detection-superpowers-on-the-cheap-part-3-sysmon-tampering-49c2dc9bf6d9
- Securing your PowerShell Operational Logs — https://blogs.technet.microsoft.com/kfalde/2017/05/13/securing-your-powershell-operational-logs/
- Protected Event Logging — https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-6
- Sigma — https://github.com/Neo23x0/sigma
- SwiftOnSecurity Sysmon Config — https://github.com/SwiftOnSecurity/sysmon-config