Download presentation slides: https://www.activecountermeasures.com/presentations/
6:03 Introduction and background, JPCert, integration of pen testers, forensics, and defense, questions for business managers
12:37 How Attack Tactics is trying to bridge the three disciplines, proper settings for command line logging, enabling power shell logging
22:23 Generating events and finding them with Invoke-expression, Group Policy configurations, and answering questions about system configurations
30:17 Exchange logging, Sysmon installation, usage, and results, LSASS Dump, Deep Blue CLI, and Logon Tracer
43:26 Q&A and Closing Thoughts

So we went through an attack in the BHIS Webcast, "Attack Tactics 5! Zero to Hero Attack." Then we went through the defenses in a follow-up webcast, "Attack Tactics 6! Return of the Blue Team," and now we need to have a talk about logs.

Here is the deal, most of the default logging settings for IIS, Exchange, Active Directory and the workstations would have missed the entire attack.

So, let's fix that.

In this webcast we will be walking through some configuration changes required in order to detect attacks. We will also show you exactly what those logs will produce when configured properly.

Finally, we show you tools like LogonTracer, DeepBlueCLI and some cool basic PowerShell to pull out important information from these logs.

- John