SlideShare uma empresa Scribd logo

Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology

Michael Gough
Michael Gough

MalwareArchaeology - What you need to know to Enable, Configure, Gather and Harvest for Windows logs.

Tecnologia
1 de 6
Baixar para ler offline
Jan 2016 ver 2.0 MalwareArchaeology.com Page 1 of 6 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012 ENABLE:: 1. LOCAL LOG SIZE: Increase the size of your local logs. Don’t worry you have plenty of disk space, CPU is not an issue a. Application, System to 250k or larger b. PowerShell logs to 250k or larger c. Security Logs to 999,936k (yes this big) 2. LOCAL SECURITY POLICY: Change Security Options – “Audit: Force audit policy subcategory settings” to ENABLE. This sets the system to force use of the “Advanced Audit Policies” 3. GROUP POLICY: All settings mentioned should be set with Active Directory Group Policy in order to enforce these settings enterprise wide. There are cases where the Local Security Policy would be used. ENABLE:: 1. DNS LOGS: Enable DNS Logging. Capture what DNS queries are happening. “systemrootSystem32DnsDns.log” a. Log Packets for debugging b. Outgoing and incoming c. UDP and TCP d. Packet type Request and Response e. Queries/Transfers and updates 2. DHCP LOGS: Add your DHCP Logs – “%windir%System32Dhcp.” This will allow you to detect rogue systems on your network that fall outside your naming convention. a. EventID = 10 – New IP address was leased DEFINITIONS:: ENABLE: Things you must do to enable logging to start collecting and keeping events. CONFIGURE: Configuration that is needed to refine what events you will collect. GATHER: Tools/Utilities that you can use locally on the system to set or gather log related information – AuditPol, WEvtUtil, Find, etc. HARVEST: Events that you would want to harvest into some centralized Event log management solution like syslog, SIEM, Splunk, etc. RESOURCES: Places to get more information  MalwareArchaeology.com/cheat-sheets for more Windows cheat sheets  Log-MD.com – The Log Malicious Discovery tool reads security related log events and settings. Use Log-MD to audit your log settings compared to the “Windows Logging Cheat Sheet” and Center for Internet Security (CIS) Benchmarks. It is a standalone tool to help those with and without a log management solution find malicious activity.  www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx - Better descriptions of Event OD’s  www.EventID.Net – Most of the Event ID’s  IIS Error Codes - http://support.microsoft.com/kb/318380 - IIS Error Codes  http://cryptome.org/2014/01/nsa-windows-event.pdf - Good Article  http://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx – MS Adv Security Audit Policy Descriptions  Google! – But of course This “Windows Logging Cheat Sheet” is intended to help you get started setting up basic and necessary Windows Audit Policy and Logging. By no means is this list extensive; but it does include some very common items that should be enabled, configured, gathered and harvested for any Log Management Program. Start with these settings and add to it as you understand better what is in your logs and what you need.
Jan 2016 ver 2.0 MalwareArchaeology.com Page 2 of 6 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012 Windows Audit Policy settings may be set by the Local Security Policy, Group Policy (preferred) or by command line using ‘AuditPol.exe’. Be sure to select “Configure the following audit events” box on items that say “No Audit” or the policy will not apply. Any that are left blank will break the GPO and auditing will not be applied. CONFIGURE:: 1. SYSTEM AUDIT POLICIES: In order to capture what you want and need the following Advanced Audit Policies must be set. You may expand these to your specific needs, but here is a place to start. List out the System audit policy  Command: AuditPol /get /category:* Category/Subcategory Setting ------------------------------- ------------------------ Account Logon  Credential Validation Success and Failure  Kerberos Authentication Service No Auditing  Kerberos Service Ticket Oper No Auditing  Other Account Logon Events Success and Failure Account Management  Application Group Management