Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI


Monitoring your network and gathering massive amounts of data has become easier and easier. Many guides exist on how to gather data, and lots of companies have “enterprise grade” Security Information and Event Management products that can ingest terabytes of data. But what seems to be missing from most environments is the ability to apply…


When the manual is not enough – runas /netonly, Unexpected Credential Exposure and the Need for Reality Based Holistic Threat Models

One of the things I always advocate for IT Professionals/Defenders is that versus letting Penetration Testers and Real Attackers figure out the holes in their systems, is a serious contemplation of how you would bypass your own defenses. Your adversaries are more than willing to spend time learning the apps and defenses you have in…


Tracking Lateral Movement Part One – Special Groups and Specific Service Accounts

Lateral Movement – the moving of an attacker from one compromised host throughout your domain until they find what they are looking for – is something we see many just about all attackers doing during compromise. I’ve talked a lot about the attacker behavior and how to stop it – strong protective controls can serve…


Monitoring what matters – Windows Event Forwarding for everyone (even if you already have a SIEM.)

   Last week at Ignite Australia I presented a session (available here ) on something I don’t think gets talked about enough – Windows Event Forwarding, or WEF.  (Edit: I’ve also since done an depth Microsoft Virtual Academy session on Event Forwarding too!). Often when we engage for an Incident Response, we find the customer : Has no centralized logging Are…