Skip to content
/ Watchtower-Agent Public

Windows Agent written in .NET for detecting and pushing new security events to a remote server.

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Tier1Security/Watchtower-Agent

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits
agent
agent
 
 
README.md
README.md
 
 
logo.png
logo.png
 
 

Repository files navigation

watchtower-horizontal

This is the agent that handles all security related events as well as blocking of IP's that try to brute force into Windows machines. This is part of an Watchtower SIEM/IPS solution made by Tier 1 Security. It uses less than 25MB of ram and less than 1% of CPU during runtime.

Features

  1. Pushes security events to the cloud (will add the demo server for this soon)
  2. Blocks IP addresses by adding them to the windows firewall. This feature is working and has been tested on both Windows 10 and Windows 11 machines.

Installation - Local

  1. You don't need a key for the program to work locally, only if you want to use the cloud based dashboard.

  2. The local server is in development.

  3. You can also use whatever log ingestion platform you would like.

How it Works - Security Event Ingestion

  1. The program needs to run as admin as it needs elevated privileges to listen for security events.
  2. There is a .NET library called "Systems.Collections" that allows you to programmatically listen for new security events.
  3. This is different from querying historical logs every x unit of time as the event's can be subscribed to in real time.
  4. When a security event happens on the machine, the script will send out a POST request to a server and the server will send back if the request is successful or not.

How it Works - Brute Force Prevention

  1. The program watches for repeated password attempts, specifically Windows Event 4625 (Failed Authentication)
  2. If an IP address tries too many times (passes the threshold) then the program will add that IP address to Windows Firewall as a blocked IP.
  3. The program can also send this information to the Tier 1 Dashboard.

Usage

Important: must be run with Administrator privileges as reading Security Event Logs from Windows needs elevated privileges.

If you don't specify where to send the data, the script will still run. It just won't send any security related data anywhere. It will still block IP addresses that try to brute force into machines.

Future

We are in the process of converting this script into a daemon so that it can in the background as a Windows service. The implementation will resemble CLI applications where the user can start/stop/ query the status of the program all through CMD or Powershell like the popular DNS sinkhole PiHole: https://pi-hole.net/

About

Windows Agent written in .NET for detecting and pushing new security events to a remote server.

Topics

open-source cybersecurity siem security-analyst

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Languages