2018-031-Derbycon ticket CTF, Windows Event forwarding, SIEM collection, and missing events... oh my!

We are back with a new episode this week! We got over our solutions for some of the #derbyCon ticket #CTF challenges and include links to some of the challenges. We talk about Windows Event Forwarder, and all log forwarders seem to losing events!

 

Thanks to our Patrons!

Gonna be at Derbycon, come see us!

 

Congrats to our Derbycon Ticket CTF winners!

Winner:  @gigstaggart

2nd Place: @ohai_ninja

3rd Place: @SoDakHib

 

Mr. Boettcher’s Challenge (SuperCrypto): https://drive.google.com/open?id=1657hBxRbacJRw0svG1nwzZImON3QFn1t

 

Ms.Berlin’s Challenge:

 

potato.file https://drive.google.com/open?id=1Mit7060ipK_JgDDF7sYG3XbMpZ9wyaFN

Taters.zip https://drive.google.com/open?id=1TnA16EiwLw2BberHXct8JpEsntT-GWq7

Potatoes.pcapng: https://drive.google.com/open?id=1_IATBw4OGAc7lUc7NXTcucfwU9NAROYN

 

Mr. Brake’s Challenge: https://drive.google.com/open?id=1gwGkLjWEZ42NlWiw2Eg8IQnnQAxua7B8

 

Update on Mental Health GoFundMe: http://www.derbycon.com/wellness

Thanks to the #Derbycon organizers for their time and patience on answering the questions posed.

 

Missing event issues:

https://social.technet.microsoft.com/Forums/en-US/eddf3f41-db8d-4729-a838-646cbbb45295/missing-events-on-event-subscription?forum=winservergen

https://social.technet.microsoft.com/Forums/en-US/cb34f0d3-22df-498c-a782-d1957f6852ac/forwarded-events-subscriptions-missing-information-in-eventdata-section?forum=winserverManagement

 

https://github.com/palantir/windows-event-forwarding

 

https://answers.splunk.com/answers/337939/how-to-troubleshoot-why-im-missing-events-in-my-se.html

https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows

 

https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/

 

https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4

 

https://4sysops.com/archives/windows-event-forwarding-to-a-sql-database/

 

https://blogs.technet.microsoft.com/jepayne/2017/12/08/weffles/

 

http://bpatty.rocks/blue_team/weffles.html

 

https://blogs.technet.microsoft.com/nathangau/2017/05/05/event-forwarding-and-how-to-configure-it-for-the-security-monitoring-management-pack/

 

Some issues with missing events… Everyone is affected by this!

 

WEF & PowerBI is good for small installations.

 

Any GPOs involved?

Can it be done on a server by server basis?

Can an attacker simply disable the service once initial access is achieved?

 

Pros and Cons of feeding the WEF output to a MapReduce system?

 

Not sure if they've used it, but WEF vs. winlogbeat vs. NxLog?

 

Need a config?  Get some examples here for nxlog, winlogbeat, filebeat, Windows Logging Service and other stuff...

https://www.malwarearchaeology.com/logging/

 

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Here is a new episode of Brakeing Down Security Podcast!

2018-030: Derbycon CTF and Auction info, T-mobile breach suckage, and lockpicking

CTF information:

    Official site: https://scoreboard.totallylegitsite.com (thanks Matt Domko (@hashtagcyber) for hosting and allowing us to use his employee discount!)

    Please do not pentest the environment, not DDoS, nor cause anything undesirable to happen to the site.

View the page, submit the flags, leave everything else alone...

 

Derbycon Auction - starts September 8th at 9am Pacific Time

    Slack only -

        Opening bid is $175

        Increments of $25 only

    100% goes to Chris Sanders’ “Rural Technology Fund”

        https://ruraltechfund.org/donate/

 

Amanda’s mental health workshop - AWESOME!  http://www.derbycon.com/wellness/

https://www.gofundme.com/derbycon-mental-health-amp-wellbeing

 

Mandy Logan - hacking her way out of a coma!  https://www.gofundme.com/hacking-recovery-brainstem-stroke

 

https://www.theverge.com/2018/8/24/17776836/tmobile-hack-data-breach-personal-information-two-million-customers

https://www.tomsguide.com/us/tmobile-breach-2018,news-27876.html

https://art-of-lockpicking.com/single-pin-picking-skills/

 

Lockpicking - Mr. Boettcher discusses (I have thoughts too --brbr)

Tools:

• Tension Wrench
• Picks

Parts of lock:

• Cylinder
• Driver Pins
• Key Pins
• Springs

Sites:

• https://toool.us/
• https://art-of-lockpicking.com/how-to-pick-a-lock-guide/  - This is a good guide if you can get past the ADs

 

Mr. Boettcher introducing JGOR audio (@indiecom) totally not @jwgoerlich

 

Btw: https://www.flickr.com/photos/36152409@N00/sets/72157700237001915/

https://www.trustedsec.com/2018/08/tech-support-scams-are-a-concern-for-all/

 

https://twitter.com/InfoSystir/status/1032343381328973827

 

 

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Here is a new episode of Brakeing Down Security Podcast!

2018-029-postsummercamp-future_record_breached-vulns_nofix

Post-Hacker Summercamp

 

IppSec Walkthroughs

Brakesec Derbycon ticket CTF -

 

Drama - (hotel room search gate)

  AirconditionerGate

  Personal privacy

  Ask for ID

  Call the front desk

  Use the deadbolt - can be bypassed

  Plug the peephole with TP

        Hotel rooms aren’t secure (neither are the safes)

            Probably the most hostile environment infosec people go into to try and be secure/private

 

https://247wallst.com/technology-3/2018/08/13/25-of-known-computer-security-vulnerabilities-have-no-fix/

• This is the company behind a sort-of threat intel site (vulnDB)
• The original marketing site
• • I figured it was marketing… it smacked of a ‘buy our product’ site\, but we don’t have to mention vulnDB

 

https://www.informationsecuritybuzz.com/expert-comments/over-146-billion-records/

    Based on study by Juniper Research

 

https://www.teepublic.com/user/bdspodcast

 

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

Here is a new episode of Brakeing Down Security Podcast!

2018-018-runkeys, DNS Logging, derbycon Talks

HTTPS on www.brakeingsecurity.com, Libsyn RSS syncing of itunes/google Play is over TLS

 

Amanda giving a talk at Diana Initiative

Derbycon Talk - mental health

Volunteer/Topic request form - https://goo.gl/forms/wAiLW5Dh5h0MR5bO2

 

http://www.hexacorn.com/blog/2018/07/29/beyond-good-ol-run-key-part-82/

 

https://blogs.technet.microsoft.com/teamdhcp/2015/11/23/network-forensics-with-windows-dns-analytical-logging/

 

https://blogs.technet.microsoft.com/secadv/2018/01/22/parsing-dns-server-log-to-track-active-clients/

 

https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/tracelo

 

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

Here is a new episode of Brakeing Down Security Podcast!