Great to see so many of you on the sessions today - thanks for tuning in and getting stuck into the interactive side. It's really good knowing we have so many keen threat hunters out there!
Here's a collection of resources from Ashek - please do let us know if there's anything else you want to know.
- OS hardening & GPOs: https://www.ncsc.gov.uk/collection/end-user-device-security/platform-specific-guidance/eud-security-guidance-windows-10-1809
- Extra logging: https://community.sophos.com/kb/en-us/133907
- A good starting Sysmon config: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
- Common MITRE ATT&CK TTPs and result enrichment queries used:
  - https://community.sophos.com/intercept-x-endpoint/i/xdr/hunting-in-the-data-lake-then-pivoting-to-the-device-for-details
  - https://community.sophos.com/intercept-x-endpoint/i/att-ck/live-discover-mitre-att-ck-classification-and-hunting
Look forward to seeing you all tomorrow for session 2!