Success and Failure  Computer Account Management Success and Failure  Distribution Group Management Success and Failure  Other Acct Management Events Success and Failure  Security Group Management Success and Failure  User Account Management Success and Failure Detailed Tracking  DPAPI Activity No Auditing  Process Creation Success and Failure  Process Termination Success and Failure  RPC Events Success and Failure DS Access  Detailed Directory Service Repl No Auditing  Directory Service Access No Auditing  Directory Service Changes Success and Failure  Directory Service Replication No Auditing Logon/Logoff  Account Lockout Success  IPsec Extended Mode No Auditing  IPsec Main Mode No Auditing  IPsec Quick Mode No Auditing  Logoff Success  Logon Success and Failure  Network Policy Server Success and Failure  Other Logon/Logoff Events Success and Failure  Special Logon Success and Failure  User / Device Claims (8/2012) No Auditing CONFIGURE:: SYSTEM AUDIT POLICIES: Continued To set an item:  Auditpol /set /category:"Account Management" /success:enable /failure:enable Category/Subcategory Setting ------------------------------- ------------------------ Object Access  Application Generated Success and Failure  Certification Services Success and Failure  Central Policy Staging (8/2012) No Auditing  Detailed File Share Success  File Share Success and Failure  File System Success  Filtering Platform Connection Success (Win FW)  Filtering Platform Packet Drop No Auditing  Handle Manipulation No Auditing  Kernel Object Success and Failure  Other Object Access Events No Auditing  Removable Storage (8/2012) Success and Failure  Registry Success  SAM No Auditing Policy Change  Audit Policy Change Success and Failure  Authentication Policy Change Success and Failure  Authorization Policy Change Success and Failure  Filtering Platform Policy Change Success (Win FW)  MPSSVC Rule-Level Policy Change No Auditing  Other Policy Change Events No Auditing Privilege Use  Non Sensitive Privilege Use No Auditing  Other Privilege Use Events No Auditing  Sensitive Privilege Use Success and Failure System  IPsec Driver Success  Other System Events Failure  Security State Change Success and Failure  Security System Extension Success and Failure  System Integrity Success and Failure Global Object Access Auditing – ignore for now
Jan 2016 ver 2.0 MalwareArchaeology.com Page 3 of 6 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012 CONFIGURE:: 1. WEvtUtil: Use this utility to configure your log settings a. WevtUtil gl Security – List settings of the Security Log b. WevtUtil sl Security /ms:512000000 or /ms: 1024000000 if File & Registry auditing, Windows Firewall and Process Create are all enabled – Set the Security log size to the number of bytes c. WevtUtil sl Security /rt:false – Overwrite as needed 2. FILE AUDITING: Configuring auditing of folders and specific files will allow you to catch new file drops in key locations where commodity and advanced malware often use. To understand what, where and why to audit files and folders, refer to the “Windows File Auditing Cheat Sheet” for more detailed information. 3. REGISTRY AUDITING: Configuring auditing of registry keys will allow you to catch new keys, values and data in autorun and other locations where commodity and advanced malware often use. To understand what, where and why to audit registry keys, refer to the “Windows Registry Auditing Cheat Sheet” for more detailed information. 4. REG.EXE: Use this utility to query what is in a Key or the data within a key or value a. Query a Key and all values - Reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRun" b. Query a Key and all values - Reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce" c. Query a Key and all values - Reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRun" d. Query a Key and all values - Reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce" e. Query a known value of a Key: Reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRun" /v malware CONFIGURE: 5. Command Line Logging: One of the most important logging items that you can collect is what was executed on the command line when something executes. Microsoft added this capability