SAMPLE ALERT IMAGES
Unusual User Sign In Occurred
This alert is letting the recipient know the reception account signed into a device outside of its normal assignments
Never Before Seen Device Joined Network
This alert is displaying 4 devices that recently were physically plugged into an Ethernet cable or joined the Wi-Fi network. Now that these devices are known they will not be detected again unless you remove them from the CSV file containing device history info.
Suspicious Event Triggered
This alert was triggered from centralized logs using Windows Event Forwarding. System Update, when run on Lenovo computers as a standard user, will create a temp account, add it to the local administrators group and install missing updates. It then removes the created account from the local Administrators group and deletes the account. If this were an attacker trying to cover their tracks this would have caught it.
Port Scan Detection
This alert informs the cyber security team when a port scan has been attempted against a server. This currently does not work for File Servers or VoIP servers which have hundreds of unique IP addresses connecting a minute.
Remediate A Compromised Office Account
This is some output showing the results of what happens when the RemediateCompromisedOfficeAccount.ps1 is run. For more information on what this does click HERE.
Review Mail Forwarding Rules
This alert is meant to come in once a week. It allows administrators to easily view any email forwarding rules and ensure that no information is being compromised unknowingly.
Account Locked Out From Failed Password Attempts
This alert lets you know when a user account has been locked out. There is also an alert to be notified when a locked out account has been manually unlocked.
Daily Autoruns Information Sent to Event Viewer
This is showing the Autoruns Event Viewer entry that gets created. An easy to read CSV file also gets saved to C:\Program FIles\AutorunsToWinEventLog\AutorunsOutput.csv
Thanks to: https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog
Insecure LDAP Bind Occurred
This alert is to let you know when an LDAP Bind occurs that is not encrypted with LDAP over SSL. This can help to implement LDAP over SSL in an environment or discover possible LDAP enumeration attempts from an attacker.
User Account Expiring
This alert lets IT Administrators know when a user account is about to expire.
DNS Zone Transfer Alert
This alert was triggered by an executed DNS Zone transfer. Normal DNS server communication does not trigger this alert. Manually requesting a zone transfer will, allowing you to discover any attackers looking to learn about your environment.
Connection History
ListenPortMonitor.ps1's main goal is to keep an eye open for newly opened ports on a server to discover possible Reverse Shells or Bind Shells. A connection history log is kept to help trace connections that have been established with a server.
Blacklisted IP or Young Domain
When a device establishes a connection to an IP that is on 4 or more blacklists or a domain that is less than 2 years old you will be informed. The events are also stored in the Event Viewer under "MaliciousIPs". It seems that an IP address on 3 blacklists does not necessarily mean it is dangerous or something to do anything about. Correct me if my analysis is wrong.
Password Changed
This alert informs you when a users password has been changed by an Administrator or other user. Allowing user to change passwords through Azure will generate this alert as well.
Normal Password Change
Receive an alert whenever a user has changed their password. Compare this value to the Administrator list you receive. This allow you to notice any passwords changing outside normal conditions.
Disable Wek Ciphers and SSL
Hardening cmdlet allows you to quickly and easily disable weak TLS protocols and associated ciphers to prevent weak encryption methods from being used.
User Account Unlocked
This alert informs administrators when a user account has been manually unlocked as well as who unlocked what account.
User With Passwords Expiring
Receive a list of users whose passwords are expiring in the next 2 weeks. This helps you keep tabs and who is expected to be changing their passwords. Someone not on this list who has their password changed may be under attack.
Enable DNS over HTTPS
This hardening cmdlet allows you to easily enable or if desired disable DNS over HTTPS on any Windows 10 Device in your environment
Windows Event Forwarder Application
Summary
The purpose of this web application is to easily investigate any email alerts received that indicate a possible compromise. This server has Windows Event Forwarding (WEF), configured in a "source collector" set up. This means that the clients in the environment initiate connections to the server before sending logs. When one of the suspicious event ID's occur on any of the devices, the event info is forwarded to the WEF source collector server using WinRM over HTTPS. Once an hour the collected event logs are imported into a SQL database. Any newly discovered events that indicate possible compromise trigger an email alert which is then sent to the IT Administrators. This application can be used to search that SQL database and view the details of an event. The SQL database is useful because searching a SQL database is 100x faster than parsing the Windows Event Logs through XML. It also stores critical events for a longer period of time than the events would normally exists inside Event Viewer. This is because when Event Viewer logs reach a certain size, old logs are removed to make room for new ones.
Protection against SQL injections and CSRF have been implemented. Penetration testing has been performed to ensure the security of the application. There are no presently discovered vulnerabilities. Security is a feature! If you find a vulnerability that I have not please let me know so I can fix it. rosborne@osbornepro.com
Functionality
REORDER: The columns in the database table can be organized by ascending or descending order. This is done by clicking the linked column header.
SEARCH: The search will parse the database by searching for the specified term in all of the columns. There are presently 10 items that will be displayed per page.
DETAILED: Events can also be shown in a detailed view by clicking the "Details" button next to an event in the table. This will display a few more bits of info for the event.
Table View of WEF Application
This WEF Application is used to view and st log files that are a high likelihood to be indications of compromise. These logs get collected from all devices in the environment. The following Event ID's are collected and put into the database:
1, 2, 1102, 4732, 4733, 4720, 4726, 7045, 4756, 4757, 4728, 4729, 4649, 4723,
Detail View
Events can also be shown in a detailed view by clicking the "Details" button next to an event in the table. This will display a few more bits of info for the event.