This repo contains the code used in our talks at Derbycon 7, BSides Detroit 2017, and Bloomcon 0x2.
Slides for the talk are here: https://bit.ly/WinLogsZero2Hero
The 3 live presentations are here:
Bloomcon: https://youtu.be/H3t_kHQG1Js?t=1m44s
Derbycon: https://www.youtube.com/watch?v=8AKxt-5RB6w
BSides Detroit: https://www.youtube.com/watch?v=jiHP0nQoAfs
The scripts and configs here cover:
- Deploying Sysmon: checks the installed version and upgrades it if a newer one is shipped, installs it if it is missing, and enables/starts the service if it is stopped, disabled, or not running.
- Cuckoo Sandbox Windows Event collection
- Logstash enrichment examples for PowerShell logs
- Enabling ETW (Event Tracing for Windows) logging for WMI activity and collecting it via WEF (Windows Event Forwarding)
- Collecting the DNS Server debug log via WEF
- Example of collecting the ARP table continuously via WEF
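The Sysmon deployment logic described in the first bullet, as an added example written for this README rather than the repo's own deployment script. It assumes the 64-bit binary (Sysmon64.exe) and a config file named sysmonconfig.xml sit next to the script (for example on a share that a GPO startup script runs from), that Sysmon installs itself to %SystemRoot%\Sysmon64.exe with the service name Sysmon64 (its default), and that the script runs elevated on the target host.

```powershell
# Added example, not the repository's own script.
# Assumptions: Sysmon64.exe and sysmonconfig.xml are next to this script,
# Sysmon installs to %SystemRoot%\Sysmon64.exe as service 'Sysmon64' (default),
# and this runs as an elevated account (e.g. a GPO startup script).
param(
    [string]$SysmonExe    = (Join-Path $PSScriptRoot 'Sysmon64.exe'),
    [string]$SysmonConfig = (Join-Path $PSScriptRoot 'sysmonconfig.xml'),
    [string]$ServiceName  = 'Sysmon64'
)

$ErrorActionPreference = 'Stop'

# Version we ship, read from the binary's own file metadata.
$wantedVersion = [version](Get-Item $SysmonExe).VersionInfo.ProductVersion

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

if (-not $svc) {
    # Case 1: not installed. Install with the config and accept the EULA non-interactively.
    Write-Host "Sysmon not present, installing $wantedVersion"
    & $SysmonExe -accepteula -i $SysmonConfig
    exit $LASTEXITCODE
}

# Case 2: installed. Compare the installed binary's version with the one we ship.
$installedExe     = Join-Path $env:SystemRoot "$ServiceName.exe"
$installedVersion = [version](Get-Item $installedExe).VersionInfo.ProductVersion

if ($installedVersion -lt $wantedVersion) {
    Write-Host "Upgrading Sysmon $installedVersion -> $wantedVersion"
    & $installedExe -u force                      # remove old service and driver
    & $SysmonExe -accepteula -i $SysmonConfig     # install the shipped version
    exit $LASTEXITCODE
}

# Case 3: same version. Make sure it is enabled and running, then (re)apply the config.
if ($svc.StartType -ne 'Automatic') {
    Write-Host "Sysmon service is $($svc.StartType), setting it to Automatic"
    Set-Service -Name $ServiceName -StartupType Automatic
}
if ($svc.Status -ne 'Running') {
    Write-Host "Sysmon service is $($svc.Status), starting it"
    Start-Service -Name $ServiceName
}
# Re-pushing the config is harmless when nothing changed and picks up config edits
# without a reinstall.
& $installedExe -c $SysmonConfig
exit $LASTEXITCODE
```

The version comparison uses the binary's own ProductVersion rather than a hard-coded string, so bumping Sysmon is just dropping the new exe on the share. Upgrading with `-u force` and a fresh `-i` rather than `-c` alone matters because a config push does not replace the driver; only a reinstall does.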