Enhancing Security with Sysmon and AppLocker
Implementing Sysmon and AppLocker
Estimated read time: 1:20
Summary
In this webcast by Black Hills Information Security, the focus is on implementing Sysmon and AppLocker to enhance security and improve event logging. The speakers discuss the inadequacies of traditional Windows logging and how Sysmon provides improved visibility into process and network activity. They also explore application whitelisting through AppLocker, highlighting its benefit in reducing the attack surface by denying unauthorized applications. The session covers the setup and configuration of both tools, offering a practical guide for implementing them in organizational IT environments.
Highlights
- Sysmon logs much more detail than standard Windows logging, capturing key events like process and network activities.
- AppLocker helps reduce security risks by only allowing authorized applications to run, significantly lowering potential attack vectors.
- The webcast provides detailed steps to configure and deploy Sysmon and AppLocker effectively, even in large enterprise environments.
- Additional configuration options, like those from SwiftOnSecurity, enhance Sysmon's utility by filtering noise from logs.
- Sysmon and AppLocker are free to use, yet powerful tools that can be deployed progressively for optimal security without breaking the bank.
Key Takeaways
- Sysmon drastically improves visibility into system processes and network activities compared to traditional Windows logging.
- AppLocker provides a robust method for application whitelisting, effectively reducing unauthorized software execution.
- Implementing these tools does not require expensive third-party solutions, making them cost-effective options for enhancing security.
- Starting small and rolling out these configurations gradually can safeguard against inadvertent disruptions.
- Despite occasional evasion by sophisticated attacks, these solutions significantly mitigate the majority of threats encountered.
Overview
This webcast by Black Hills Information Security dives into the security enhancements achievable with Sysmon and AppLocker. Sysmon is introduced as a significant step up from traditional Windows logging, offering detailed insight into system processes, network activity, and execution information vital for thorough security audits.
AppLocker, on the other hand, is portrayed as an effective whitelisting tool that restricts software execution to trusted applications only, dramatically cutting down on potential entry points for malware. The presentation covers setup steps, integration methods, and troubleshooting insights, making it easier for organizations to implement these tools.
Both tools, despite having some bypassable elements, present an affordable, immediate improvement to an organization's security posture. The discussion and demo make a solid case for their adoption, emphasizing their effectiveness in mitigating everyday security threats.
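As an added example that is not part of the webcast or of this summary, the script below reconstructs the kind of chain the Sysmon demo relies on: a process-creation record (Event ID 1) for an executable that a browser launched, correlated by ProcessGuid with the network-connection record (Event ID 3) that the same process later produces. The four event records are constructed to resemble Sysmon's EventData layout, with placeholder GUIDs and hashes and IP addresses from documentation ranges; the list of "launcher" images is a hypothetical starting point, not something the speakers give.

```python
import xml.etree.ElementTree as ET

# Windows event schema namespace used by every <Event> element Sysmon emits.
WIN_EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Images that commonly hand a user a file to run. A child of one of these that
# then opens a socket is the download-and-execute chain shown in the demo.
# Hypothetical starting list, not taken from the webcast.
LAUNCHER_IMAGES = ("chrome.exe", "firefox.exe", "msedge.exe", "outlook.exe")

# Constructed sample records (not real logs): GUIDs and hashes are placeholders
# and the addresses come from documentation ranges.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><TimeCreated SystemTime="2019-08-20T16:01:05Z"/></System>
 <EventData>
  <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
  <Data Name="ProcessId">4120</Data><Data Name="User">TARGET\administrator</Data>
  <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
  <Data Name="Hashes">MD5=PLACEHOLDER-MD5-1,SHA256=PLACEHOLDER-SHA256-1</Data>
  <Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID><TimeCreated SystemTime="2019-08-20T16:01:09Z"/></System>
 <EventData>
  <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
  <Data Name="ProcessId">4120</Data><Data Name="Protocol">tcp</Data>
  <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
  <Data Name="SourceIp">192.0.2.25</Data><Data Name="SourcePort">51402</Data>
  <Data Name="DestinationIp">203.0.113.40</Data><Data Name="DestinationPort">443</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><TimeCreated SystemTime="2019-08-20T16:02:30Z"/></System>
 <EventData>
  <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000002}</Data>
  <Data Name="ProcessId">5212</Data><Data Name="User">TARGET\administrator</Data>
  <Data Name="Image">C:\Users\administrator\Downloads\msf.exe</Data>
  <Data Name="Hashes">MD5=PLACEHOLDER-MD5-2,SHA256=PLACEHOLDER-SHA256-2</Data>
  <Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
  <Data Name="ParentImage">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID><TimeCreated SystemTime="2019-08-20T16:02:31Z"/></System>
 <EventData>
  <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000002}</Data>
  <Data Name="ProcessId">5212</Data><Data Name="Protocol">tcp</Data>
  <Data Name="Image">C:\Users\administrator\Downloads\msf.exe</Data>
  <Data Name="SourceIp">192.0.2.25</Data><Data Name="SourcePort">51410</Data>
  <Data Name="DestinationIp">198.51.100.7</Data><Data Name="DestinationPort">3000</Data>
 </EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each Sysmon <Event> into a dict: event_id, time, plus every EventData field."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", WIN_EVENT_NS):
        rec = {"event_id": int(ev.findtext("e:System/e:EventID", namespaces=WIN_EVENT_NS)),
               "time": ev.find("e:System/e:TimeCreated", WIN_EVENT_NS).get("SystemTime")}
        for d in ev.findall("e:EventData/e:Data", WIN_EVENT_NS):
            rec[d.get("Name")] = (d.text or "").strip()
        events.append(rec)
    return events


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_download_execute_chains(events, launchers=LAUNCHER_IMAGES):
    """One finding per network connection (ID 3) whose process was created (ID 1)
    by a launcher image. A process started before Sysmon has no ID 1 record and is
    skipped, so run this over a log that covers the process lifetime."""
    created = {e["ProcessGuid"]: e for e in events if e["event_id"] == 1}
    findings = []
    for conn in (e for e in events if e["event_id"] == 3):
        proc = created.get(conn["ProcessGuid"])
        if proc is None or image_name(proc["ParentImage"]) not in launchers:
            continue
        hashes = dict(h.split("=", 1) for h in proc["Hashes"].split(","))
        findings.append({
            "time": conn["time"], "user": proc["User"], "pid": int(proc["ProcessId"]),
            "parent": proc["ParentImage"], "image": proc["Image"], "hashes": hashes,
            "destination": "%s:%s/%s" % (conn["DestinationIp"], conn["DestinationPort"], conn["Protocol"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_download_execute_chains(parse_events(SAMPLE_EVENTS)):
        print("%s %s ran %s (pid %d) from %s -> %s sha256=%s" % (
            f["time"], f["user"], f["image"], f["pid"], f["parent"],
            f["destination"], f["hashes"]["SHA256"]))
```

The browser's own connection is not reported, because its parent is explorer.exe; only the process the browser spawned and that then opened a socket comes back, together with the hashes an incident responder would pivot on. Feeding real records in only needs the XML exported from the Microsoft-Windows-Sysmon/Operational log in place of the constructed sample.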
Chapters
- 00:00 - 03:00: Introduction and Overview The introduction provides a brief overview of the webcast topic, which focuses on AppLocker and Sysmon. The speaker humorously mentions feeling awkward due to sitting for a long time and discusses the frequent consideration of AppLocker and Sysmon in many webcasts related to recommendations.
- 03:00 - 10:00: Importance of Sysmon and AppLocker The chapter discusses the importance of using Sysmon and AppLocker as tools for improved event logging and security, even though event logging is often criticized for its ineffectiveness. The webcast aims to provide an implementation guide for both tools, focusing on their deployment strategies. These recommendations are frequently suggested to Black Hills Information Security customers.
- 10:00 - 17:00: Setting Up Sysmon The chapter titled 'Setting Up Sysmon' includes an engaging discussion during a webcast where viewers are encouraged to ask technical questions. The host highlights the opportunity for attendees to receive free consulting as experts are available to provide competent answers. The excitement of the webcast is underlined by mentioning a record of answering 240 questions in 57 minutes, emphasizing the expertise and value offered to participants.
- 17:00 - 25:00: Demo: Implementing Sysmon The chapter titled 'Demo: Implementing Sysmon' includes a discussion among testers including CJ and Jason. They mention an event called 'Backdoors and Breaches' scheduled for September and express an openness to providing more information and links for ordering a copy. The focus appears to be on engaging testers and preparing for the event, emphasizing a non-commercial approach.
- 25:00 - 30:00: Sysmon Logging and Analysis The chapter covers the topic of Sysmon logging and analysis. It appears to also discuss activities related to conferences, possibly highlighting promotional strategies for a specific product or service. The speaker talks about distributing a gaming product, including two decks and a set of dice, both as a purchasable item and as a free giveaway at conferences. The speaker notes that the game was well-received at conferences like Blackhat and Def Con, and mentions feedback about misspellings in the product, indicating a process of refinement and improvement based on user experience.
- 30:00 - 37:00: EDR Solutions and Sysmon The chapter titled 'EDR Solutions and Sysmon' appears to involve a discussion about refining content for a presentation or publication. Feedback was received, and while most of it was positive, there was some disagreement over the use of the word 'asinine,' which was considered harsh. However, despite this feedback, the decision was made to retain the word in the final version. This presentation or publication is related to events such as Derby Con and Wild West Hacking Fest, where it will be available. Additionally, the webcast mentioned in this chapter is sponsored by Black Hills Information Security.
- 37:00 - 44:00: Automating Sysmon Deployment The chapter discusses the various services offered by the company, including pen testing, red teaming, hunting, webcasts, open source tools, blogs, and incident response. They emphasize their readiness to assist during an incident. Additionally, they highlight new features in AI-Hunter, such as investigation capabilities that allow users to click on IP addresses for further research.
- 44:00 - 50:00: Introduction to AppLocker The chapter introduces AppLocker and discusses setting up beacon thresholds for alerting, exporting results, and bug fixes related to syslog and Slack alerting. Version 34 of the system is mentioned, along with an open-source tool for threat hunting named RITA, which is available for further discussion.
- 50:00 - 59:00: Demo: Configuring AppLocker The chapter titled 'Demo: Configuring AppLocker' briefly mentions a potential setup for a demo which the speaker plans to handle personally due to reduced travel. Additionally, it highlights the Wild West Hackin' Fest event, noting that training sessions start on October 22nd, followed by the main conference from October 23rd to 25th. The conference is described as highly interactive, being among the most hands-on hacking conferences worldwide, although DEFCON is mentioned as also offering impressive hands-on labs.
- 59:00 - 70:00: AppLocker Rules and Policies The chapter 'AppLocker Rules and Policies' introduces the reader to an intriguing environment filled with various hacking villages, including wireless, SDR, and embedded device hacking. It highlights unique challenges such as the 'wall of doors,' where participants can engage in diverse methods of bypassing door security, from traditional lock picking to electronic bypass techniques. Additionally, the event promises to provide a fun and engaging experience, culminating with a chuck wagon steak dinner.
- 70:00 - 76:00: AppLocker Bypass Techniques The chapter titled 'AppLocker Bypass Techniques' begins with the presenter discussing the need for improvement in webcasts and setting the stage for better understanding. The problem statement focuses on the increasing complexity of the MITRE ATT&CK framework. This framework is frequently mentioned within the cybersecurity industry, especially at major conferences like BlackHat, and is becoming a standard reference across various enterprise solutions. The chapter highlights the challenges faced by organizations in keeping up with this rapidly expanding and evolving matrix.
- 76:00 - 80:00: Implementing AppLocker The chapter titled 'Implementing AppLocker' discusses the issue of vendors creating expensive products to prevent cyber attacks, while emphasizing that there are many free or simple hygiene practices that can help detect and prevent such attacks. The webcast aims to address the challenges in detecting various types of attacks and advocates for using cost-effective methods like AppLocker as part of a comprehensive cybersecurity strategy.
- 80:00 - 91:00: Q&A Session This chapter titled 'Q&A Session' discusses various strategies to defend against cybersecurity threats, particularly focusing on attacks involving lateral movement and defense evasion techniques. It emphasizes the importance of proper logging, although it notes that even effective event logging may not detect all threats. The chapter introduces tools like Sysmon and AppLocker to enhance security. AppLocker is highlighted for its role in application whitelisting, which can prevent a significant number of attacks. However, it acknowledges that it does not block all threats and mentions that bypass techniques will be discussed later. Overall, the chapter underscores the complexity and necessity of application whitelisting in protecting systems.
- 91:00 - 100:00: Conclusion and Next Steps This chapter focuses on the importance of framing questions correctly when dealing with executives in an organization. It emphasizes the need for proper problem statements and provides sample questions such as 'Are our tools working?', 'What can we detect?', and 'What are our gaps?' It also humorously critiques the perceived inadequacy of Microsoft's locking mechanisms. Overall, the chapter outlines the steps to engage executives effectively by using relevant and probing questions.
Implementing Sysmon and AppLocker Transcription
- 00:00 - 00:30 [Music] all right everybody welcome to our webcast on AppLocker and Sysmon so the reason why this is awkward other than the fact that I've been sitting in this chair and it's very hard is we've been talking about doing AppLocker and Sysmon in almost every single one of our webcasts from a recommendations
- 00:30 - 01:00 perspective we're like well you should use whitelisting hey use Sysmon because event logging sucks and even in our last webcast that we did with Jordan we talked about it briefly and setting it up and it's it's we've never had a webcast on that topic so in this webcast we're gonna go through talk about AppLocker we're gonna talk about Sysmon I'll go through implementation of both live and then we'll talk about deployment strategies for AppLocker and Sysmon this is also key especially for our customers at Black Hills Information Security because these two recommendations show up all the time in
- 01:00 - 01:30 our pen test reports also on this webcast we have a number of people that are answering questions in the chat so if you have a question a technical question you can ask somebody who actually is competent from a technical perspective and not just somebody who's really good at talking into a camera so ask your questions and we will be answering them Jason what is the record so far for the number of answered questions in a webcast two hundred and forty in fifty seven minutes two hundred and forty in fifty seven minutes that's free consulting folks so
- 01:30 - 02:00 take advantage of it we have a lot of testers here we've got CJ here we've got Jason here so we're all over the place as always this is brought to you by Backdoors and Breaches it's coming up in September so please type in Backdoors and Breaches in the questions window and we will throw out a link whenever we're done and we get it up someplace where we can sell it and you can order a copy we're trying really hard to not make money at Backdoors and Breaches just to
- 02:00 - 02:30 be honest we're probably gonna charge like 20 bucks for two decks and a set of dice to go with that we're looking into what that's actually going to be and it'll be free at every single conference that we attend so if you don't want to pay for it just come to a con come up to our table and grab a copy and we will hand it out I was playing it quite a bit in RSA not RSA at Black Hat and then at DEF CON I got to play a whole bunch of games and people seemed to enjoy it and then BB went through the entire deck and pointed out all the misspellings that
- 02:30 - 03:00 were in the deck and he didn't like words like what was that word there's a word he said it was asinine yeah he said it was a bit bit harsh but we're keeping that word and everything else he said was fantastic great feedback from him at Dakota that'll be making it in and it will be available at DerbyCon and we'll definitely be available at Wild West Hackin' Fest so if you want a free copy go get a ticket for Wild West Hackin' Fest also this webcast is brought to you by Black Hills Information
- 03:00 - 03:30 Security we do pen testing red teaming hunting webcasts open source tools blogs and we also now do incident response and if you are in the middle of an incident you got a problem please contact us we're happy to assist any way we possibly can this is also brought to you by AI-Hunter and we added a bunch of really cool features in AI-Hunter we added in investigation every single IP address you can click on it and open up additional websites or go into deep dive and do research on those IP addresses
- 03:30 - 04:00 we've set up beacon thresholds for alerting so you can that's a beacon of like less than fifty percent less than 75 left that less than 80 percent so you can view it also exporting results we now have that set up very well a couple bug fixes we got syslog we had a couple bugs with syslog and Slack alerting that was fixed so we got version 34 if you are interested and you want to sit down and actually have an hour where I can talk about RITA which is the open source free tool for threat hunting that we've created or AI-Hunter just type in
- 04:00 - 04:30 demo and I will personally contact you and we will set up a demo at some point in the future because I'm not traveling as much as I used to travel so that's just fantastic also brought to you by Wild West Hackin' Fest the training starts the 22nd of October and the conference begins the 23rd through the 25th we say that this is the most hands-on hacking conference in the world it's not true it's one of the most hands-on hacking conferences in the world DEF CON has a lot of amazing hands-on labs however for
- 04:30 - 05:00 the size can't beat it we have a wireless hacking village SDR hacking village we've got embedded device hacking we have I think the only wall of doors we have this challenge where you have to break in to multiple different door types from using you know full-on shims to lock picking or from the lock picking to electronic bypass it's all there and we also provide everybody with a chuck wagon steak dinner so check it out it's gonna be a lot of fun and I will
- 05:00 - 05:30 personally be exhausted so let's get in we've got a problem statement trying to get better at these webcasts and kind of setting the stage a little bit before we get started so the problem statement is when you're looking at something as daunting as the MITRE ATT&CK technique matrix and this thing is getting way way way way bigger all the time in fact most vendors that you saw on the floor at Black Hat had at least some mention of the MITRE ATT&CK technique matrix especially on the enterprise side and we get into a problem where a bunch of
- 05:30 - 06:00 vendors look at this and they're like hey we should totally come up with a product that stops a lot of these attacks and charge people a bajillion dollars for stopping a lot of these attacks and that's a problem because there's a lot of free things that you can do in fact just good hygiene that you should be doing as part of shutting down a lot of these different attacks or at least alerting on these attacks and I think this webcast will help deal with the problem of how hard it is to detect a lot of these different types of
- 06:00 - 06:30 attacks lateral movement defense evasion techniques especially whenever you don't have proper logging in place in fact even with proper quote unquote event logging you're not going to detect a lot of these attacks so that's where Sysmon comes in and when we get into AppLocker we get into application whitelisting it'll actually stop a large number of these attacks not all of them we're going to talk about some bypass techniques a little bit later but honestly whenever you move into the application whitelisting realm a whole bunch of different attack techniques
- 06:30 - 07:00 just fall off the table immediately so let's get started so the executive problem statement I always like to come up with questions so when you're dealing with executives at your organization how can you actually frame things properly so are our tools currently working what can we detect and we had the same slide a couple of weeks ago and I'm gonna try to use this again for these are questions that you can bring to your executives and questions like are our tools working what can we detect what are our gaps why does Microsoft logging suck so bad it's just so horrible what existing tools do
- 07:00 - 07:30 we have what do we have to buy and do we actually need to purchase something expensive and these are great questions that executives are going to ask you so if you're looking to bring in a really expensive toolset they're gonna want to say well what about our existing toolset why is the logging just horrendous in Microsoft it doesn't seem like it should be that way they're Microsoft their logging should be just fine it must be our IT team is actually incompetent so hopefully we can answer some of these questions speaking of questions here I have a quote from the
- 07:30 - 08:00 executive I'm gonna try to put up a different quote of what this executive is actually thinking whenever I do these webcasts and it's this one this way it goes maybe I could take the Sequel Police's ship to the command headquarters to get a time pod so the question is whoever it can tell me the name of the video game they can type it in first that that particular executive is playing right now whenever we get the copies of Backdoors and Breaches we will ship you out a copy of Backdoors and Breaches so maybe I could take the Sequel Police's ship to the command
- 08:00 - 08:30 headquarters to get a time pod and by the way I need the whole title there's a number of titles in the series I need the actual whole title for the for somebody to win and I'm sure we already have a winner and I don't know why that came into my head when I was writing the slides at 4:00 a.m. that this was somehow an important thing so let's talk about Sysmon so basically Windows logging is just horrific and if you go back to our last webcast and we talked about all the different configuration settings that you need to put in place in order to do proper Windows event
- 08:30 - 09:00 logging and then even when you think you have it properly set up all you're missing your IIS logs on your Exchange servers and you can use ETW but is ETW actually giving you everything that you need and it just gets out of control and you may be logging a certain thing but you may not have it configured properly to log certain things like token passing or token impersonation in Active Directory it's bad right so Sysmon makes it better and this is awesome because Sysmon allows us to set up and get like this amazing logging and it's done in like five minutes this is like
- 09:00 - 09:30 the heroine of information security tools that we can actually leverage and we can use so I'm gonna go to demo because hey why not so I also have some backup slides there so the way we do this is we fire up Chicken of the VNC and I hang up my phone because my brother is calling me and should know that I'm on a webcast but all right so I'm gonna bring up another computer traditionally on our webcast one of the problems we had was zooming or lack of zooming because GoToWebinar isn't very good
- 09:30 - 10:00 zooming at all so turning on Sysmon is actually just like super duper easy if I zoom in here and go up you can basically run the Sysmon executable accept EULA you can install a config now in this particular example I am using SwiftOnSecurity's configuration for Sysmon and specifically what that does is it does filtering so Sysmon is gonna log a whole bunch of network connections processes that are starting processes that are shutting down and there's gonna be a ton of processes and what we want to do is filter out the
- 10:00 - 10:30 quote unquote white noise so we can get down specifically what applications started and when did those applications actually start and I'll talk about how to actually implement this here in just a couple of moments and how you can implement it relatively easily on a domain environment the other thing I want to call out is if you implement Sysmon as you're gonna see here in a moment it isn't all that chatty it doesn't generate a tremendous amount of noise which makes it really cool whenever you're trying to establish your proper
- 10:30 - 11:00 logging so I'll zoom out and I'm going to copy this specific line here because trying to type and talk makes me nervous and I'm gonna open up a command prompt on this particular computer system as administrator I click run as administrator then I'm gonna zoom in and I'm gonna cd into the tools directory and then I'm going to run Sysmon that's it that's all Sysmon's running there we go so what it basically did is
- 11:00 - 11:30 it started up the Sysmon service says it started by Mark Russinovich who I'm pretty sure looked at the event logging in Windows and like no that's that's a train wreck we we don't want to do that so we have Sysmon up and running on this computer system and now we can go to our event logs on this computer we could see what exactly it is that Sysmon gets you that is so absolutely awesome now the event logs that you normally get are Application Security Setup System Forwarded Events that's what we have up here in the upper left hand corner
- 11:30 - 12:00 however to view our Sysmon logs we're gonna have Applications and Services let me zoom in so you can see that I'm going to go to Applications and Services and then oh wow this is gonna give people like totally like fits we're gonna go Microsoft Windows and we scroll all the way down and we get to Sysmon it's all alphabetical Sysmon to do there we
- 12:00 - 12:30 go and we click Sysmon and then we select Operational and these are the logs that we get from Sysmon so I'm gonna filter or if I'm just gonna clear the event logs right now for Sysmon so I've been doing this stuff quite a bit today in preparation for this webcast so we're gonna clear out our logs and then let's actually get some malware on this computer system and execute it so to do that I'm gonna use Chrome here and we're just going to surf to a system where I
- 12:30 - 13:00 stood up just a simple little payload backdoor listener on the computer and I went to this system ADHD I need to get the systems team an update of ADHD I just misspelled ADHD what the hell there we go that's better try to pay attention keep up so I have a little meterpreter session listening here and I stood up a little cloned website kind of
- 13:00 - 13:30 outside of the realm of what we're talking about today but I just wanted to set up some malware that we could execute we could show you what it looks like whenever malware runs properly and I'll put in my IP address if I can remember my IP address that'll be fantastic so this HTTP colon forward slash to 172 16.1 one 2.11 ford slash msf dot exe I think that's the right IP address we'll go ahead and hit enter see if it shows
- 13:30 - 14:00 up see if maybe the IP address shifted there we go alright so we downloaded the malware that I created and if I run it it says this might be dangerous well yes of course it's dangerous it's called MSF dot exe and then in the background if I go over to my ADHD system I actually have a meterpreter session open on that computer so if I want to interact with that meterpreter session I write sessions - i3 and I am in my butter butter
- 14:00 - 14:30 session so now I can run LS and I can see the different files I'm on the computer system life is good no mean trick getting malware on this computer didn't do anything super fancy at all just basically executing malware because the goal is to show you what system on actually shows us whenever we fire off the logs so let's refresh our logs here and we have a bunch of logs because I've done a lot of different things so the first thing is if I go back here you can
- 14:30 - 15:00 see that chrome dot exe was started and that's because I started chrome dot exe so we actually have chrome dot exe that fires up then you're gonna see chrome dot exe chrome Don exe and then you're gonna see MSF dot exe so if I take this and I pull this particular one up a little bit you're gonna get additional information about what's going on and there's some things that I absolutely love about this first it gives you the full path for where that particular executable was
- 15:00 - 15:30 downloaded which is great we've got the time in Utah coz Universal Time is awesome yay it gives us the process ID gives us the executable the full path and then it gives us the description what's interesting about this particular executable this the executable is created using some code that is part of the social engineering toolkit I mean ADHD it's the java web attack and what it does is it inserts Metasploit inside of the Apache bench command-line utility and then the product is from Apache HTTP
- 15:30 - 16:00 server the company's Apache Software Foundation and gives us a lot information about that particular file header and what Metasploit was injected into which i think is awesome gives us the user that started it and then it gives us the parent image what is the executable that invoked it so this allows us to actually pull together well chrome DXE was used to open up ms f dot exe and it was ran by the user target administrator we've got the full time
- 16:00 - 16:30 we've got the process ID everything you need if you're doing Incident Response this is also really useful if you're doing a if you're doing a incident response type engagement you can say we want to look at the various executables that maybe are associated with Apache bench because they may be backdoored we also have various hashes whenever this file fired it actually triggered an md5 hash and a sha-256 hash of the executable as well so if you think it's a targeted attack and by the way if it's a real attack it's almost always a
- 16:30 - 17:00 targeted attack unless it's just your standard drive-by malware and spam that's hitting your organization this is a great bit of information that you can then feed in to the rest of your threat hunting team to see if there's any other executables or any other malware that's triggered and as I said whenever you're looking at the event logs on a Windows computer system it's actually pretty quiet we generated a lot whenever we opened up chrome dot exe and if I just hit refresh a bunch of times while the system's working I'm not gonna get too
- 17:00 - 17:30 many new event IDs it's just those executables are the ones that are already running I'm not gonna trigger anything unless I open up another executable and open up another socket which is really cool the other thing is the network connection if we look at MSF exe if we go in a little bit further you can see in addition to all the previous information in the previous log I can see that I have the executable I can see the protocol is TCP the source IP address is 172.16.0.0 evan and the
- 17:30 - 18:00 destination port is 3000 it's again amazing information for any incident responder it's trying to work through an incident this is basically which you hope that event logs would do in your entire security career in fact I would argue if you're gonna do event logging you could probably get away on the workstations with just pretty much sis bond event logging and then whenever you're working backwards from your alerts you can actually jump it into an Elk's stack which is going to
- 18:00 - 18:30 be the topic of another webcast we'll talk about how to use things like like beats for last to search to get the logs system on off you it's something like Hulk there's a great write-up in fact I'll just do the webcast live the instructions on how to set up Hulk because it makes it super easy especially with the indexing and the data that you're actually receiving so sis Mon is amazing we've talked about it multiple times and we finally are getting a web cast we did one a long time ago with Derek banks it was time to revisit it
- 18:30 - 19:00 So that is Sysmon. I feel like I'm missing something about Sysmon, but maybe not. I got a question. Okay, yeah, shoot. Is there value in running Sysmon alongside a commercial EDR? If so, which Sysmon event IDs do you think might provide additional visibility? So when we're looking at the event IDs, I like this one. Actually, all the event IDs are great for the network connections, the processes, the parentage, because you can see this one doesn't give us the parentage; this one's associated with the network connection. So any time you have an event ID of 3, you have a network
- 19:00 - 19:30 connection. Any time you have a new process that starts up, you have a new process, event ID of 1. So they all have value in the fact that they show different things: processes that are starting is 1, and then network connections is 3. Now with your EDR solution, there's going to be some things that you're going to get out of your EDR solution that you wouldn't necessarily get with Sysmon. Let me show you an example, because that question is a fantastic question. So if we watch the event IDs, and I basically just kind of
- 19:30 - 20:00 do a refresh here. Okay, we're now seeing the event ID for the network connection; we've got that one. Now let's see what happens whenever I start interacting with the Meterpreter. All right, so whenever I'm in the Meterpreter, I could try to dump password hashes. Okay, that's going to fail. I can run hashdump. I could try to migrate to additional processes and do all these different things. Hmm, I can try to getsystem. All right, let's do run hash
- 20:00 - 20:30 dump, see if that works. But I'm trying a number of different things, right? I'm trying to dump password hashes, I'm trying to interact, I can actually migrate into existing additional services. So I can do ps, find a process ID, and then migrate into another process, 4768. Let's try that one. But the problem with all of this... all right, couldn't do that, must have mistyped it. The
- 20:30 - 21:00 problem with all of this, though, is I'm sitting around running Meterpreter things and running things in memory. The problem with it is a lot of what I just did isn't going to show up in Sysmon. So if I refresh Sysmon, you can see I'm not really getting a lot of information about trying to migrate into processes and all these different types of attacks. So that's what you're going to get whenever you're running an EDR solution; an EDR solution is actually going to bring a lot better context around what is actually going on. And when
- 21:00 - 21:30 you're running it in Metasploit, you're going to get some weird things, like, you know, we're trying to start up services named something like "XaGXaja." That may be interesting to you, but if you're running something like a Cylance or Carbon Black or CrowdStrike, they're going to actually tell you this looks like somebody's trying to inject into another process on the computer system. So there's absolutely a lot of value that you get. But let's back up for a couple of seconds: just that initial execution and then that initial network connection, that network socket, is going to show up in most situations.
- 21:30 - 22:00 There are some ways to bypass it as well, but the vast majority of the attacks are going to show up. So if you're on a shoestring budget, right, you're trying to lock down your environment and you don't have hundreds of thousands of dollars to sink, absolutely, this is going to start giving you visibility that you normally wouldn't have, and it's going to be light years better than what you would have if you didn't use this one. So I hope that answered the question. Any other questions? Is there a Sysmon for Linux/UNIX? No, there's nothing for Linux/UNIX. What you can do is you
- 22:00 - 22:30 can use strace if you really hate yourself. But, but yeah, that'd probably be a question for Bill Stearns, because Bill Stearns has probably written something like this about 15 years ago, and we can get him on on that as well. I'm wondering, there are some things though, if you actually go... let me show you real quick. So if you're working in a Linux computer system, completely sidetracked, let's go here. So we've come, root... People are talking about
- 22:30 - 23:00 auditd for Linux. Yes, you can use auditd. If you really are feeling like a poor individual, you can also pull any information about any processes that are interesting out of /proc as well. You can actually go into the various process IDs, and when you go into the process IDs you can get a lot of information about what the current directory is, what the different executable files are associated with it. And then lsof is also awesome as well; lsof will show you who has open network
- 23:00 - 23:30 connections, and then you can get additional information about any one of those different process IDs with lsof, space, dash lowercase p, and then the process ID. So whenever I'm working an incident, I will actually start with the network connections, and then I'll start going through: what are those network connections, what are the different files that are open associated with those network connections, to try to get additional information about it. That's probably a completely different webcast too. All right, so any other questions? And of
- 23:30 - 24:00 course, one last way... Yeah, what config filters do I need to set up in Sysmon in order to catch possible candidates for Mimikatz activity? Um, so Mimikatz activity is one of those things that is more difficult to detect with Sysmon. Usually whenever you're detecting Mimikatz, you're actually detecting the PowerShell invocation or whatever utility is using Mimikatz-like functionality. As far as Mimikatz injecting itself into the Local Security Authority Subsystem Service, you're going to have trouble with that. You're also going to have trouble with tools like
- 24:00 - 24:30 CrackMapExec. We were talking about Marchello and how that's somewhat difficult to detect with Sysmon as well. So usually you're going to start by looking at that initial code execution of the malware itself, and then once it's actually running in memory, you're running into a lot of problems like I just showed with Metasploit Meterpreter. It isn't going to give you visibility on everything that's going on inside of memory at that specific time. Does that make sense? Hopefully that answered the question too. All right, one more and then we'll move on to the other part. What is your best way to upgrade Sysmon? I would just do
- 24:30 - 25:00 it through the standard upgrade process in Microsoft. Now, actually, that leads us perfectly into this. Let me go... got too many computers here. All right, so let's go through and present and answer that question insofar as upgrades as well. All right, so I had some backup slides for the malware that was actually executed; we have that there so you can see what it looks like. So let's talk about implementing it, and I think that this also works really, really, really well when we're discussing how to work
- 25:00 - 25:30 on the upgrades and updating it, right? So there's a great blog post by Syspanda that goes through a tremendous amount of detail on how to actually set it up in Active Directory and push it out to all of your different computer systems by using scheduled tasks. So you would basically create a scheduled task, and at regular intervals it's going to go to here, where it says domain.com (that would be your domain), apps, config.xml. In my situation that would be like SwiftOnSecurity's config.xml file, and then you
- 25:30 - 26:00 would copy it to the Windows folder on your computer, and then you would actually start Sysmon with it as well. Now when you're running it, one of the things that you can do is you can check to see if Sysmon is actually running. If it is not running, then it can actually install and execute it; if it is running, then it's just going to move on. It's not going to try to restart it every single time. Now when you're talking about updates, one of the things you can do, because all of your workstations are actually pulling down the Sysmon.exe file directly from the domain
- 26:00 - 26:30 controller, so what you can do if you want to update it, you can actually just replace the executable. So instead of having to push it down to every single computer system, you're literally having those computer systems pull the Sysmon executable and run it from the domain controller, and then pull the config that's actually stored locally on that computer system as well. So this is a nice little script that you can do, and this is a nice write-up. So you're not actually pushing the executable to every system and updating it that way; you're having every system pull it from the
- 26:30 - 27:00 domain controller. So you would update that executable, then whenever it runs, that would actually pull the updated version of Sysmon and then execute it. So check out this link; it's a fantastic little write-up. There's two versions of it: one, the script is executing every time the system starts as part of Group Policy, and the other one, he basically creates a scheduled task that causes those systems, I think it's like once an hour, to make sure that they are executing Sysmon and they're running properly. So I hope that answered the question. Any other questions? Yeah, John, people are
- 27:00 - 27:30 asking a lot about how to cut down the chatter, the noise. Do you have a preferred configuration, or listed by event ID, that you should...? The best one is SwiftOnSecurity's. If you go to SwiftOnSecurity's GitHub repository, here you go, there's a Sysmon config right here that reduces that noise very, very, very cleanly. So check that one out. Also, if
- 27:30 - 28:00 you look inside the XML, it's actually, it's actually pretty easy to read. You can see how it's starting up additional executables and what you're filtering out and what you're allowing to actually go through. Also, about two months ago Mark Russinovich added DNS logging to Sysmon, which is huge, because DNS logging is an absolute, complete train wreck, and when you're trying to do normal DNS logging, it's almost debug-level logging for your DNS service. And with the new Sysmon
- 28:00 - 28:30 utility that Mark just kicked out about a month ago, it now has built-in DNS logging. So any time a system is resolving an IP address, it's going to log it locally, and that'll become more important, especially whenever you're looking at DNS over HTTP, to actually have that ability to have it stored locally as well. So this is the config I recommend at least starting with, and the amount of data that it's going to generate shouldn't be too overwhelming. It'll generate about four or five... because four or five events every time you start, because you're going to see them starting up for the process ID and the network connection,
- 28:30 - 29:00 and if that process ID invokes other process IDs, each of those process IDs are also going to have Sysmon alerts associated with them. But usually, when someone's working on the computer, they're going to open up their browser, they're going to open up Word, they're going to open up Excel, they're going to get their music app. You can see all these alerts, and then all of them are just going to run, because that's what they're going to have in their standard build in a workday, and that's it. But you'll at least have that visibility into all the network connections and then also the processes that are running, right? Any other questions, folks? Yes, but we'll wait till
- 29:00 - 29:30 the end if we have time. All right, sounds good. All right, so the other thing that we wanted to talk about was AppLocker. I always talk about application whitelisting in a number of our webcasts, and many people are very, very intimidated by ever approaching application whitelisting, and AppLocker actually comes out with some fairly good ones with the defaults. Now I need to say, any time you're talking to a pen tester, inevitably they're going to say, well, the
- 29:30 - 30:00 default profile for AppLocker, you can totally bypass using these following fifteen techniques, and that's true. But if you gave me an option of running AppLocker or traditional blacklisting AV, no question, I would take AppLocker in a heartbeat. We'll talk about what it doesn't detect a little bit later, and hopefully BB and some of the testers can kind of pipe in. There are definitely ways to get around AppLocker, especially whenever you're using the default configs, due to process inheritance and allowing executables to run in the Windows directory. But it's an
- 30:00 - 30:30 open config in the fact that it's going to allow a lot of stuff that you would be worried about running... running into a problem with it executing. It's going to allow the day-to-day operation of that computer to run very well, and it also has a built-in failsafe in that administrator accounts can still run whatever they want. So very, very, very easy to set up inside of Group Policy. So let's go ahead and let's jump in, starting up a demo of configuring AppLocker. Open up my Chicken of the VNC, and I
- 30:30 - 31:00 have up here, I've got a couple of different systems. The system that we compromised, this particular computer, is just a standard Windows 10 system that I threw together. I use this Windows 10 VM for a lot of stuff, so I'm going to close out some of the stuff here, and we'll do... I think I'm logged in as administrator, so I can do gpupdate /force, and let's actually go into Group Policy and Active Directory
- 31:00 - 31:30 Users and Computers. Right, I log in. All right, and there we go. All right, so let's start by actually creating an OU and then throw a computer inside of that OU. So I'm going to go to Active Directory Users and Computers, and you can see that I have one computer system here called theboss, and I'm going to create a new organizational unit, all right, because we
- 31:30 - 32:00 want to be able to apply our Group Policy settings to this organizational unit. So I'm going to call it secdesk. Okay, so that's called our secdesk organizational unit, and if I go to my computers, I can just throw my computer into that organizational unit. Don't care about that warning. Good. I know, I do want to see the warning. There we go. Oops, there we go. So now I have this small little organizational unit where
- 32:00 - 32:30 I've added this computer. Now, usually what you would do is you would break up your organization. So you would start rolling out AppLocker: you would roll it out to your security team first, you would roll it out to the administrators, you'd roll it out to desktop support, and you would slowly roll this policy out. You wouldn't roll it out to absolutely everybody. So now that we have that OU created, now what we're going to do is we're going to go into Server Manager, and I'm going to go to Tools, and we're going to go to Group Policy Management. There we go.
- 32:30 - 33:00 There we go. John, can you zoom in a little bit? I can, especially once I get there; just give me a second. All right, so let's zoom in over here. So over here you can see I have my domain. I've created a target.local domain, and what I have inside of this domain is I have the organizational unit called secdesk. So secdesk is the one that we created that has, like, one computer in it, and what we're going to do now is we're
- 33:00 - 33:30 going to create a Group Policy that's going to push out AppLocker with the default settings to that secdesk organizational unit. Now there's two parts of it: one is actually configuring the actual AppLocker configuration, and the second thing is actually creating a policy that will start the Application Identity service. It will not fire if you don't have the service that's actually watching the applications on the computer system itself. So what I'm going to do is I'm going to right-click on that, and we're going to create a GPO for
- 33:30 - 34:00 that one, and I'm going to call it AppLocker. We're going to click OK. Oops, need to create it for secdesk. Here we go, I need to delete this one real quick; put it in the wrong place, wasn't highlighted. There we go. So we go into secdesk. There we go. I'll just call it AppLocker
- 34:00 - 34:30 2. There we go. All right, so now we've created our little Group Policy, and we can see that that's underneath the secdesk group. Now if we actually want to configure it, we can actually go into it, we can right-click, and we can go Edit. I'll come back and enforce it here in a second.
- 34:30 - 35:00 So now this is the beginning of the Group Policy settings that we have in place. So the actual policy that we want to put on this particular one is going to be under Policies, it's going to be under Windows Settings, and it's going to be under Security Settings. And let me make this a little bit bigger for everybody, and I'll show you the two main settings that we're actually going to set for this particular computer. Here we go. So let's go into our Application Control Policies first, and there is AppLocker.
- 35:00 - 35:30 Now that is not the same as the AppLocker that I just created; that's actually the default. This is where you would actually go in and configure AppLocker itself. So we've got... we're going to start, I'm going to make this a little bit bigger so you have some more room to play with. We're going to start by configuring the rule enforcement, and I'm going to go through and set all of these to Configured and Enforced. I'm going to go through some of the different settings you can have here in just a second. I will zoom in. There we go. So now you can
- 35:30 - 36:00 see that we have Executable Rules, Windows Installer Rules, Script Rules, and Packaged App Rules. Now you can set it up in two separate settings. You can set it up so it's Enforce rules, where it's going to actually block and stop those different things from executing, or you can put it into Audit only. If you're exceptionally paranoid, you can set it to Audit only to start. That means AppLocker is going to log what it would have blocked, so you don't have to worry about pushing out a rule to an entire organization that's
- 36:00 - 36:30 going to blow up absolutely everything. In fact, generally you don't have to worry about that; it doesn't happen all that often. The default rules work really, really, really well, and I'll show you what the default rules look like. So those are the two different examples that we can work with. We have Executable Rules, Windows Installer Rules, Script Rules, and Packaged App Rules as well. Then I'm going to apply it. But as of right now I actually don't have any rules. I have to scroll down over here, and I have to go into Executable Rules, Windows Installer Rules, Script Rules, and Packaged App
- 36:30 - 37:00 Rules, and I have to generate the default rules for each one of those. So now I can select each one of those, and you can see it now got it over here: Executable Rules, Windows Installer Rules. And I can right-click and I can do Generate, or Create Default Rules. Now I want to talk about a couple of different things here real fast. So if we generate the default rules, it's just going to generate three or four rules for each set, okay? And it's not very many rules at all, and predominantly these rules are based on path. It's going
- 37:00 - 37:30 to say anything that's executing from the Program Files directory or the Windows directory is allowed to execute, and then the last rule is anybody who is an administrator can do whatever they want. This is that failsafe to make sure that you don't actually lock yourself out of your computer directly. If you do Automatically Generate Rules, it's going to generate hundreds of rules. It's going to go through and identify all the programs that are currently installed, and it's going to lock it down to just those programs. I do not recommend
- 37:30 - 38:00 jumping into that. I really, honestly can't think of a possible scenario where that's ever a really good idea; just be like, let's do the automation, see how that works out. The default rules are great for just getting started with whitelisting. Now if you want to create a new rule, I want to show you some things that are pretty cool with this. If you want to create a rule by hand, you can create a rule that will allow an application or deny an application, and I can go into a little bit more detail about how I want to
- 38:00 - 38:30 establish a program that can execute. I can give it a path. So this will be very effective if you have the Program Files, the Windows directory, and then you have another opt directory that has these mission-critical apps; then absolutely you would want to set up some additional path rules to allow those to execute. You can also create a file hash rule to basically say, hey, if a file has this hash, allow it to execute or block it. But I want to show you Publisher. I think the Publisher rule is really probably one of my favorites. So what you can do is you can
- 38:30 - 39:00 create a reference file, and you can go to any number of different files that exist on the computer system, and you can basically choose, like, the program, any executables that you have, and it'll say, okay, I can create a rule around this specific application. And one of the things I love about this is it gives you the capability of saying how stringent you want that rule to be.
- 39:00 - 39:30 You can say, do we want it to be for this publisher? And you can see that I have a rule for Microsoft, which actually already has in there the product name, Microsoft Windows Operating System, the file name is set up, when mxc, and then the specific file version, and I can even say "and above." However, you can also take this little bar and you can scroll it up to say I will allow anything from this specific publisher to execute. So if you have a whole bunch of Oracle tools, and Oracle's being a nightmare and installing things all over the place, or if you have specific applets that you need to run
- 39:30 - 40:00 from a specific vendor and it's going to drop it into the Temporary Internet Files folders, or it's going to run an executable, which is... it's a bad idea, that's the way it runs... you can identify that executable and you can say this publisher is allowed, and it'll allow anything from that publisher to run. So there's the default rules for executables. Now I'm going to go and create the default rules for Installer Rules, we're going to generate the default rules for Script Rules, and then also generate the default rules for the
- 40:00 - 40:30 Packaged App Rules. All right, so this is about as plain-Jane vanilla of an AppLocker installation as you could possibly set up. So we've got our rules applied, and now I'm going to minimize that, and we're going to go back to our AppLocker policy, and I'm going to set it to Enforced. All right, I'm not actually... I'm not done. I skipped a step; somebody that's watching this is like, oh my God, he completely forgot to set up the services, and you would be right. So if I go into the Policies, go to Windows Settings, go to Security Settings, one of the things that you can do in addition to creating the
- 40:30 - 41:00 AppLocker rules is you can actually identify which services are going to start automatically, and for this to work we have to actually set up the Application Identity service, and I am going to set that to be Automatic and automatically start up. There we go. We're going to apply it. There you go, set. So we now have that Group Policy established, and we'll make sure that it's actually enforced. There we go, and we've got it applied to secdesk. So we went through, we created the AppLocker
- 41:00 - 41:30 policy, we've established the service that will allow AppLocker to actually run properly, and we have actually applied it to our specific... our specific organizational unit that we've created that has our wonderful computer, theboss. Now I'm going to go to my domain workstation, and I am going to do a gpupdate and I'm going to force it. Hey
- 41:30 - 42:00 John, quick, we keep getting... yeah, yeah? Does AppLocker only work for Enterprise versions of Windows? I believe so; I haven't tried it on Home. All right, we're updating the Group Policy on this workstation. I'm pretty sure it's Professional. Oh, now let's see if this...
- 42:00 - 42:30 Sometimes I have to run it twice, I don't know why. Make sure I can ping the domain controller. Right, bouncing... my Windows computer is starting to get nervous. There's a bunch of debate in the chat. Is that right, Russ? Oh, Pro and Enterprise. So I set up this entire environment in a VM environment, and one of the problems I've been running into is time sync. So whenever I take the VM out of sync, well, the timing
- 42:30 - 43:00 will be off between the two systems, and that's a problem. Years ago I had an incident where we had clustered domain controllers and they came unsynced from each other because of a Nessus scan, and it brought the whole system down. That was bad. Should be the same for... All right, we
- 43:00 - 43:30 logged in. All right, so let's see if this is actually working. Log in as a different user... log... whitelist... let's see if it worked. You can actually force the Group Policy from Active Directory, but it takes like ten minutes in some situations for it to
- 43:30 - 44:00 actually work. So let's go ahead and let's see if it took; if not, I'm going to log in as administrator and try a gpupdate /force again. There we go. All right, so now what's going on, let me zoom in, is any executable that is not in the specific path that was identified, in Program Files or in the Windows directory, is automatically going to pop up this little alert. It's going to say, hey, your system administrator has blocked this program. For more
- 44:00 - 44:30 information, contact your system administrator. So that's kind of cool in the fact that it's now stopping any random executables from running. However, if we have executables that are in that Program Files directory, they're going to work just fine. So a lot of the standard programs that a user would normally go through are going to execute without any issues. So now if we go back to our malware example that we did a little while ago, let's see how that changes things. Let's go into 172
- 44:30 - 45:00 .16.1... 122... what was it, 11? I've got things backwards here. And let's go to msf.exe, download it, let's try running it. Go ahead and run... stopped it. So we kind of have a before and after, right? So before we actually had AppLocker, I was able to download and execute any of the programs that I
- 45:00 - 45:30 wanted to, but now that I have AppLocker in place, it's actually stopping that execution. And once again, there's a lot of flexibility in AppLocker for allowing publishers through code signing certificates; you can also go through hashes if you want to go down to that level. But the big thing that I want to get across is, if you're going to implement application whitelisting with something like AppLocker, it is absolutely unnecessary to go all the way down to the individual file hashes on every single computer system. You do not have
- 45:30 - 46:00 to go to that level and that extent. Also, I want to get across as well that with a lot of the advanced endpoint security products that are out there today, the most difficult thing to get around is not the security product itself and its automatic, amazing artificial intelligence, whatever crap it is they're throwing at you, but what's really difficult to get by on a lot of these different tools is their whitelisting capability. And whitelisting is not something that you have to buy; whitelisting is free, you can absolutely do it
- 46:00 - 46:30 on your own. So let me go through a handful of slides and then we'll get to questions associated with this. There we go, get the redneck off the screen. All right, AppLocker bypasses. Yeah, a lot of the bypass techniques work, like rundll32 techniques, ISR-evilgrade, service exploits, .SCT files. I have a joke: bypassing never seems to end, it just goes on and on, my friend. Somebody started hacking it not knowing what it was, now
- 46:30 - 47:00 I'll just keep on hacking it forever just because it's the bypass that never ends, and it goes around and around and around. Now this gets into a problem that we currently have in the state of security right now. One of the problems that we have in the state of security is any time anyone talks about doing AppLocker, and I've been part of these conversations, I inevitably will have someone in the group say, well, you know, you could just bypass that by doing this particular technique, and that technique, and this technique, and then all the people that are listening are like, well, AppLocker must be crap with the default configurations. And that's garbage.
- 47:00 - 47:30 Honestly, if you actually implement AppLocker just with what I just showed you, you're going to stop ninety-five percent plus of the drive-by attacks that hit your organization. A lot of the ransomware that's now done is not going to work. This is the vast majority of the attacks that your organization is going to encounter; they're going to fall into that category. And seriously, if we could just shut down ninety-five percent or more of the attacks that are hitting your organization, can't we call that a win? Why is it everything in security has to
- 47:30 - 48:00 be completely a hundred percent foolproof? And I know this as a vendor, because I'll have people, whenever I'm talking about RITA and AI-Hunter, they'll say, well, I can get by RITA if I have a backdoor that beacons once per week; your tool's not going to detect it. Okay, you win. Well, exactly, we're supposed to take that? And I think we need to get away from "everything is garbage, and if we can bypass it, it's crap." It's kind of like the old Saturday Night Live sketch, but it's Scottish: "it's crap." There's a bad accent for you. And we need to actually
- 48:00 - 48:30 get down to some more realistic security expectations. And right now, all of your organizations have Sysmon; right now, all of your organizations have AppLocker, and it's free, and we can push it out, and we can do it effectively, and it'll make an attacker's life that much more difficult. So, some implementation principles before we actually try to jump into it. Start small. Start with your own security team. You could also start in audit mode; you aren't actually locking things down completely, you're auditing to see what it would have blocked through a normal
- 48:30 - 49:00 day, and then you can go in, you can easily create AppLocker rules for the different publishers' code signing certificates to allow them to run. Roll it out in stages, so start with your own security team and then roll it out to systems administrators or help desk, and then roll it out to the rest of the techie teams, maybe even developers as well. There's no reason that I can think of at all where you would want to roll this out to every single computer system in one shot. There's nothing about that
- 49:00 - 49:30 at all that is even remotely close to a good idea. And when you're working with the techie teams, when you're working with systems administrators, or working with help desk, or working with network administrators and the security team, you're working with people that are technically competent, at least I hope that they're technically competent, right? People in tech know things, and if something doesn't work and it says this executable doesn't fire, then you can have an intelligent conversation, rather than talking with someone who's saying, well, the internet doesn't work. What does that mean, the internet's not working at
- 49:30 - 50:00 all? But I don't, I don't know what it means that the internet doesn't work, and they have some weird streaming app that they've downloaded on their desktop, and they're running it on their desktop, and they're like, that doesn't work. It's better to work with somebody who knows technically what is actually going on. So I wanted to open it up for questions. I think we're doing great on time; we have 10 minutes. Wow, there's a lot of people in the room. All right, so let's get started. What questions do we have, folks? If you're going to go, CJ... Yeah, and a couple
- 50:00 - 50:30 from way back there talking about Sysmon and about how that scales and how you would incorporate multiple feeds. So one of the things that we'll do a little bit later, when we're talking about Sysmon, is we did not touch logging, like how do you actually get Sysmon to get forwarded on to an event logging service. When you're looking at ELK implementations like HELK, which is amazing, it has the ability for you to ingest Sysmon and automatically index those Sysmon events. So that's
- 50:30 - 51:00 probably the next webcast I'm going to do for next week, because I'm home, and that's awesome. We'll probably stand up a whole HELK instance and then we'll walk through how to set it up so Sysmon is dumping directly into a security instance that is specifically configured for event logging, or for logging of Sysmon, among other things, and specifically doing it for security, because it's just absolutely fantastic. And I think the guy that runs the HELK project is actually part of SpecterOps, which is just doing amazing work these days. Nick wants you to work on your
- 51:00 - 51:30 Scottish accent. You've got to work on my Scottish accent? No, no, I am NOT going to work on my Scottish accent. All right, any other questions? Yes: by default, will AppLocker prevent files from alternate data streams? So it depends on where they're executing. If you actually put the file in the alternate data stream in the Windows or the Program Files directory, that hierarchy is going to allow it to go through. But if
- 51:30 - 52:00 somebody drops it into a temp folder, or they drop it onto a desktop, it's going to stop that from executing. If you actually look at something that's executing in an alternate data stream, and you look at it in Process Explorer, it'll show you the alternate data stream. So the alternate data stream is irrelevant insofar as it relates to the path; it's the path that matters more than the alternate data stream. Good question. A lot of questions on looking at the output of the logs for AppLocker. I saw that it goes to Event Viewer, or other ways? And yeah, that's
- 52:00 - 52:30 where you're going to have to look, especially whenever you're testing it. I got a good question from Jim: how to utilize AppLocker when there are programs like GoToMeeting and WebEx that install in the AppData folders. You can actually go through and set it up by the publisher; that was one of the things I showed. So if you have things that you use all the time like WebEx, you could go through and say, okay, this is a publisher that I trust. You don't have to actually get down to the executable, you don't have to get down to the hash, you don't have to get down to the version; you can just say we trust this publisher, and you allow it to execute. So I hope that answers Jim's question. Oh, great question.
- 52:30 - 53:00 Alex just said, aside from forwarding the logs off of the system, are there any best practices to protecting Sysmon and AppLocker logs from modification? Honestly, the best thing to do is get them off the system as quickly as possible. That is the best possible thing, because remember, when you're looking at Mimikatz, Mimikatz had the ability to actually allow you to clear out the event log and not have the "event log was cleared" alerts show up. I know Josh Wright has written some tools to prevent certain event logs from being written. We
- 53:00 - 53:30 also saw that this was a technique and a capability and a tool that was part of the Vault breach. So yes, there are ways to modify event logs; get them off the system as quickly as you can. This old trick will still work: we had the write-once, you basically put it to a CD, the hashes... oh, you're Northrop Grumman, right? And I think there's no projects that are doing that to this day. Thankfully that, for most enterprise organizations, is not insane. Wages popped
- 53:30 - 54:00 up and said, wait, a hash... publisher rules are best, hash rule if not signed, path rule... There's a lot of programs from a vendor that doesn't sign, but why are you buying stuff from them anyway if they're not signing their executables as well? Other good ways to protect malicious services from killing Sysmon? This basically boils down to: don't let the attacker get administrator rights on a computer, because that's bad, right? So I want to throw it over to BB. BB, do you have any thoughts on Sysmon and
- 54:00 - 54:30 AppLocker and kind of our tests and things like that? Let's see, I've actually just kind of started playing with it myself on a VM and running some of the tools that I use on a test against it, and I'm, I'm just... I was floored at how visible, like, everything I normally do becomes once you've got... once you've got Sysmon enabled on there. So, like, they used... not really my thing, but to see how it shows up, what
- 54:30 - 55:00 I'm testing, that was, it was impressive. Yep, and I think that it's pretty consistent: once you get code execution and you start doing things after code execution, it loses a lot of visibility, especially whenever you're doing things in memory. But by and large, that initial execution and that network connection that it leaves, it's pretty much always nailed the network connections for me. You may have migrated into another process, like we talked about the rundll32, which would be a legitimate
- 55:00 - 55:30 Windows process that's a way to kind of office gait and hide in plain sight but you're still gonna see that network connection as well Oh Bruce wanted me to mention and I agree Mac has whitelisting enabled by default and he's right it's pretty easy to bypass but um I downloaded and ran chicken of the VNC and it's just this random it isn't from the App Store so in order to execute it on a Mac you have to go through right-click and then execute or open and then it'll pop up and it say hey you didn't you didn't download this from the
- 55:30 - 56:00 App Store are you sure you want to run it and then you have to click OK if you just double click on it it stops it as well so asking again I saw that hold on where to go how can mmm how can I map out the various programs that all enter users are using in different locations and paths in order to create the rule semi-automatically all right let's do with that Hey who's with me let's answer yahrens question while we're answering that question CJ do you have another question just kind
- 56:00 - 56:30 of request about a webcast presenting a matrix of expensive tools and the built-in ones that do a good job and I think we're always a little agnostic on that because usually the the free tools involve a lot more labor and integration they don't come as full-featured and you always talk about like because we have questions here about doesn't this carbon black do I do app white listing with that and we always say yes make sure what they may be advanced in point
- 56:30 - 57:00 protections you're using the application whitelisting features yeah absolutely I think it's a great exercise if you've got some of these tools already took - what's built-in so so the answers always depend on your environment Gojo and honestly if you're not ready for whitelisting with AppLocker you're not going to be ready for whitelisting with a commercial third-party tool this is a great way to start it out with to start out with the path exception so let's answer yahrens question now that I'm at the end of the webcast let me blow this up so here you go we go
- 57:00 - 57:30 automatically generate rules we give it the path and then it's going to do this and then it's going to create them and there we go well I only have one but if I had a number of executables here would actually go through and map out all of the different executables that are there should have gone through and done all the ones in Program Files hmm Pass rule there we go maybe but it's kind of
- 57:30 - 58:00 insane as I said I don't like doing that I don't so if you have like a normal system you're gonna have hundreds of files here and you're gonna be back to just doing it my path to start out as well all right oh man so many questions on the different things like gray log versus how versus saw phallic versus oh my god John one question they came up a few times any suggestions techniques for managing system on config files enterprise-wide so what I'd recommend if you want to run
- 58:00 - 58:30 multiple different configuration piles if we go back to the slide deck which is here sorry I have two computers and I'm on the wrong keyboard let's go here one of the things you could do is this so for each of the different Oh use that you create you can have a different configuration file like you drive config one config to config three can fit four and you'll be hosting those once on the domain and then all of your systems would actually pull that from the domain as well we have an alternative as we
- 58:30 - 59:00 said whitelisting is pretty much built into a Mac NIC which is nice okay Wow so the next one is going to be next one is going to be on logging I'll go ahead and set that up with like Hulk and Safa elk and I'll actually run both of them I'll try to set it all up so my domain ascending to hell and then I'll set it up with saw Falcon I'll try to do a full kind of shootout between the two but there's people like that that are much much much better than I am at that as well so I
- 59:00 - 59:30 hope that you guys enjoyed this webcast as I said this one was a long time coming I think that we get caught up in like new fancy tools and we don't go back to basics so I think that coming back to a basic basic like kind of setup is important every once in a while to make sure that we're getting these basics and fundamentals in place so I think the next one's gonna be on logging and I think the next one that I want to do is how to push out firewall rules via group policy because I'm always telling people enable your host-based firewalls
- 59:30 - 60:00 enable your host-based firewalls and I think that it's a really really good idea but once again we've never walked through specifically how to do that as well so with that let's get out of here everybody thank you so much and I appreciate you all coming and tell your friends that we do these webcasts and they're free and it's like free training which is pretty cool and we'll see you at the next one [Music] [Applause] [Music]