Hello, welcome to the Wednesday, September 18th, 2019 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Stockholm, Germany.

One way an attacker is able to hide their activity is by either stopping or manipulating system logs. This of course is also possible on

Windows and Rob looked in today's diary into how to figure out if your Windows event logs have

been manipulated. One way to do this is to look for gaps in the log ID sequence, which should be sequential,

but if someone removed log entries, then of course you will find gaps.

Now, you can do this via the GUI tools that sort of come with Windows, but that's a very labor-intensive

process, in particular, since it takes two or three mouse clicks for

each individual log invent to actually get to the ID that you need to compare.

So he wrote a PowerShell script to accomplish this, and you can use this to verify your logs.

If you're interested, you can download the script from Rob's GitHub repository.

Now, he warns that the script isn't very fast.

It took him about three minutes to load the logs into a variable in the script.

So may take a little bit longer on a busy server.

But yeah, let him know how it works and if you find any interesting gaps in your logs.

And back in 2013, independent security evaluators, Baltimore Security Consulting Company, took a look at various small office, home office, so Soho

routers and NASDA devices. And well, back in 2013, they found 52 vulnerabilities in them.

So no real big surprise to anybody listening to this podcast. But recently they actually redid the study.

They took, again, 13 different routers and NAS devices.

They're typically used sort of in these smaller networks.

And, well, no, it didn't get better.

And that's in line with other studies that I've talked about

...