into the release of Windows 8.1 and Windows Server 2012 R2. In Feb 2015 a patch was made available to add this feature to all Windows 7 and Windows 2008 Server with the following patch:  https://support.microsoft.com/en-us/kb/3004375 - KB3004375 Patch to add Command Line Logging A registry key is required to add the “Process Command Line” entry to every event ID 4688 event. The following is the key, value and data that must be set to collect this crucial information:  "hklmsoftwaremicrosoftwindowscurrentversionpoliciessystemaudit" – Value = ProcessCreationIncludeCmdLine_Enabled - REG_DWORD = 1 You can configure it to start collecting with the following command:  reg add "hklmsoftwaremicrosoftwindowscurrentversionpoliciessystemaudit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1
Jan 2016 ver 2.0 MalwareArchaeology.com Page 4 of 6 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012 GATHER:: 1. AUDITPOL: Use this utility to view your current log settings a. List all Policies categories: AuditPol /List /Subcategory:* b. List what is SET: AuditPol /get /category:* c. List what is SET for a subcategory:  AuditPol /get /category:"Object Access” 2. Reg.exe: Use this utility to query the registry a. Changes to AppInit_Dlls - reg query "HKLMSoftwareMicrosoftWindows NTCurrentVersionWindows" /v AppInit_Dlls b. Changes to Services Keys - reg query "HKLMSystemCurrentControlSetServices" c. Changes to Machine Run Key - reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRun” d. Changes to Machine RunOnce Key - reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce” e. Changes to User Run Key - reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRun” f. Changes to User RunOnce Key - reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce” g. 3. SC.exe: Use this utility to query the services (sc /? For help) a. List all services in any state – sc.exe query state= all (Note: ‘space’ after the = sign) b. Look for a specific service – sc.exe query state= all | find /I “telnet” c. After finding the ‘Display_Name’ then look for the ‘Service_Name’ to get the short name GATHER:: 1. WEvtUtil: Use this utility to query your logs a. WevtUtil qe Security – query the Security Log for events i. Lots of flags here so read help “WevtUtil -?” ii. /c:5 = Read 5 events iii. /rd:true = newest events first iv. /f:text = format text, also can do XML b. Success & Failed Logons - WevtUtil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /c:5 /rd:true /f:text >Parsed%computername%_Logon_Events_Win7.log c. User Account Change - WevtUtil qe Security /q:"*[System[(EventID=4738)]]" /c:5 /rd:true /f:text >ParsedR_%computername%_User_Account_Change_Win7.log d. New Service Installed - WevtUtil qe Security /q:"*[System[(EventID=7045)]]" /c:5 /rd:true /f:text >ParsedR_%computername%_New_Service_Installed_Win7.log e. User Account Changes - wevtutil qe Security /q:"*[System[(EventID=4725 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4726 or EventID=4767)]]" /c:10 /f:text 2. Filtering Log Results: Use this method to filter lines within the logs a. Registry Changed – Find entries with ‘Object Name’ - WevtUtil qe Security /q:"*[System[(EventID=4657)]]" /c:5 /rd:true /f:text |find /i"Object Name" b. File or Registry Changed – Find entries with ‘Object Name’ - WevtUtil qe Security /q:"*[System[(EventID=4663)]]" /c:50 /rd:true /f:text |find /i "Object Name" c. Files – Find new files with ‘Wbem’ - WevtUtil qe Security /q:"*[System[(EventID=4663)]]" /c:50 /rd:true /f:text |find /i "wbem"
Jan 2016 ver 2.0 MalwareArchaeology.com Page 5 of 6 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012 HARVEST:: 1. SERVICES: Found in the SYSTEM log d. 7045 - Message=A service was installed in the system. e. 7040 - Message=The start type of the XYZ service was changed from auto start to disabled. f. 7000 - Message=The XYX service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. g. 7022 - Message=The XYZ service hung on starting. h. 7024 - Message=The XYZ service terminated with service-specific error %%2414. i. 7031 - Message=The XYZ service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. j. 7034 - Message=The XYZ service terminated unexpectedly. It has done this 1 time(s). k. 