<!-- .slide: class="title" --> ## The Windows Event Logs <img src="windows_event_logs_title.svg" style=""> --- <!-- .slide: class="content" --> ## The Windows Event Logs * The original and main use case of Sigma Rules <img src="traditional_siem.png" style=""> --- <!-- .slide: class="content" --> ## The Windows Event Logs * Pros: * Built into the system * Many solutions for forwarding events * Cons: * Tradeoff between events to forward and network traffic/scale * Detection happens in SIEM so does not work offline * Long lead times between detection and response --- <!-- .slide: class="content" --> ## Exercise ### Write the previous detection as a Sigma Rule * Create a new notebook - Use Default Template <img src="new_notebook.svg" style=""> --- <!-- .slide: class="content small-font" --> ## Exercise ### Add a new VQL Cell <img src="add_cell.svg" style="max-height: 60vh"> --- <!-- .slide: class="content small-font" --> ## Exercise ### Write a Sigma rule to target PsExec! <img src="writing_sigma_rule.svg" style="max-height: 60vh"> --- <!-- .slide: class="content small-font" --> ## Exercise ### Write a Sigma rule to target PsExec! ```sql LET Rules = ''' title: Detect PSExec Service logsource: product: windows service: sysmon detection: eventId: EventID: 1 selection2: Image|re: psexesvc.exe$ condition: eventId and selection2 ''' SELECT * FROM Artifact.Windows.Sigma.Base(SigmaRules=Rules) ``` --- <!-- .slide: class="full_screen_diagram small-font" --> ## Exercise ### Test the new rule <img src="writing_sigma_rule_test.png" style=""> --- <!-- .slide: class="content" --> ## Using Curated Rule Sets for triage * Quickly determine what happened! * Rules can be fairly noisy * Can take a long time! --- <!-- .slide: class="full_screen_diagram small-font" --> ## Using Curated Rule Sets for triage ### The Windows.Hayabusa.Rules artifact <img src="hayabusa_rules.svg" style=""> --- <!-- .slide: class="full_screen_diagram small-font" --> ## Using Curated Rule Sets for triage ### Collect the artifact from the endpoint! <img src="collecting_hayabusa_rules.svg" style=""> --- <!-- .slide: class="full_screen_diagram small-font" --> ## Using Curated Rule Sets for triage ### Collect the artifact from the endpoint! <img src="collecting_hayabusa_rules_logs.svg" style=""> --- <!-- .slide: class="full_screen_diagram small-font" --> ## Using Curated Rule Sets for triage ### Inspect the results <img src="collecting_hayabusa_results.svg" style=""> --- <!-- .slide: class="full_screen_diagram small-font" --> ## Using Curated Rule Sets for triage ### Stack results: See what type of rules fired! <img src="collecting_hayabusa_stack.svg" style=""> --- <!-- .slide: class="full_screen_diagram small-font" --> ## Using Curated Rule Sets for triage ### Inspect hits <img src="collecting_hayabusa_stack_hits.png" style=""> --- <!-- .slide: class="content" --> ## Using Curated Rule Sets for triage ### Summary * The curated rules are very noisy! * This is OK for triage purposes * We just want to get the `vibe` of the compromise! * We can drill down later with specific artifacts. * Performing the triage as a hunt can quickly triage the entire environment! --- <!-- .slide: class="content small-font" --> ## Using Curated Rule Sets for triage ### Triage with on-endpoint Sigma evaluation vs. SIEM with log forwarding * SIEM log forwarder needs to balance tradeoffs: * Which event logs to forward * Only forwarded events can be triaged * Higher storage costs * Higher bandwidth from endpoint * Endpoint must be online * On endpoint evaluation: * Can access obscure or very noisy event logs 🙂 * Can be done at scale 🙂 * Efficient network transfers 🙂 * Susceptible to log file erasure! 😟 --- <!-- .slide: class="content" --> ## Customizing the Velociraptor Artifacts ### Managing your own Sigma Rules * Sigma rules need tuning in many cases: * Some Sigma Rules are too noisy for your environment * We want to remove them * Custom Sigma Rules need to be added to your environment * Some Rules need to be modified. --- <!-- .slide: class="content small-font" --> ## Exercise: Create your own custom pack! ### Download the artifact pack for the `Windows.Hayabusa.Rules` artifact <img src="customizing_artifact_1.svg" style="max-height: 60vh"> --- <!-- .slide: class="full_screen_diagram small-font" --> ## Exercise: Create your own custom pack! ### Unpack it on the disk ### Create a new directory, add your new custom rule into it. <img src="customizing_artifact_2.svg" style="max-height: 60vh"> --- <!-- .slide: class="content small-font" --> ## Exercise: Create your own custom pack! ### Repack the artifact into a new artifact. <img src="customizing_artifact_3.svg" style="max-height: 60vh"> --- <!-- .slide: class="content small-font" --> ## Exercise: Create your own custom pack! ### Import the new artifact <img src="import_custom_artifact.png" style="max-height: 60vh"> --- <!-- .slide: class="content small-font" --> ## Exercise: Create your own custom pack! ### Collect new artifact <img src="custom_artifact_results.png" style="max-height: 60vh">