
Helpful or Useful External Tools Information

Ceramicskate0 edited this page Apr 6, 2020 · 28 revisions

I did not create and do not maintain any of the projects below. Please note that as of 2019 my research in this area has stopped.

SYSMON:

POWERSHELL SCRIPT BLOCK LOGS:

  • Enabling this is required for full SWELF operation and gives you, the end user, full visibility into what PowerShell is doing on your endpoint.

REF: https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script

REF: https://www.youtube.com/watch?v=LNlxGXGJPl8&list=PL86LRT7At_ApvpCOiq450K6Cl7NDDgjGM&index=14

Windows Defender Exploit Guard

  • Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps. If you are unable to run it in prevention mode, an audit mode exists for most of the product's detections. A reference by Microsoft can be found at the link below.

REF: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard

Enable Task-Scheduler Logging

  • wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true

Detect Injected Thread:

  • Used for memory-resident (fileless) malware, which often uses a form of memory injection to get code execution. Get-InjectedThread looks at each running thread to determine if it is the result of memory injection.

REF: https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2

Get-ClrReflection:

  • Scans all processes for executables that are in memory regions of MEM_MAPPED type, PAGE_READWRITE permissions, and are not associated with a file on disk. These criteria are consistent with memory-only CLR (.NET) reflection and are considered suspicious.

REF: https://gist.github.com/dezhub/2875fa6dc78083cedeab10abc551cb58

Get-Doppelgangers:

  • Scans all processes for memory sections that are MEM_IMAGE but return ERROR_TRANSACTION_NOT_ACTIVE when querying the associated section file name object. This is typical for sections that are associated with rolled back transactions.

REF: https://gist.github.com/dezhub/6d2a3ced01aaf081da841f4761455c5f

DeepBlueCLI:

  • DeepBlueCLI 2.0. Eric Conrad, Backshore Communications, LLC. deepblue at backshore dot net.

REF: https://github.com/sans-blue-team/DeepBlueCLI

Revoke Obfuscation:

  • Revoke-Obfuscation is a PowerShell v3.0+ compatible PowerShell obfuscation detection framework.

REF: https://github.com/danielbohannon/Revoke-Obfuscation

You want SWELF's creator to centrally configure SWELF for you (at your own risk, of course)

  • Use this URL:

REF: https://github.com/ceramicskate0/SWELF/wiki/SWELF-Central-Configuration

SWELF Desktop Alerts

  • I had a need to be alerted on my desktop when SWELF found something, so I wrote something to do that. It fires via a scheduled task linked to an event log ID produced by SWELF. I pass what I want it to say via command-line args to the application. Now I have desktop notifications for SWELF-detected events.

REF: https://github.com/ceramicskate0/App_to_Fire_Balloon_Tip_on_passed_CMD_Args

Autoruns Plugin (An Idea)

  • So you want to run Sysinternals Autoruns every time SWELF does and send the result as a log, like all the other SWELF plugins, but don't want to build it from scratch. A starting point for doing this yourself is the information below. I also have a batch script in a repo (https://github.com/ceramicskate0/Scripts/blob/master/WindowsBatch/CollectAutoRunsRemote.cmd) that will pull Autoruns output remotely. Both are good places to start when you make your own. I don't recommend just copy-paste-run here; MAKE ONE THAT WORKS FOR YOU!

REF: https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog

SWELF RESET Script

@echo off
rem SWELF reset: removes the SWELF registry key and the on-disk state SWELF keeps
set /p SWELFFilePath="Please enter the folder path that SWELF resides at (ie C:\SWELF): "
rem Remove the registry key (32-bit view on 64-bit Windows); /f suppresses the confirmation prompt
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SWELF /f
rem Delete the files in each SWELF state folder; paths are quoted so folders with spaces work,
rem and /q suppresses the per-folder "Are you sure" prompt
del /q "%SWELFFilePath%\Config"
del /q "%SWELFFilePath%\Log_Searchs"
del /q "%SWELFFilePath%\Plugins"
del /q "%SWELFFilePath%\SWELF_Logs"

References on where to start finding what to hunt for (Searchs.txt):

Help/starting place for Log Hunting