7035 – Service sent a request to Stop or Start l. 7036 – Service was Started or Stopped HARVEST:: 1. LOG CLEAR: Watch for log clear messages a. 104 – SYSTEM Log – The Application or System log was cleared b. 1102 – SECURITY Log – The audit log was cleared 2. TASKS: Watch for a Process to start and call other processes a. 4698 – SECURITY Log – New Task Created 3. DRIVER: Watch for an issue with a driver a. 40 – Issue with Driver 4. OS VERSION: What OS do machines have a. 6009 – Lists OS version, Service Pack and processor type HARVEST:: 1. PROCESSES: Watch for a Process to start and call other processes a. 4688 – SECURITY Log – New Process Name, look for Creator Process ID to link what process launched what 2. INSTALLER: Watch for the Windows Installer activity a. 1022 – Windows Installer updated the product b. 1033 – Windows Installer installed the product c. 1034 – Windows Installer removed the product 3. WINDOWS UPDATE: Watch for the Windows Update Agent activity. a. 18 = Ready, 19 = Installed, 20= Failure 4. WINDOWS TIME: Watch for the Windows Service synchronization. Make sure your sources are what they are supposed to be. a. 35 – Time Service sync status and source 5. APPLICATION ERROR: Watch for application crashes. a. 1000 – (Application Log) Application Fault HARVEST:: 1. ACCOUNTS: Monitor for attempts to change an account password a. 4720 – A user account was created b. 4724 – An attempt was made to reset an accounts PW c. 4735 – Local Group changed d. 4738 – User account password changed HARVEST:: 1. APPLOCKER: Watch for triggers to AppLocker events (8000- 8027) a. 8004 – Filename not allowed to run 2. SRP: Watch for triggers to Software Restriction Policies b. 866 – Access to <filename> has been restricted HARVEST:: 1. AUDIT POLICY: Watch for changes to the Audit Policy that are NOT “SYSTEM” a. 4719 – System audit policy was changed
Jan 2016 ver 2.0 MalwareArchaeology.com Page 6 of 6 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012 HARVEST:: 1. NEW FILE ADDED: Watch for the creation of new files. Requires File auditing of the directory(s) that you want to monitor b. 4663 – Accesses: WriteData (or AddFile) c. GREAT for CryptoWare & Malware drops HARVEST:: 1. REGISTRY: Watch for the creation or modification of new registry keys and values a. 4657 – Accesses: WriteData (or AddFile) i. HKLM, HKCU & HKU – SoftwareMicrosoftWindowsCurrentVersion 1. Run, RunOnce ii. HKLMSoftwareMicrosoftWindows NTCurrentVersionWindows 1. Watch AppInit_Dlls iii. HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionEMDMgmt 1. Watch Connection time of USB Devices iv. HKLMSystemCurrentControlSetServices 1. Watch for NEW Services v. HKLMSYSTEMCurrentControlSetEnumUSBSTOR 1. Watch for NEW USB devices HARVEST:: 2. FIREWALL: Windows Filtering Platform - Watch for Inbound and Outbound connections – Requires Windows Firewall to be enabled a. This is the noisiest of all Events. Generating easily 9,000 - 10,000 events per hour per system b. Storage is required to utilize this event c. 5156 – Message=The Windows Filtering Platform has permitted a connection. Look for: i. Direction:, Source Address:, Source Port:, Destination Address: & Destination Port: HARVEST:: 1. REGISTRY: Monitor certain Keys for Add, Changes and Deletes. Setting auditing on the Specific keys is required. a. 4657 – A Registry value was modified HARVEST:: 1. EMAIL / VPN: Monitor for failed and successful logins to your VPN and Webmail application. Consider emailing user if login is from a new IP not in your exclude list a. sc_status=401 – Failed OWA login b. "reason = Invalid password" – Failed VPN login - Cisco HARVEST:: 1. LOGON TYPE: Monitor for what type of logons occur a. 4624 - Message=An account was successfully logged on. i. Type 2 – Interactive – GUI ii. Type 3 – Network – Net Use iii. Type 4 – Batch iv. Type 5 – Service v. Type 7 – Unlock vi. Type 8 – Network Clear Text vii. Type 9 – New Credentials (RDP Tools) viii. Type 10 – Remote Interactive (RDP) ix. Type 11 – Cached Interactive (laptops) b. 4625 - Message = An account failed to log on. HARVEST:: 1. SYSTEM INTEGRITY: Watch for files with page images with bad hashes a. 6281 – Failed – “page hashes of an image file are not valid”

