sysmon-modular VS HardeningKitty

I was specifically using the https://github.com/olafhartong/sysmon-modular config, but once we started seeing systems crash I tried building extremely minimal configs and still found them causing hangs.

I use this one: https://github.com/olafhartong/sysmon-modular

2) There are many opensource solutions, and you hit on all the important ones. Think creativitly, and test all your controls. hit your boxes with Metaspoilt and atomic redteam. These tools will help you verify that you have the proper controls in place, and that you are able to detect attacks (successful, and failed). Run auditd with Florian Roth's rule set on your linux boxes (https://github.com/Neo23x0/auditd/blob/master/audit.rules ), and sysmon (https://github.com/olafhartong/sysmon-modular) on windows.

Agree. Harden your endpoints (if unsure where to start consider hardening kitty, https://github.com/scipag/HardeningKitty) and harden Defender (https://0ut3r.space/2022/03/06/windows-defender/). Add Sysmon with a good config (https://github.com/olafhartong/sysmon-modular) and you've reached a good starting point.

Another really excellent resource (also called out by Swift) is Olaf Hartong’s Sysmon-Modular project: https://github.com/olafhartong/sysmon-modular As well as having a few full configs, Olaf’s project has modular XML configurations for each supported Sysmon Event ID. This can be incredibly helpful for fine tuning your configs.

Yes absolutely. This is a very common workflow for both. One note is that you need to also find a sysmon config to use as well, and there's no easy way to manage either sysmon or its config through Splunk. Recommendations for a config are either SwiftOnSecurity's or Olaf's SysmonModular. They significantly overlap and work with each other on patches. SwiftOnSecurity's is a better pure drop-in, and Olaf's is better if you want to do customization.

For some of the items you mentioned having a good sysmon config would help too. https://github.com/SwiftOnSecurity/sysmon-config or https://github.com/olafhartong/sysmon-modular are good starting points

Also Hardening-Kitty. https://github.com/scipag/HardeningKitty

Critically, harden the OS. Like, more than you think you need to. Way more. Consider the jump host capability as a core component of each system/environment/platform/application it's used to access/manage and assess value and risk with all those business processes/functions in mind even though you're using one jump host for each of those use cases because, inevitably, the same template/container/configuration/script will be reused so any misconfigurations will replicate. If you need a Windows OS, consider hardening kitty as it offers a locally executable option for both hardening and auditing. If you need to met regulatory requirements (HIPAA, CMMC, FISMA, PCI, etc.), consider OpenSCAP or whatever paid solution you use for agent-based vuln scans (avoid less intensive solutions that only run unauthenticated scans or network-based audits, they tend to avoid non-CVE vulns that exist in the configuration). If you need to rely on open source endpoint security solutions like Wazuh make sure they integrate nicely with SIEM, SOAR, and remote management. Wherever possible, use DevOps-friendly solutions for configuration management (think Ansible and Terraform vice Github Actions :) ) and remember that, if you're responding to an incident, you're going to want to suspend all of your jump boxes, retain any storage and their full memory state, and spin up verifiably clean jump boxes so you have confidence in your connections into the environment. This is the most commonly overlooked need (most orgs seem to be aware of their privilege sprawl issue) and it has a MASSIVE impact on your ability to quickly begin effective investigation and response efforts in the event of an incident (most orgs do NOT seem to be aware of this and it costs them time and meaningful information during incidents).

Agree. Harden your endpoints (if unsure where to start consider hardening kitty, https://github.com/scipag/HardeningKitty) and harden Defender (https://0ut3r.space/2022/03/06/windows-defender/). Add Sysmon with a good config (https://github.com/olafhartong/sysmon-modular) and you've reached a good starting point.

I use a tool called Hardening-Kitty https://github.com/scipag/HardeningKitty , which has recommended policy lists from a variety of organizations. I check my computer with all of them. They don't all agree, of course, so I kind of pick and choose a little. But the lists have helped me find things I had no idea where they were.

A related tool that I found somewhere on reddit recently: HardeningKitty