Maik Ro
Jun 1 · 23 tweets · 16 min read
Day 1️⃣3️⃣ - Becoming a SOC analyst 💙

How to supercharge your AD log collection with Sysmon:
You have a shiny new toy - a SIEM for your HomeLab 🎉

But some of you wondered: what now?
What do you do with the SIEM and the agents?

Allow me to share:
Generally the @wazuh agents come with some pre-configurations out-of-the-box

For example, there is a CIS hardening benchmark for your operating system

Find them here: learn.cisecurity.org/benchmarks
HUH?
How do I look at the scores of those?

You open the Wazuh dashboard and click on one of the agents
In the bottom right corner you will now see the CIS score

Ouch, 33% out-of-the-box for the Windows 10 machine - not great, but kinda expected 😅
If you are a system administrator or generally the only one caring about security at your company…

You might want to look into the failed options

If you want another hardening guide, look here: bsi.bund.de/EN/Service-Nav…
Ok, long story short: there are some tests being run by Wazuh without you needing to know anything about security 🌈

But what if you know something about security?!

What can you do with a SIEM?
From a high-level view you would usually have two or three stages of an attack

1. Preparation 👩‍🍳
2. Incident/Detection 🕵️‍♀️
3. Cleanup/Postmortem ☠️

I don't like the sound of the last word.

Fear not, we will handle it together
The SIEM has a couple of concepts that allow it to detect malware / hackers.

(Detection) Rules

We call these means of detection rules; each rule (usually) identifies one piece of malware or one malicious action
Secret-Time: There is one magical tool that helps defenders with the “fun” that is Windows log collection

It is part of the sysinternals collection by @markrussinovich - the name is sysmon

& you can get it here:
technet.microsoft.com/en-us/sysinter…
Download sysmon64.exe and you could run it with the default configuration

BUT DONT!

There is a repository that was started by the great @SwiftOnSecurity (github.com/SwiftOnSecurit…)

BUT
that one is outdated / not maintained anymore 😭

Hold your horses - someone took over the reins and keeps it alive here: github.com/Neo23x0/sysmon…

or a modular approach:
github.com/olafhartong/sy…

now download the XML: raw.githubusercontent.com/olafhartong/sy…
You are now well prepared, all you have to do is open an (administrator) terminal & run

sysmon64.exe -i sysmonconfig.xml

pointing it to the sysmonconfig.xml that you downloaded
Once that is done you should see output similar to the screenshot below
Wonderful,

Now sysmon is installed and …

Huh? What now?

We need to tell the wazuh agent to monitor sysmon events

but how?!?!!??!!
go to C:\Windows\ and right click “notepad.exe” - open as administrator

then File → Open → open the ossec.conf in C:\Program Files (x86)\ossec-agent

and change the following
below the first Log Analysis entry add:

  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
cool cool cool 😎

the last step for today is to change the local_rules.xml on the wazuh server machine
  <group name="sysmon,">
    <rule id="255000" level="10">
      <if_group>sysmon_event1</if_group>
      <field name="sysmon.image">\\powershell.exe||\\.ps1</field>
      <description>Sysmon - Event 1: Bad exe: $(sysmon.image)</description>
      <group>sysmon_event1,powershell_exec,</group>
    </rule>
  </group>
add this and restart wazuh-manager with

systemctl stop wazuh-manager
systemctl start wazuh-manager
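To see what the rule above is meant to fire on, here is an added example (my code, not part of the thread and not Wazuh code) that parses constructed Sysmon Event ID 1 records in the Windows event-log XML layout, applies the rule's two image conditions (a powershell.exe image or a .ps1 image) and expands `$(sysmon.image)` in the description the way Wazuh does. The matching is plain Python rather than Wazuh's own regex engine, and every event and path is constructed; it only illustrates the rule's intent and the effect of `<if_group>sysmon_event1</if_group>`.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Properties of the rule as written in local_rules.xml above.
RULE = {"id": 255000, "level": 10,
        "description": "Sysmon - Event 1: Bad exe: $(sysmon.image)"}

def make_event(event_id: int, image: str, command_line: str) -> str:
    """Build a constructed Sysmon event in the Windows event-log XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID><Channel>{SYSMON_CHANNEL}</Channel></System>'
            f'<EventData><Data Name="Image">{image}</Data>'
            f'<Data Name="CommandLine">{command_line}</Data></EventData></Event>')

def parse_event(xml_text: str) -> dict:
    """Return EventID plus the EventData fields keyed by their Name attribute."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return fields

def image_matches(image: str) -> bool:
    """The two alternatives of <field name="sysmon.image">: a powershell.exe or .ps1 image."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name == "powershell.exe" or name.endswith(".ps1")

def evaluate(xml_text: str) -> Optional[dict]:
    """Fire the rule on one event; None means no alert (Wazuh would stay silent)."""
    ev = parse_event(xml_text)
    # if_group sysmon_event1 restricts the rule to process-creation events (ID 1).
    if ev["EventID"] != 1 or not image_matches(ev.get("Image", "")):
        return None
    return {"rule_id": RULE["id"], "level": RULE["level"],
            "description": RULE["description"].replace("$(sysmon.image)", ev["Image"]),
            "command_line": ev.get("CommandLine", "")}

# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    make_event(1, r"C:\Windows\System32\notepad.exe", "notepad.exe ossec.conf"),
    make_event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"powershell.exe -File C:\Users\lab\backup.ps1"),
    make_event(3, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ""),
]

def run(events=SAMPLE_EVENTS) -> list:
    """Alerts for every event the rule fires on, in input order."""
    return [a for a in map(evaluate, events) if a is not None]

if __name__ == "__main__":
    for alert in run():
        print(f"[rule {alert['rule_id']} level {alert['level']}] {alert['description']}")
```

Only the second sample fires: the notepad image does not match, and the third event carries a matching image but is a network-connection event (ID 3), which the `sysmon_event1` group excludes.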
In the next thread 🧵 we go over the command and see what it does

… or you can post it in the replies for the others to see how smart you are! 🤓
If you liked this thread
→ follow me @maikroservice for frequent updates on the course(s) I am building

If you want to have regular updates with more text/pictures
(every first Saturday)
→ head to:
subscribepage.io/maikroservice-…
