Hi [[ session.user.profile.firstName ]]

LogRhythm APJ

  • Date
  • Rating
  • Views
  • PowerShell Audit Logging: Catch Intruders Living off the Land PowerShell Audit Logging: Catch Intruders Living off the Land Randy Franklin Smith: Windows Security Subject Matter Expert. Greg Foss: Sr. Security Research Engineer, LogRhythm, Inc. Recorded: Dec 7 2016 82 mins
    PowerShell is like nuclear fission—it’s powerful, and it can be used for good and evil. The bad guys love to exploit PowerShell for at least three reasons:

    1. It’s already installed on most versions of Windows.

    2. It’s powerful. You really can do just about anything in PowerShell—even call into the Win32 API if enabled.

    3.There are no EXEs or DLLs to upload.

    Lee Holmes (Microsoft’s PowerShell extraordinaire) will be joining me to show you how to catch intruders exploiting PowerShell to their own ends.

    First, we will provide a brief overview of PowerShell security capabilities especially enhancements in PowerShell 5.0t. There are some really good preventive steps you can take to limit your exposure to PowerShell-related risks. And PowerShell 5.0 is available on Windows 2008 R2 SP1 and Windows 7 SP1 and up, so this isn’t vaporware.

    Then we will zero in on the auditing capabilities in PowerShell. We’ll show you how to enable PowerShell logging so that you get events for every script block executed. We’ll show you sample events and discuss how to interpret them, how to filter the noise and more.

    I’ll also briefly point out some less powerful, but easy-to-implement techniques for just detecting the use of PowerShell itself using Process Tracking events. This can be useful for highly controlled endpoints where use of PowerShell at all is very limited and easy to recognize if PowerShell is being used in an unusual way.

    Of course producing valuable audit data is one thing. Collecting, analyzing and alerting on it is another. And that’s where our sponsor, LogRhythm, comes in. The security experts at LogRhythm have been following the increased exploitation of PowerShell by the bad guys and been publishing their own tips on how to combat. Greg Foss will briefly demonstrate LogRhythm’s built-in knowledge of PowerShell and its ability to correlate PowerShell events with all the other security intelligence LogRhythm collects from your enterprise.
  • Streamlining Threat Life Cycle Management: SANS Review of LogRhythm 7 Streamlining Threat Life Cycle Management: SANS Review of LogRhythm 7 Dave Shackeford, SANS Analyst, Erick Ingleby, Product Manager, LogRhythm, Inc. Recorded: Dec 1 2016 61 mins
    When it comes to detecting and responding to breaches, time and accuracy matter most. In this webcast, Senior SANS Instructor Dave Shackleford discusses his experiences reviewing the newly-released LogRhythm 7. Also, learn how LogRhythm reduces mean time to detect (MTTD) and mean time to response (MTTR) through machine-driven, real-time behavioral analytics, rapid forensic search and automated response.

    Mr. Shackleford will highlight & demonstrate how LogRhythm 7 enables forensic investigations, enhanced search functionality, streamlined administration, event prioritization & incident response orchestration.