Recomendados

Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserSecurity Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserAnton Chuvakin
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 

Recomendados

Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserSecurity Incident Log Review Checklist by Dr Anton Chuvakin and Lenny Zeltser
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserAnton Chuvakin
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationMahendra Pratap Singh
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onJustin Henderson
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetRahmat Nurfauzi
 
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comMichael Gough
 
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyWindows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyMichael Gough
 

Mais conteúdo relacionado

Mais procurados

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationMahendra Pratap Singh
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onJustin Henderson
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetRahmat Nurfauzi
 

Mais procurados (20)

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for Investigation
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is on
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Offensive PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetOffensive PowerShell Cheat Sheet
Offensive PowerShell Cheat Sheet
 

Semelhante a Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology

Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comMichael Gough
 
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyWindows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyMichael Gough
 
Merged document
Merged documentMerged document
Merged documentsreeja_16
 
Ws08 R2 Itpro Session 1 Technical Overview Part1
Ws08 R2 Itpro Session 1 Technical Overview Part1Ws08 R2 Itpro Session 1 Technical Overview Part1
Ws08 R2 Itpro Session 1 Technical Overview Part1chenley
 
Automating Desktop Management with Windows Powershell V2.0 and Group Policy M...
Automating Desktop Management with Windows Powershell V2.0 and Group Policy M...Automating Desktop Management with Windows Powershell V2.0 and Group Policy M...
Automating Desktop Management with Windows Powershell V2.0 and Group Policy M...Microsoft TechNet
 
Managing security settings in windows server with group policy
Managing security settings in windows server with group policyManaging security settings in windows server with group policy
Managing security settings in windows server with group policyMiguel de la Cruz
 
2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep Dive2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep DiveShawn Wells
 
Agentless System Crawler - InterConnect 2016
Agentless System Crawler - InterConnect 2016Agentless System Crawler - InterConnect 2016
Agentless System Crawler - InterConnect 2016Canturk Isci
 
Under New Management
Under New ManagementUnder New Management
Under New Managementukdpe
 
Microsoft Windows Server 2008 R2 - AD RMS Bulk Protection Tool and File Class...
Microsoft Windows Server 2008 R2 - AD RMS Bulk Protection Tool and File Class...Microsoft Windows Server 2008 R2 - AD RMS Bulk Protection Tool and File Class...
Microsoft Windows Server 2008 R2 - AD RMS Bulk Protection Tool and File Class...Microsoft Private Cloud
 
PCD - Process control daemon - Presentation
PCD - Process control daemon - PresentationPCD - Process control daemon - Presentation
PCD - Process control daemon - Presentationhaish
 
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made EasyShawn Wells
 
Mdop session from Microsoft partner boot camp
Mdop session from Microsoft partner boot campMdop session from Microsoft partner boot camp
Mdop session from Microsoft partner boot campOlav Tvedt
 
Stay clear of the bugs: Troubleshooting Applications in Microsoft Azure
Stay clear of the bugs: Troubleshooting Applications in Microsoft AzureStay clear of the bugs: Troubleshooting Applications in Microsoft Azure
Stay clear of the bugs: Troubleshooting Applications in Microsoft AzureHARMAN Services
 
Windows File Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows File Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyWindows File Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows File Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyMichael Gough
 
Event log analyzer by me
Event log analyzer by me Event log analyzer by me
Event log analyzer by me ER Swapnil Raut
 

Semelhante a Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology (20)

Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
 
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyWindows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
 
Merged document
Merged documentMerged document
Merged document
 
Identity finder presentation
Identity finder presentationIdentity finder presentation
Identity finder presentation
 
Ws08 R2 Itpro Session 1 Technical Overview Part1
Ws08 R2 Itpro Session 1 Technical Overview Part1Ws08 R2 Itpro Session 1 Technical Overview Part1
Ws08 R2 Itpro Session 1 Technical Overview Part1
 
Automating Desktop Management with Windows Powershell V2.0 and Group Policy M...
Automating Desktop Management with Windows Powershell V2.0 and Group Policy M...Automating Desktop Management with Windows Powershell V2.0 and Group Policy M...
Automating Desktop Management with Windows Powershell V2.0 and Group Policy M...
 
