Identifying a threat using SIEM data. Read Post »
Identifying a threat using SIEM data. For this task you are going to detect and identify a threat in a Windows 7 system. Refer to previous labs for guidance here. 1. Login to the Windows 10 system. 2. Open the Splunk link on the Desktop. Login with admin/changeme 3. Go to Search. 4. Create and […]
Demonstrating use of the Windows Task Scheduler Read Post »
Demonstrating use of the Windows Task Scheduler. For this task you are going to configure task scheduler to automatically download a file (this is also a method used by threat actors to reload or infect a system with malware): If you have already closed your lab, use the following link to book a session on
Importing log data into a SIEM solution Read Post »
For this task you are going to import some static log data into a SIEM. Login to the Windows 10 system. Open the Splunk link on the Desktop. Login with admin/changeme Go to Add Data Follow the Tutorial for adding data link and download a current copy of the zip file. The file to be
Locate the re-occurrence of Malware and remove it Read Post »
Locate the re-occurrence of Malware and remove it. Using your knowledge of the persistent threat you have created: List ALL the steps you would need to do to remove the malware from the system and prevent its return. 1. Locate the scheduled task and delete it. o Open Task Scheduler by pressing Win + R,
Mitigating a detected threat Read Post »
Point 4: With EternalBlue exploit, the vulnerability is typically associated with Microsoft Security Bulletin MS17-010 EternalBlue exploits a vulnerability in the SMBv1 protocol, allowing remote code execution. Point 7: Disable SMB1 protocol Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol Enable Firewall: Ensure the Windows Firewall is enabled and configured properly. Enforce
Configuring Windows to forward logs to a SIEM solution Read Post »
Configuring Windows to forward logs to a SIEM. For this task you are going to setup windows event log forwarding into a SIEM. Refer to previous lab activities on how to do this. Login to the Windows 10 system. Open the Splunk link on the Desktop. Login with admin/changeme Configure Splunk to receive data. Install
