Windows Event Forwarding and OSSEC - You can do this! presented at BSidesAugusta 2018

by Robert Wilson

Summary: Most organizations in the United States are small, and many cannot afford an MSSP or a SIEM. In some cases a small business has a single administrator who wants to take additional steps to secure the organization. Using native Windows tools and the open-source HIDS OSSEC, we will cover setting up Windows Event Forwarding to a collection server, customizing OSSEC for a modern Windows environment, and tuning rules to gain visibility into clients. We will then look at using OSSEC to detect current techniques such as AppLocker bypasses, to consume PowerShell logging, and to alert on modern Windows protections such as Defender Controlled Folder Access blocks and Network Protection events. All of this will cost you nothing beyond using your brain, some virtual machines, and whatever hardware you need, which you probably already have.
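The collector-side half of the setup the summary refers to, as an added example that is not from the talk or its author: run as an administrator on a hypothetical collector named WEC01, it enables the Windows Event Collector service and creates a source-initiated subscription that forwards only the channels the talk lists (AppLocker, PowerShell script block logging, and Defender Controlled Folder Access and Network Protection). The host name, subscription name, batching values and the choice of event IDs are assumptions for this example; the IDs themselves are the ones Microsoft documents for those features (AppLocker 8003/8004 and 8006/8007 for audit and block, PowerShell 4104 for script blocks, Defender 1123/1124 for Controlled Folder Access block/audit and 1125/1126 for Network Protection audit/block).

```powershell
# Added example, not code from the BSidesAugusta talk. Run elevated on the
# collector (assumed host WEC01). Clients need only two things: the Group Policy
# setting "Configure target Subscription Manager" pointing at the collector, e.g.
#   Server=http://WEC01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60
# and NETWORK SERVICE in the local Event Log Readers group so protected logs can be read.

# 1. Enable the Windows Event Collector service and prepare the ForwardedEvents log.
wecutil qc /q

# 2. Build a source-initiated subscription. The XPath selects only the events the
#    talk discusses; everything else stays on the client and is never forwarded.
#    AppLocker:  8003 EXE/DLL would-be-blocked (audit), 8004 EXE/DLL blocked,
#                8006 MSI/Script audit, 8007 MSI/Script blocked
#    PowerShell: 4104 script block (requires Script Block Logging policy on clients)
#    Defender:   1123/1124 Controlled Folder Access block/audit,
#                1125/1126 Network Protection audit/block
$subscriptionName = 'OSSEC-Detections'   # assumed name
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wrm/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>AppLocker, PowerShell and Defender events for OSSEC</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>5000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Microsoft-Windows-AppLocker/EXE and DLL">
          <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*[System[(EventID=8003 or EventID=8004)]]</Select>
          <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*[System[(EventID=8006 or EventID=8007)]]</Select>
        </Query>
        <Query Id="1" Path="Microsoft-Windows-PowerShell/Operational">
          <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select>
        </Query>
        <Query Id="2" Path="Microsoft-Windows-Windows Defender/Operational">
          <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=1125 or EventID=1126)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

# The SDDL above grants forwarding rights to all Domain Computers (DC); tighten it
# to a specific group if only some hosts should report.
$xmlPath = Join-Path $env:TEMP "$subscriptionName.xml"
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding Unicode
wecutil cs $xmlPath

# 3. Confirm clients are registering and events are landing on the collector.
wecutil gr $subscriptionName
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5
```

Once events arrive in ForwardedEvents, the hand-off to OSSEC is a single localfile entry in the collector's OSSEC agent configuration that reads that channel with the eventchannel log format; the rules for each event ID are then written on the OSSEC server, which is the tuning work the talk describes. The HTTP transport on 5985 shown here is Kerberos-authenticated and encrypted at the WS-Management layer in a domain; use HTTPS if non-domain clients must forward.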