secops-by-joes

By inaor

SecOps checks for endpoints: EDR, Sysmon, updates, EVTX

---
name: Security Joes AI Analyst
description: SecOps checks for endpoints: EDR, Sysmon, updates, EVTX on heartbeat, least privilege, network visibility, credential protection (Kerberos/NTLM/pass-the-hash), device inventory and known vulnerabilities, weekly assessment, and skill integrity (hash-on-wake, version-aware). Use when implementing or reviewing host posture, heartbeat logic, EDR/Sysmon/EVTX, privilege, network exposure, credential hardening, vuln assessment, weekly SecOps review, or skill compromise checks.
version: 1.0.0
author: Security Joes
authorUrl: https://www.securityjoes.com
homepage: https://www.securityjoes.com
license: MIT
metadata:
  openclaw:
    emoji: "🔒"
    category: "security"
tags:
  - security
  - secops
  - clawhub
  - edr
  - sysmon
  - evtx
---

# Security Joes AI Analyst

You guide and implement SecOps checks for endpoints. Focus: **EDR**, **Sysmon**, **updates**, **EVTX on heartbeat**, **least privilege**, **network visibility**, **credential protection** (Kerberos/NTLM/pass-the-hash), **device inventory and known vulnerabilities**, and **weekly assessment**. Targets Windows; use PowerShell/WMI/registry and EVTX where appropriate.

## Responsibilities

1. **EDR sensor** – Detect at least one EDR (Defender, CrowdStrike, etc.). Report presence/absence and basic health.
2. **Sysmon** – Confirm Sysmon is installed and logging; identify log location (typically EVTX).
3. **System up-to-date** – Check OS/build and patch level; report stale if beyond policy (e.g. 30+ days).
4. **Heartbeat + EVTX** – On heartbeat, query Security/Sysmon/Defender EVTX for recent alerts; attach summary or raise alert.
5. **Least privilege** – Check if the device/user runs with least privilege (not admin, UAC/token elevation as expected).
6. **Network visibility** – What other networks/interfaces the device sees (interfaces, ARP, WiFi, domain trust, net view/session).
7. **Credential protection (network level)** – Kerberos/NTLM hardening and pass-the-hash resistance (SMB signing, LDAP signing, NTLM restrictions, Credential Guard).
8. **Device details and known vulnerabilities** – Inventory OS, patches, installed software; correlate with known CVEs or vuln data for assessment.
9. **Weekly assessment** – Run a full SecOps checklist weekly; produce assessment report and optionally emit as event.
10. **Skill integrity** – On first wake, hash this skill and other known skills; store hashes. On each wake, re-hash and compare; use version changes to treat upgrades vs compromise and alert on unexpected changes.
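One way to implement the hash-on-wake check in item 10, as an added PowerShell example (not the skill's own code). It assumes each skill is a directory holding a `SKILL.md` whose YAML front matter carries a `version:` key (as this file does), and that the operator chooses where the baseline JSON lives; both paths in the usage line are assumptions.

```powershell
# Added example: hash skills on wake, compare against a stored baseline, and use the
# front-matter version to tell an upgrade (hash and version changed) from tampering
# (hash changed, version did not). Paths are assumptions.

function Get-SkillVersion {
    param([string]$Path)
    # Read `version:` from the YAML front matter (the block between the two '---' lines).
    $inFrontMatter = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -eq '---') {
            if ($inFrontMatter) { break }
            $inFrontMatter = $true
            continue
        }
        if ($inFrontMatter -and $line -match '^\s*version:\s*"?([^"\s]+)"?') { return $Matches[1] }
    }
    return $null
}

function Get-SkillBaseline {
    param([string]$SkillsRoot)
    $baseline = @{}
    Get-ChildItem -LiteralPath $SkillsRoot -Recurse -Filter SKILL.md | ForEach-Object {
        $baseline[$_.FullName] = @{
            sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            version = Get-SkillVersion -Path $_.FullName
        }
    }
    return $baseline
}

function Test-SkillIntegrity {
    param([string]$SkillsRoot, [string]$StorePath)
    $current = Get-SkillBaseline -SkillsRoot $SkillsRoot

    if (-not (Test-Path -LiteralPath $StorePath)) {
        # First wake: persist the baseline; nothing to compare yet.
        $current | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $StorePath -Encoding UTF8
        return @()
    }

    $stored = @{}
    (Get-Content -LiteralPath $StorePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $stored[$_.Name] = $_.Value }

    $findings = @()
    foreach ($path in $current.Keys) {
        $now = $current[$path]
        if (-not $stored.ContainsKey($path)) {
            $findings += [pscustomobject]@{ skill = $path; status = 'new_skill'; severity = 'warn' }
            continue
        }
        $was = $stored[$path]
        if ($was.sha256 -eq $now.sha256) { continue }
        if ($was.version -ne $now.version) {
            # Content and version both changed: treat as an upgrade.
            $findings += [pscustomobject]@{ skill = $path; status = 'upgraded'; severity = 'info'; from = $was.version; to = $now.version }
        } else {
            # Content changed under the same version: unexpected modification, alert.
            $findings += [pscustomobject]@{ skill = $path; status = 'tampered'; severity = 'alert'; version = $now.version }
        }
    }
    foreach ($path in $stored.Keys) {
        if (-not $current.ContainsKey($path)) {
            $findings += [pscustomobject]@{ skill = $path; status = 'removed'; severity = 'warn' }
        }
    }

    # Re-baseline only when nothing looks tampered, so the evidence survives for review.
    if (-not ($findings | Where-Object { $_.status -eq 'tampered' })) {
        $current | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $StorePath -Encoding UTF8
    }
    return $findings
}

# Usage (both paths are assumptions):
Test-SkillIntegrity -SkillsRoot "$HOME\.openclaw\skills" -StorePath "$HOME\.openclaw\skill-hashes.json" |
    ConvertTo-Json -Depth 3
```

The baseline is deliberately not rewritten after a `tampered` finding, so the stored hash remains available to whoever investigates; an `upgraded` finding re-baselines automatically.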

## When to apply

- User asks for host posture, endpoint health, “is this machine secure?”, or weekly SecOps review.
- Implementing or extending collector/heartbeat logic.
- User mentions EDR, Sysmon, EVTX, least privilege, network exposure, Kerberos, pass-the-hash, credential protection, vulnerabilities, weekly assessment, or skill integrity / compromise check.
- Reviewing or designing what “healthy endpoint” means for the dashboard.

---

## 1. EDR sensor checks

**Microsoft Defender**

- Service: `WinDefend` (Get-Service WinDefend).
- Optional: `Get-MpComputerStatus` for health – `RealTimeProtectionEnabled`, `AntivirusSignatureAge` / `AntivirusSignatureLastUpdated`, and `AMRunningMode` (reports "Passive Mode" when a third-party EDR is primary).
- Registry (if needed): `HKLM\SOFTWARE\Microsoft\Windows Defender` and related product state keys.

**CrowdStrike Falcon**

- Service: `CsAgent` (Get-Service CsAgent -ErrorAction SilentlyContinue).
- Registry: `HKLM\SYSTEM\CurrentControlSet\Services\CsAgent` or Falcon-specific keys under `HKLM\SOFTWARE\CrowdStrike`.

**Others (SentinelOne, Carbon Black, etc.)**

- Prefer service name + optional registry/process check. Document which EDR is “primary” for the environment.

**Output**

- At least: `edr_present: true|false`, `edr_name: "Defender"|"CrowdStrike"|...`, optional `edr_healthy: true|false` (e.g. service running, real-time on).

---

## 2. Sysmon

- **Service**: `Sysmon64` or `Sysmon` (Get-Service Sysmon64, Sysmon -ErrorAction SilentlyContinue).
- **Log**: Usually EVTX – `Microsoft-Windows-Sysmon%4Operational` under `C:\Windows\System32\winevt\Logs\` (path: `...\Microsoft-Windows-Sysmon%4Operational.evtx`).
- **Config**: Optional – dump the active configuration with `Sysmon64 -c` (no file argument prints the current config; `-s` prints the schema, not the config) to confirm logging scope.

**Output**

- `sysmon_installed: true|false`, `sysmon_log_path: "..."` (if available), optional `sysmon_service_running: true|false`.
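The checks in sections 1 and 2 as one added PowerShell example (not the skill's own code). Service names for non-Microsoft products (`SentinelAgent`, `CbDefense`) are assumptions based on vendor defaults and should be confirmed against your own fleet; the seven-day signature-age limit is an example threshold.

```powershell
# Added example: EDR and Sysmon sensor presence/health, emitting the output fields
# named in sections 1 and 2. Non-Microsoft service names are assumed defaults.

function Get-EdrStatus {
    $candidates = @(
        @{ Name = 'Defender';    Service = 'WinDefend' },
        @{ Name = 'CrowdStrike'; Service = 'CsAgent' },
        @{ Name = 'SentinelOne'; Service = 'SentinelAgent' },   # assumed default service name
        @{ Name = 'CarbonBlack'; Service = 'CbDefense' }        # assumed default service name
    )
    $sensors = foreach ($c in $candidates) {
        $svc = Get-Service -Name $c.Service -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        $running = ($svc.Status -eq 'Running')
        $healthy = $running
        if ($c.Name -eq 'Defender') {
            # A running service is not enough: real-time protection on and signatures fresh.
            $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
            if ($mp) {
                $healthy = $running -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 7)
            }
        }
        [pscustomobject]@{ edr_name = $c.Name; service = $c.Service; running = $running; edr_healthy = $healthy }
    }
    $sensors = @($sensors)
    $names = $null
    if ($sensors.Count -gt 0) { $names = ($sensors.edr_name -join ',') }
    [pscustomobject]@{
        edr_present = ($sensors.Count -gt 0)
        edr_name    = $names
        edr_healthy = ($sensors.Count -gt 0 -and -not ($sensors | Where-Object { -not $_.edr_healthy }))
        sensors     = $sensors
    }
}

function Get-SysmonStatus {
    $svc = Get-Service -Name Sysmon64, Sysmon -ErrorAction SilentlyContinue | Select-Object -First 1
    # -ListLog gives the channel's file path, record count and last write time without reading events.
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue
    $logPath = $null; $records = $null; $lastWrite = $null
    if ($log) {
        $logPath   = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
        $records   = $log.RecordCount
        $lastWrite = $log.LastWriteTime
    }
    [pscustomobject]@{
        sysmon_installed       = ($null -ne $svc)
        sysmon_service_running = ($null -ne $svc -and $svc.Status -eq 'Running')
        sysmon_log_path        = $logPath
        sysmon_record_count    = $records
        sysmon_last_write      = $lastWrite
        # Installed but a log that never advances usually means a broken or empty config.
        sysmon_logging         = ($null -ne $svc -and $records -gt 0)
    }
}

[pscustomobject]@{ edr = Get-EdrStatus; sysmon = Get-SysmonStatus } | ConvertTo-Json -Depth 4
```

`Get-WinEvent -ListLog` is used instead of probing the EVTX file directly so the check works even if the channel has been redirected to a non-default path.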

---

## 3. System up-to-date

- **Quick**: `Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1` for last patch date; or `(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").CurrentBuild` (and optionally `UBR`, the revision number) for the build.
- **Stricter**: `Get-HotFix` wraps WMI `Win32_QuickFixEngineering`, which misses many update types (feature, servicing-stack, Defender). Use the Windows Update Agent COM API instead – `Microsoft.Update.Session` (update history, last successful install) and `Microsoft.Update.SystemInfo` (`RebootRequired` for pending reboots).
- **Policy**: Define “stale” (e.g. no patch in 30+ days or build behind current branch) and report `up_to_date: true|false` and optional `last_patch_date` or `build`.
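The section 3 check carried through, as an added PowerShell example (not the skill's own code). The 30-day limit is the example policy from the text; `Operation` 1 / `ResultCode` 2 are the WUA history codes for a successful installation.

```powershell
# Added example: patch-level posture. Combines the QFE view (Get-HotFix) with the
# Windows Update history, because Get-HotFix alone under-reports installed updates.

function Get-UpdatePosture {
    param([int]$MaxAgeDays = 30)   # example policy value

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = "$($cv.CurrentBuild).$($cv.UBR)"

    # Newest QFE entry; InstalledOn is blank for some rows, so drop those before sorting.
    $lastHotfix = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    # WUA history via COM: Operation 1 = installation, ResultCode 2 = succeeded.
    $lastWuInstall = $null
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $total = $searcher.GetTotalHistoryCount()
        if ($total -gt 0) {
            $lastWuInstall = $searcher.QueryHistory(0, $total) |
                Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
                Sort-Object Date -Descending | Select-Object -First 1 -ExpandProperty Date
        }
    } catch { }   # WUA unavailable (e.g. service disabled): fall back to the QFE date only

    $rebootPending = $null
    try { $rebootPending = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired } catch { }

    $dates     = @($lastHotfix.InstalledOn, $lastWuInstall) | Where-Object { $_ }
    $lastPatch = $dates | Sort-Object -Descending | Select-Object -First 1
    $ageDays   = $null
    if ($lastPatch) { $ageDays = [int]((Get-Date) - $lastPatch).TotalDays }

    [pscustomobject]@{
        build           = $build
        last_patch_date = $lastPatch
        patch_age_days  = $ageDays
        reboot_pending  = $rebootPending
        # Stale if no patch date is known, the last one is beyond policy, or an installed update is not yet active.
        up_to_date      = ($null -ne $ageDays -and $ageDays -le $MaxAgeDays -and -not $rebootPending)
    }
}

Get-UpdatePosture -MaxAgeDays 30 | ConvertTo-Json
```

A pending reboot is treated as "not up to date" on purpose: the update is on disk but the vulnerable code is still what is running.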

---

## 4. Heartbeat and EVTX alerts

On **heartbeat** (or on a scheduled check that aligns with heartbeats):

1. **Which EVTX**
   - Security: `C:\Windows\System32\winevt\Logs\Security.evtx`
   - Sysmon: `Microsoft-Windows-Sysmon%4Operational.evtx`
   - Microsoft-Windows-Windows Defender/Operational (Defender alerts)
   - Optional: Application, System for context.

2. **What to look for**
   - Security: logon failures (4625), special privileges assigned at logon (4672), process creation (4688, if command-line auditing is on), account lockout (4740), etc.
   - Sysmon: creation of executables in temp, suspicious parent/child, etc. (event IDs depend on config).
   - Defender: detection events (e.g. 1116, 1117), threats (1006, 1015).
   - Prefer time-bounded queries (e.g. last N minutes since previous heartbeat or last 24h) to avoid overload.

3. **Implementation options**
   - PowerShell: `Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$since }` (and similar for Sysmon/Defender).
   - Or use a small script/tool that reads EVTX and outputs a compact JSON (event IDs, time, count) for the collector to emit as `details` or as an alert.

4. **Emit**
   - Attach to heartbeat `details` (e.g. `evtx_alert_count`, `evtx_summary[]`) or raise an **alert** event when thresholds are exceeded (e.g. > N failures, or any Defender detection).
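Steps 1 to 4 of the heartbeat sweep as one added PowerShell example (not the skill's own code). The event-ID sets, the 15-minute window, the failed-logon threshold and the per-log cap are illustrative; the Sysmon IDs in particular depend on the deployed configuration.

```powershell
# Added example: time-bounded EVTX sweep on heartbeat, summarised per (log, event ID),
# with two alert rules: a burst of 4625s, or any Defender detection. Thresholds are examples.

function Get-HeartbeatEvtxSummary {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-15),   # i.e. since the previous heartbeat
        [int]$FailedLogonThreshold = 20,
        [int]$MaxEventsPerLog = 5000                     # hard cap so a noisy log cannot stall the heartbeat
    )
    $sources = @(
        @{ label = 'security'; log = 'Security';                                       ids = @(4625, 4672, 4688, 4740) },
        @{ label = 'sysmon';   log = 'Microsoft-Windows-Sysmon/Operational';           ids = @(1, 3, 11) },
        @{ label = 'defender'; log = 'Microsoft-Windows-Windows Defender/Operational'; ids = @(1006, 1015, 1116, 1117) }
    )

    $summary = @()
    foreach ($s in $sources) {
        $filter = @{ LogName = $s.log; Id = $s.ids; StartTime = $Since }
        # SilentlyContinue: a missing channel (no Sysmon) or an empty window is not an error here.
        $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEventsPerLog -ErrorAction SilentlyContinue)
        foreach ($g in ($events | Group-Object Id)) {
            $newest = $g.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            $summary += [pscustomobject]@{
                source    = $s.label
                event_id  = [int]$g.Name
                count     = $g.Count
                last_seen = $newest.TimeCreated
                sample    = ($newest.Message -split "`r?`n")[0]   # first line only, to keep the payload small
            }
        }
    }

    $failed   = ($summary | Where-Object { $_.source -eq 'security' -and $_.event_id -eq 4625 } | Measure-Object count -Sum).Sum
    $defender = ($summary | Where-Object { $_.source -eq 'defender' } | Measure-Object count -Sum).Sum
    $reasons  = @()
    if ($failed -gt $FailedLogonThreshold) { $reasons += "failed_logons=$failed" }
    if ($defender -gt 0)                   { $reasons += "defender_detections=$defender" }

    [pscustomobject]@{
        since            = $Since
        evtx_alert_count = ($summary | Measure-Object count -Sum).Sum
        evtx_summary     = $summary
        alert            = ($reasons.Count -gt 0)
        alert_reasons    = $reasons
    }
}

# Compact JSON for the collector to attach as heartbeat `details` or to emit as an alert event.
Get-HeartbeatEvtxSummary | ConvertTo-Json -Depth 4 -Compress
```

Persist the last `since` value between runs so consecutive heartbeats tile the timeline without gaps or double counting; the default window is only a fallback.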

---

## 5. Least privilege

Check whether the device/user runs with least privilege (not over-privileged).

- **Current user elevation**: `whoami /groups` shows group membership and the token's integrity label (`Mandatory Label\High Mandatory Level`, S-1-16-12288, means the process runs elevated; Medium, S-1-16-8192, is a standard or UAC-filtered token). Programmatically, `[Security.Principal.WindowsPrincipal]::new([Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)` is true only for an elevated admin token; a filtered admin token returns false.
- **Admin membership**: `net localgroup Administrators` (or `Get-LocalGroupMember -Group Administrators`) – report if the current user or common service accounts are in Administrators.
- **UAC**: Registry `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` = 1 (UAC on). Optional: ConsentPromptBehaviorAdmin, PromptOnSecureDesktop.
- **Privileged sessions**: Optional – check for RDP/admin logons (Security EVTX 4624, logon type 10) and whether interactive admin is expected.

**Output**

- `least_privilege: true|false`, `current_user_elevated: true|false`, `in_local_admins: true|false`, optional `uac_enabled: true|false`.
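The section 5 checks in one added PowerShell example (not the skill's own code). It defines `least_privilege` as: not elevated, not a member of local Administrators, UAC on, and admins not set to elevate silently; that composite is this example's choice, not a definition from the text.

```powershell
# Added example: least-privilege posture for the current user/process.

function Get-PrivilegePosture {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # True only when the process holds the elevated admin token; a UAC-filtered admin token gives $false.
    $elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Integrity label via whoami CSV output (columns: Group Name, Type, SID, Attributes).
    # S-1-16-8192 = Medium, S-1-16-12288 = High, S-1-16-16384 = System.
    $label = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    $integrity = $null
    if ($label) { $integrity = $label.SID }

    # Direct membership of local Administrators (nested domain groups are not expanded here).
    # Get-LocalGroupMember can fail on orphaned SIDs, hence the try/catch.
    $inLocalAdmins = $false
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        $inLocalAdmins = [bool]($members | Where-Object { $_.Name -eq $identity.Name -or $_.SID -eq $identity.User })
    } catch { }

    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacEnabled = ($pol.EnableLUA -eq 1)
    # ConsentPromptBehaviorAdmin 0 = elevate without prompting (UAC effectively off for admins).
    $silentElevation = ($pol.ConsentPromptBehaviorAdmin -eq 0)

    [pscustomobject]@{
        user                  = $identity.Name
        current_user_elevated = $elevated
        integrity_level_sid   = $integrity
        in_local_admins       = $inLocalAdmins
        uac_enabled           = $uacEnabled
        uac_silent_elevation  = $silentElevation
        least_privilege       = (-not $elevated -and -not $inLocalAdmins -and $uacEnabled -and -not $silentElevation)
    }
}

Get-PrivilegePosture | ConvertTo-Json
```

Run this as the collector's own identity, not from an elevated admin shell, or the result describes the shell rather than the endpoint's normal posture.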

---

## 6. Network visibility (what networks the device sees)

Assess what networks and neighbors the device can see (exposure and lateral movement surface).

- **Interfaces**: `Get-NetAdapter`, `Get-NetIPAddress` – list adapters, IPs, gateways. Optional: `Get-NetRoute`.
- **ARP table**: `Get-NetNeighbor` or `arp -a` – what other hosts the device has recently talked to (L2/L3 neighbors).
- **WiFi**: `netsh wlan show networks` (SSIDs currently in range) and `netsh wlan show profiles` (saved SSIDs); find WLAN adapters with `Get-NetAdapter | Where-Object PhysicalMediaType -eq 'Native 802.11'`.
- **Domain / trust**: `systeminfo`, `nltest /domain_trusts` (or Get-ADDomainTrust if RSAT) – domain membership and trust relationships.
- **Net view / session**: `net view` lists the browse list of the current domain/workgroup (what this host can see), `net view \\host` lists that host's shares, and `net session` lists inbound SMB sessions (who is using this box; requires admin). All optional.

**Output**

- `interfaces[]` (name, IP, gateway), `arp_count` or `neighbors_count`, optional `wifi_ssids[]`, `domain_member: true|false`, `domain_name`, `trusts[]`, optional `net_view_count` / `net_session_count`.
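A snapshot of the section 6 items as an added PowerShell example (not the skill's own code). It deliberately omits `net session`, which needs elevation, and treats `net view` / `nltest` output as best-effort text since both vary by environment.

```powershell
# Added example: network visibility snapshot (interfaces, neighbours, WiFi, domain/trusts, browse list).
# Runs unelevated; `net session` is intentionally left out for that reason.

function Get-NetworkVisibility {
    $interfaces = foreach ($cfg in (Get-NetIPConfiguration | Where-Object { $_.IPv4Address })) {
        $gw = $null
        if ($cfg.IPv4DefaultGateway) { $gw = @($cfg.IPv4DefaultGateway)[0].NextHop }
        [pscustomobject]@{
            name    = $cfg.InterfaceAlias
            ip      = ($cfg.IPv4Address.IPAddress -join ',')
            gateway = $gw
            dns     = ($cfg.DNSServer.ServerAddresses -join ',')
        }
    }

    # Real neighbours only: drop broadcast/multicast and entries without a resolved MAC.
    $neighbors = @(Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale, Permanent -ErrorAction SilentlyContinue |
        Where-Object {
            $_.LinkLayerAddress -and $_.LinkLayerAddress -ne 'FF-FF-FF-FF-FF-FF' -and
            $_.IPAddress -notmatch '^(2(2[4-9]|3[0-9])\.|255\.)'
        })

    # SSIDs in range; netsh writes an error when there is no WLAN interface, which is discarded.
    $ssids = @(netsh wlan show networks 2>$null | ForEach-Object {
        if ($_ -match '^\s*SSID\s+\d+\s*:\s*(.+?)\s*$') { $Matches[1] }
    })

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $trusts = @()
    if ($cs.PartOfDomain) {
        # nltest lines look like "  0: CONTOSO contoso.com (NT 5) (Forest Tree Root) (Primary Domain)".
        $trusts = @(nltest /domain_trusts 2>$null | ForEach-Object {
            if ($_ -match '^\s*\d+:\s+(\S+)\s+(\S+)') { [pscustomobject]@{ netbios = $Matches[1]; dns = $Matches[2] } }
        })
    }

    # Browse list of the current domain/workgroup; empty where the browser service is disabled.
    $netView = @(net view 2>$null | Where-Object { $_ -match '^\\\\' })

    [pscustomobject]@{
        interfaces      = @($interfaces)
        neighbors_count = $neighbors.Count
        wifi_ssids      = $ssids
        domain_member   = [bool]$cs.PartOfDomain
        domain_name     = $cs.Domain
        trusts          = $trusts
        net_view_count  = $netView.Count
    }
}

Get-NetworkVisibility | ConvertTo-Json -Depth 4
```

`neighbors_count` is a lateral-movement proxy: a workstation whose ARP cache holds dozens of peers sits on a flat segment, whatever the diagram says.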

---

## 7. Credential protection (network level – Kerberos, NTLM, pass-the-hash)

Check network-level credential hardening to resist Kerberos/NTLM abuse and pass-the-hash.

- **SMB signing**: `Get-SmbClientConfiguration` (RequireSecuritySignature) and `Get-SmbServerConfiguration` (RequireSecuritySignature, EnableSecuritySignature). Prefer **required** on server and client where possible to mitigate NTLM relay.
- **LDAP signing / channel binding**: Domain controllers – `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity` (2 = require signing) and `LdapEnforceChannelBinding` (1 = when supported, 2 = always). Client side – `HKLM\SYSTEM\CurrentControlSet\Services\LDAP\LDAPClientIntegrity` (1 = negotiate, 2 = require signing).
- **NTLM restrictions**: `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel` (5 = send NTLMv2 only and refuse LM/NTLMv1; unset defaults to 3 on current Windows). Network NTLM policies live under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`: `RestrictSendingNTLMTraffic` (0 allow, 1 audit all, 2 deny all), `RestrictReceivingNTLMTraffic` (0 allow, 1 deny domain accounts, 2 deny all) and, on DCs, `RestrictNTLMInDomain` (0 disabled; 1, 3, 5, 7 deny increasingly broad traffic). Audit before blocking.
- **Credential Guard / LSA protection**: `Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard` – `SecurityServicesRunning` containing 1 means Credential Guard is running (2 = HVCI). Policy: `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags` (1 = enabled with UEFI lock, 2 = enabled without lock). LSA as Protected Process Light: `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL` = 1. Together they keep hashes and tickets out of reach of LSASS memory scraping.
- **Pass-the-hash**: Mitigations above (Credential Guard, LSA protection, NTLM restrictions) reduce pass-the-hash; report “credential protection” as a summary (e.g. Credential G

... (truncated)
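The section 7 checks as one added PowerShell example (not the skill's own code). Registry paths and value meanings are as documented for Windows; the pass criteria (signing *required* rather than merely enabled, NTLMv2-only, outbound NTLM denied) and the two summary flags are this example's hardening targets, not definitions from the text. `Get-SmbServerConfiguration` needs elevation, so its value may be null when run as a standard user.

```powershell
# Added example: credential-protection checks (SMB/LDAP signing, NTLM policy, Credential Guard, LSA PPL).

function Get-CredentialProtection {
    $checks = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($Control, $Value, [bool]$Pass, $Note)
        $checks.Add([pscustomobject]@{ control = $Control; value = $Value; pass = $Pass; note = $Note })
    }
    $reg = { param($Path, $Name) (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name }
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # SMB signing on both sides; "required" is what actually defeats NTLM relay.
    $smbC = Get-SmbClientConfiguration -ErrorAction SilentlyContinue
    $smbS = Get-SmbServerConfiguration -ErrorAction SilentlyContinue   # null when not elevated
    & $add 'smb_client_signing_required' $smbC.RequireSecuritySignature ([bool]$smbC.RequireSecuritySignature) 'client side of NTLM relay'
    & $add 'smb_server_signing_required' $smbS.RequireSecuritySignature ([bool]$smbS.RequireSecuritySignature) 'null = not readable unelevated'

    # NTLM version floor: unset means 3 on current Windows; 5 refuses LM and NTLMv1 entirely.
    $lm = & $reg $lsa 'LmCompatibilityLevel'
    if ($null -eq $lm) { $lm = 3 }
    & $add 'lm_compatibility_level' $lm ($lm -ge 5) '5 = NTLMv2 only, refuse LM/NTLM'

    $msv  = "$lsa\MSV1_0"
    $send = & $reg $msv 'RestrictSendingNTLMTraffic'
    & $add 'restrict_sending_ntlm' $send ($send -eq 2) '0 allow, 1 audit, 2 deny all'
    $recv = & $reg $msv 'RestrictReceivingNTLMTraffic'
    & $add 'restrict_receiving_ntlm' $recv ($recv -ge 1) '0 allow, 1 deny domain accounts, 2 deny all'

    # LDAP client signing: 1 = negotiate, 2 = require.
    $ldap = & $reg 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' 'LDAPClientIntegrity'
    & $add 'ldap_client_signing' $ldap ($ldap -eq 2) '2 = require signing'

    # LSASS hardening: Credential Guard running (Device Guard WMI) or configured (LsaCfgFlags), and LSA as PPL.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    $cgFlags   = & $reg $lsa 'LsaCfgFlags'
    & $add 'credential_guard' $cgFlags ($cgRunning -or ($cgFlags -in @(1, 2))) 'running=1 in SecurityServicesRunning; LsaCfgFlags 1 UEFI lock, 2 no lock'
    $ppl = & $reg $lsa 'RunAsPPL'
    & $add 'lsa_run_as_ppl' $ppl ($ppl -ge 1) 'LSASS as Protected Process Light'

    [pscustomobject]@{
        checks                  = $checks
        passed                  = @($checks | Where-Object { $_.pass }).Count
        total                   = $checks.Count
        # Summary flags (this example's definitions): memory-side vs wire-side protection.
        pass_the_hash_resistant = [bool]($cgRunning -or ($ppl -ge 1))
        relay_resistant         = [bool]($smbC.RequireSecuritySignature -and ($ldap -eq 2))
    }
}

Get-CredentialProtection | ConvertTo-Json -Depth 3
```

The two summary flags separate the threats: Credential Guard and LSA PPL protect secrets already on the box (pass-the-hash), while SMB and LDAP signing protect them in transit (relay). A host can pass one and fail the other.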
