Graylog GO 2024

This page is a consolidation of all of the items discussed in the Graylog Go 2024 talk From Hidden to Exposed: Advanced Graylog Alerts for Malicious Activity. This is placed here so you can quickly get straight to the individual guides to each section and see more of the research towards each of them. 

1. NTLM (NTLMv1 –> NTLMv2) ​
2. LDAP Signing (beginning to solve PetitPotam) ​
3. SMB Signing​
4. Broadcast (LLMNR, mDNS, NetBIOS) ​
5. WPAD

​The Bonus content is: 

1. AD Enumeration Detection
2. RC4 (Kerberoast) detections ​
3. Advanced Backups Alerting (Baselining and alerting) ​
4. Advanced (Account) Alerting (Baselining and alerting)
5. PhantaByte GPO PowerShell Script for helping to automate remediation​
6. NetBait Multicast / Broadcast honey pot script