Managing security settings in windows server with group policy
Managing security settings in windows server with group policyManaging security settings in windows server with group policy
Managing security settings in windows server with group policy
 
2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep Dive2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep Dive
 
Agentless System Crawler - InterConnect 2016
Agentless System Crawler - InterConnect 2016Agentless System Crawler - InterConnect 2016
Agentless System Crawler - InterConnect 2016
 
Aruba cppm 6_1_user_guide
Aruba cppm 6_1_user_guideAruba cppm 6_1_user_guide
Aruba cppm 6_1_user_guide
 
Under New Management
Under New ManagementUnder New Management
Under New Management
 
Microsoft Windows Server 2008 R2 - AD RMS Bulk Protection Tool and File Class...
Microsoft Windows Server 2008 R2 - AD RMS Bulk Protection Tool and File Class...Microsoft Windows Server 2008 R2 - AD RMS Bulk Protection Tool and File Class...
Microsoft Windows Server 2008 R2 - AD RMS Bulk Protection Tool and File Class...
 
PCD - Process control daemon - Presentation
PCD - Process control daemon - PresentationPCD - Process control daemon - Presentation
PCD - Process control daemon - Presentation
 
Auditing Data Access in SQL Server
Auditing Data Access in SQL ServerAuditing Data Access in SQL Server
Auditing Data Access in SQL Server
 
Vistapresentation2
Vistapresentation2Vistapresentation2
Vistapresentation2
 
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
 
Mdop session from Microsoft partner boot camp
Mdop session from Microsoft partner boot campMdop session from Microsoft partner boot camp
Mdop session from Microsoft partner boot camp
 
Stay clear of the bugs: Troubleshooting Applications in Microsoft Azure
Stay clear of the bugs: Troubleshooting Applications in Microsoft AzureStay clear of the bugs: Troubleshooting Applications in Microsoft Azure
Stay clear of the bugs: Troubleshooting Applications in Microsoft Azure
 
Windows File Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows File Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyWindows File Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows File Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
 
Event log analyzer by me
Event log analyzer by me Event log analyzer by me
Event log analyzer by me
 

Mais de Michael Gough

All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response FailsMichael Gough
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beMichael Gough
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolMichael Gough
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0Michael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareMichael Gough
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Michael Gough
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Michael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Michael Gough
 

Mais de Michael Gough (20)

All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response Fails
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
 

Último

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Último (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology

