Thanks Kris for a great session today! 

Kris used quite a few queries which are listed below for you to test out and use on your network:

And he also referenced using CTF events or other online resources to learn attacker tactics, so that you can better defend against those attacks in your environments. Here are a few sites that he personally recommends: 

I hope those are all useful to you - let me know in the comments if you have anything else that others might benefit from!

Great seeing all of you on the sessions this week - see you Tuesday for session 4.

  • I copied it from the screen when they showed it. When I run it the Where event IN (4672, 4624,4625) only shows events for 4624, when I remove 4672 and 4624 and leave only 4625, my 4625 results are shown. Not sure why the loop does not run all the way through. 

    -- Live Discover query as copied; SELECT restored, the JSON column name
    -- (data) supplied, and the trailing comma before FROM removed.
    SELECT
        datetime(time, 'unixepoch') Date_Time,
        Count(task_message) Logon_Count,
        JSON_EXTRACT(data, '$.EventData.LogonType') LogonType,
        JSON_EXTRACT(data, '$.EventData.IpAddress') IP_Address,
        JSON_EXTRACT(data, '$.EventData.TargetUserName') TargetUserName
    FROM sophos_windows_events swe
    -- $$UserName$$ is the Live Discover variable filled in at run time
    WHERE eventID IN (4625) AND time > strftime('%s','NOW','-90 DAYS') AND TargetUserName LIKE '%$$UserName$$%'
    -- one result row per LogonType, so events of different IDs with the same type are counted together
    GROUP BY LogonType;
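An added reproduction (not from the session or the comment author) of how the GROUP BY clause decides how many rows a query like this returns: a handful of constructed rows are loaded into an in-memory SQLite table standing in for sophos_windows_events (column names time, eventid, task_message and data are assumed), and the same logon query is run grouped by LogonType alone and by eventid plus LogonType.

```python
import sqlite3

# Constructed sample rows (not real telemetry) mimicking sophos_windows_events.
# 4624 = successful logon, 4625 = failed logon, 4672 = special privileges assigned.
SAMPLE_EVENTS = [
    # (time, eventid, task_message, data)
    (1700000000, 4624, "Logon", '{"EventData":{"LogonType":"2","IpAddress":"10.0.0.5","TargetUserName":"alice"}}'),
    (1700000100, 4624, "Logon", '{"EventData":{"LogonType":"3","IpAddress":"10.0.0.6","TargetUserName":"alice"}}'),
    (1700000200, 4625, "Logon", '{"EventData":{"LogonType":"3","IpAddress":"10.0.0.7","TargetUserName":"alice"}}'),
    (1700000300, 4672, "Special Logon", '{"EventData":{"TargetUserName":"alice"}}'),
]


def build_db():
    """Create an in-memory table shaped like the Sophos events table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sophos_windows_events (time INTEGER, eventid INTEGER, task_message TEXT, data TEXT)"
    )
    conn.executemany("INSERT INTO sophos_windows_events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


def logons_by(conn, group_by_eventid, username="alice"):
    """Return (eventid, Logon_Count, LogonType) rows for the three logon-related event IDs.

    With group_by_eventid=False the query mirrors the posted one: one row per LogonType,
    so a 4624 and a 4625 with the same LogonType are merged into a single row and only
    one of their event IDs is shown.  With True each (eventid, LogonType) pair gets its own row.
    """
    group_cols = "eventid, LogonType" if group_by_eventid else "LogonType"
    sql = f"""
        SELECT eventid,
               COUNT(task_message) AS Logon_Count,
               JSON_EXTRACT(data, '$.EventData.LogonType') AS LogonType
        FROM sophos_windows_events
        WHERE eventid IN (4672, 4624, 4625)
          AND JSON_EXTRACT(data, '$.EventData.TargetUserName') LIKE ?
        GROUP BY {group_cols}
        ORDER BY eventid, LogonType
    """
    return conn.execute(sql, (f"%{username}%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("GROUP BY LogonType:          ", logons_by(db, group_by_eventid=False))
    print("GROUP BY eventid, LogonType: ", logons_by(db, group_by_eventid=True))
```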