Thanks Kris for a great session today! 

Kris used quite a few queries which are listed below for you to test out and use on your network:

And he also referenced using CTF events or other online resources to learn attacker tactics, so that you can better defend against those attacks in your environments. Here are a few sites that he personally recommends:

I hope those are all useful to you - let me know in the comments if you have anything else that others might benefit from!

Great seeing all of you on the sessions this week - see you Tuesday for session 4.

  • Hello, I am looking for the Logon Events Across Estate query?

  • I copied it from the screen when they showed it. When I run it, the Where eventID IN (4672, 4624, 4625) clause only shows events for 4624; when I remove 4672 and 4624 and leave only 4625, my 4625 results are shown. Not sure why the loop does not run all the way through.

    -- Logon events for one account over the last 90 days, one row per event ID and logon type.
    -- $$UserName$$ is the Live Discover variable prompted for at run time.
    SELECT
    eventid,
    -- MAX(time) gives the most recent event in each group; a bare time column
    -- would return an arbitrary row's timestamp once rows are grouped.
    datetime(MAX(time), 'unixepoch') Date_Time,
    Count(task_message) Logon_Count,
    JSON_EXTRACT(swe.data, '$.EventData.LogonType') LogonType,
    JSON_EXTRACT(swe.data, '$.EventData.IpAddress') IP_Address,
    JSON_EXTRACT(swe.data, '$.EventData.TargetUserName') TargetUserName,
    data
    FROM sophos_windows_events swe
    WHERE eventid IN (4625) AND time > strftime('%s', 'now', '-90 days') AND TargetUserName LIKE '%$$UserName$$%'
    -- Grouping by LogonType alone collapses every event ID sharing a logon type into one row,
    -- which is why only one ID survives when several are listed in the IN (...) clause.
    GROUP BY eventid, LogonType;
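The behaviour described in this comment is a grouping problem rather than a loop that stops early: `GROUP BY LogonType` returns one row per logon type, and SQLite fills the ungrouped `eventid` column from an arbitrary row in each group, so the other event IDs never appear. The script below is an added example, not code from the session or from the commenter, and reproduces it with an in-memory SQLite table shaped like `sophos_windows_events` (assumed schema: `eventid`, `time`, `task_message`, `data`; the constructed rows and the account name `alice`, which stands in for the `$$UserName$$` variable, are made up). It also shows a second reason 4672 never appears: that event records the account in `SubjectUserName`, not `TargetUserName`, so the `TargetUserName LIKE` filter drops it regardless of the grouping.

```python
"""Reproduce why GROUP BY LogonType hides event IDs, then show the corrected grouping.

Everything here is constructed sample data; the real sophos_windows_events table in
Live Discover is assumed to have the same four columns but may differ in detail."""
import json
import sqlite3
import time

# Constructed sample rows: (eventid, seconds ago, EventData fields).
# 4672 carries SubjectUserName rather than TargetUserName, as the real event does.
SAMPLE_EVENTS = [
    (4624, 600, {"LogonType": "2", "IpAddress": "-",        "TargetUserName": "alice"}),
    (4624, 500, {"LogonType": "3", "IpAddress": "10.0.0.5", "TargetUserName": "alice"}),
    (4625, 400, {"LogonType": "3", "IpAddress": "10.0.0.9", "TargetUserName": "alice"}),
    (4625, 300, {"LogonType": "3", "IpAddress": "10.0.0.9", "TargetUserName": "alice"}),
    (4672, 200, {"SubjectUserName": "alice", "PrivilegeList": "SeDebugPrivilege"}),
]

# The query as posted in the thread (all three IDs), with the Live Discover
# variable replaced by a bound parameter.
POSTED_QUERY = """
SELECT DISTINCT eventid,
       datetime(time, 'unixepoch') Date_Time,
       Count(task_message) Logon_Count,
       JSON_EXTRACT(swe.data, '$.EventData.LogonType') LogonType,
       JSON_EXTRACT(swe.data, '$.EventData.IpAddress') IP_Address,
       JSON_EXTRACT(swe.data, '$.EventData.TargetUserName') TargetUserName,
       data
FROM sophos_windows_events swe
WHERE eventid IN (4672, 4624, 4625)
  AND time > strftime('%s', 'now', '-90 days')
  AND TargetUserName LIKE ?
GROUP BY LogonType
"""

# Corrected version: every non-aggregated column is in GROUP BY, so each
# (event ID, logon type, source IP, account) combination keeps its own row.
FIXED_QUERY = """
SELECT eventid,
       datetime(MAX(time), 'unixepoch') Last_Seen,
       COUNT(*) Logon_Count,
       JSON_EXTRACT(swe.data, '$.EventData.LogonType') LogonType,
       JSON_EXTRACT(swe.data, '$.EventData.IpAddress') IP_Address,
       JSON_EXTRACT(swe.data, '$.EventData.TargetUserName') TargetUserName
FROM sophos_windows_events swe
WHERE eventid IN (4672, 4624, 4625)
  AND time > strftime('%s', 'now', '-90 days')
  AND TargetUserName LIKE ?
GROUP BY eventid, LogonType, IP_Address, TargetUserName
ORDER BY eventid, LogonType
"""


def build_db(events=SAMPLE_EVENTS):
    """Create an in-memory table with the assumed sophos_windows_events layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sophos_windows_events "
        "(eventid INTEGER, time INTEGER, task_message TEXT, data TEXT)"
    )
    now = int(time.time())
    conn.executemany(
        "INSERT INTO sophos_windows_events VALUES (?, ?, ?, ?)",
        [(eid, now - ago, f"Event {eid}", json.dumps({"EventData": fields}))
         for eid, ago, fields in events],
    )
    return conn


def run(conn, query, user="alice"):
    """Run a query with the account-name pattern bound in place of $$UserName$$."""
    return conn.execute(query, (f"%{user}%",)).fetchall()


def event_ids(rows):
    return sorted({row[0] for row in rows})


def compare(user="alice"):
    """Return a summary of what each query produces over the sample data."""
    conn = build_db()
    posted = run(conn, POSTED_QUERY, user)
    fixed = run(conn, FIXED_QUERY, user)
    return {
        "posted_rows": len(posted),            # one row per LogonType: 2
        "posted_event_ids": event_ids(posted),  # at most two of the three IDs
        "fixed_rows": len(fixed),              # 3
        "fixed_event_ids": event_ids(fixed),    # [4624, 4625]; 4672 has no TargetUserName
        "fixed": [(row[0], row[3], row[2]) for row in fixed],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running it shows the posted query returning only two rows (one per logon type) while the corrected grouping returns a row for each event ID and logon type present, with 4672 absent from both because of the `TargetUserName` filter.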