  • 1. Jan 2016 ver 2.0 MalwareArchaeology.com Page 1 of 6 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012 ENABLE:: 1. LOCAL LOG SIZE: Increase the size of your local logs. Don’t worry you have plenty of disk space, CPU is not an issue a. Application, System to 250k or larger b. PowerShell logs to 250k or larger c. Security Logs to 999,936k (yes this big) 2. LOCAL SECURITY POLICY: Change Security Options – “Audit: Force audit policy subcategory settings” to ENABLE. This sets the system to force use of the “Advanced Audit Policies” 3. GROUP POLICY: All settings mentioned should be set with Active Directory Group Policy in order to enforce these settings enterprise wide. There are cases where the Local Security Policy would be used. ENABLE:: 1. DNS LOGS: Enable DNS Logging. Capture what DNS queries are happening. “systemrootSystem32DnsDns.log” a. Log Packets for debugging b. Outgoing and incoming c. UDP and TCP d. Packet type Request and Response e. Queries/Transfers and updates 2. DHCP LOGS: Add your DHCP Logs – “%windir%System32Dhcp.” This will allow you to detect rogue systems on your network that fall outside your naming convention. a. EventID = 10 – New IP address was leased DEFINITIONS:: ENABLE: Things you must do to enable logging to start collecting and keeping events. CONFIGURE: Configuration that is needed to refine what events you will collect. GATHER: Tools/Utilities that you can use locally on the system to set or gather log related information – AuditPol, WEvtUtil, Find, etc. HARVEST: Events that you would want to harvest into some centralized Event log management solution like syslog, SIEM, Splunk, etc. RESOURCES: Places to get more information  MalwareArchaeology.com/cheat-sheets for more Windows cheat sheets  Log-MD.com – The Log Malicious Discovery tool reads security related log events and settings. Use Log-MD to audit your log settings compared to the “Windows Logging Cheat Sheet” and Center for Internet Security (CIS) Benchmarks. It is a standalone tool to help those with and without a log management solution find malicious activity.  www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx - Better descriptions of Event OD’s  www.EventID.Net – Most of the Event ID’s  IIS Error Codes - http://support.microsoft.com/kb/318380 - IIS Error Codes  http://cryptome.org/2014/01/nsa-windows-event.pdf - Good Article  http://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx – MS Adv Security Audit Policy Descriptions  Google! – But of course This “Windows Logging Cheat Sheet” is intended to help you get started setting up basic and necessary Windows Audit Policy and Logging. By no means is this list extensive; but it does include some very common items that should be enabled, configured, gathered and harvested for any Log Management Program. Start with these settings and add to it as you understand better what is in your logs and what you need.
  • 2. Jan 2016 ver 2.0 MalwareArchaeology.com Page 2 of 6 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012 Windows Audit Policy settings may be set by the Local Security Policy, Group Policy (preferred) or by command line using ‘AuditPol.exe’. Be sure to select “Configure the following audit events” box on items that say “No Audit” or the policy will not apply. Any that are left blank will break the GPO and auditing will not be applied. CONFIGURE:: 1. SYSTEM AUDIT POLICIES: In order to capture what you want and need the following Advanced Audit Policies must be set. You may expand these to your specific needs, but here is a place to start. List out the System audit policy  Command: AuditPol /get /category:* Category/Subcategory Setting ------------------------------- ------------------------ Account Logon  Credential Validation Success and Failure  Kerberos Authentication Service No Auditing  Kerberos Service Ticket Oper No Auditing  Other Account Logon Events Success and Failure Account Management  Application Group Management Success and Failure  Computer Account Management Success and Failure  Distribution Group Management Success and Failure  Other Acct Management Events Success and Failure  Security Group Management Success and Failure  User Account Management Success and Failure Detailed Tracking  DPAPI Activity No Auditing  Process Creation Success and Failure  Process Termination Success and Failure  RPC Events Success and Failure DS Access  Detailed Directory Service Repl No Auditing  Directory Service Access No Auditing  Directory Service Changes Success and Failure  Directory Service Replication No Auditing Logon/Logoff  Account Lockout Success  IPsec Extended Mode No Auditing  IPsec Main Mode No Auditing  IPsec Quick Mode No Auditing  Logoff Success  Logon Success and Failure  Network Policy Server Success and Failure  Other Logon/Logoff Events Success and Failure  Special Logon Success and Failure  User / Device Claims (8/2012) No Auditing CONFIGURE:: SYSTEM AUDIT POLICIES: Continued To set an item:  Auditpol /set /category:"Account Management" /success:enable /failure:enable Category/Subcategory Setting ------------------------------- ------------------------ Object Access  Application Generated Success and Failure  Certification Services Success and Failure  Central Policy Staging (8/2012) No Auditing  Detailed File Share Success  File Share Success and Failure  File System Success  Filtering Platform Connection Success (Win FW)  Filtering Platform Packet Drop No Auditing  Handle Manipulation No Auditing  Kernel Object Success and Failure  Other Object Access Events No Auditing  Removable Storage (8/2012) Success and Failure  Registry Success  SAM No Auditing Policy Change  Audit Policy Change Success and Failure  Authentication Policy Change Success and Failure  Authorization Policy Change Success and Failure  Filtering Platform Policy Change Success (Win FW)  MPSSVC Rule-Level Policy Change No Auditing  Other Policy Change Events No Auditing Privilege Use  Non Sensitive Privilege Use No Auditing  Other Privilege Use Events No Auditing  Sensitive Privilege Use Success and Failure System  IPsec Driver Success  Other System Events Failure  Security State Change Success and Failure  Security System Extension Success and Failure  System Integrity Success and Failure Global Object Access Auditing – ignore for now
  • 3. Jan 2016 ver 2.0 MalwareArchaeology.com Page 3 of 6 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012 CONFIGURE:: 1. WEvtUtil: Use this utility to configure your log settings a. WevtUtil gl Security – List settings of the Security Log b. WevtUtil sl Security /ms:512000000 or /ms: 1024000000 if File & Registry auditing, Windows Firewall and Process Create are all enabled – Set the Security log size to the number of bytes c. WevtUtil sl Security /rt:false – Overwrite as needed 2. FILE AUDITING: Configuring auditing of folders and specific files will allow you to catch new file drops in key locations where commodity and advanced malware often use. To understand what, where and why to audit files and folders, refer to the “Windows File Auditing Cheat Sheet” for more detailed information. 3. REGISTRY AUDITING: Configuring auditing of registry keys will allow you to catch new keys, values and data in autorun and other locations where commodity and advanced malware often use. To understand what, where and why to audit registry keys, refer to the “Windows Registry Auditing Cheat Sheet” for more detailed information. 4. REG.EXE: Use this utility to query what is in a Key or the data within a key or value a. Query a Key and all values - Reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRun" b. Query a Key and all values - Reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce" c. Query a Key and all values - Reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRun" d. Query a Key and all values - Reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce" e. Query a known value of a Key: Reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRun" /v malware CONFIGURE: 5. Command Line Logging: One of the most important logging items that you can collect is what was executed on the command line when something executes. Microsoft added this capability into the release of Windows 8.1 and Windows Server 2012 R2. In Feb 2015 a patch was made available to add this feature to all Windows 7 and Windows 2008 Server with the following patch:  https://support.microsoft.com/en-us/kb/3004375 - KB3004375 Patch to add Command Line Logging A registry key is required to add the “Process Command Line” entry to every event ID 4688 event. The following is the key, value and data that must be set to collect this crucial information:  "hklmsoftwaremicrosoftwindowscurrentversionpoliciessystemaudit" – Value = ProcessCreationIncludeCmdLine_Enabled - REG_DWORD = 1 You can configure it to start collecting with the following command:  reg add "hklmsoftwaremicrosoftwindowscurrentversionpoliciessystemaudit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1
  • 4. Jan 2016 ver 2.0 MalwareArchaeology.com Page 4 of 6 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012 GATHER:: 1. AUDITPOL: Use this utility to view your current log settings a. List all Policies categories: AuditPol /List /Subcategory:* b. List what is SET: AuditPol /get /category:* c. List what is SET for a subcategory:  AuditPol /get /category:"Object Access” 2. Reg.exe: Use this utility to query the registry a. Changes to AppInit_Dlls - reg query "HKLMSoftwareMicrosoftWindows NTCurrentVersionWindows" /v AppInit_Dlls b. Changes to Services Keys - reg query "HKLMSystemCurrentControlSetServices" c. Changes to Machine Run Key - reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRun” d. Changes to Machine RunOnce Key - reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce” e. Changes to User Run Key - reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRun” f. Changes to User RunOnce Key - reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce” g. 3. SC.exe: Use this utility to query the services (sc /? For help) a. List all services in any state – sc.exe query state= all (Note: ‘space’ after the = sign) b. Look for a specific service – sc.exe query state= all | find /I “telnet” c. After finding the ‘Display_Name’ then look for the ‘Service_Name’ to get the short name GATHER:: 1. WEvtUtil: Use this utility to query your logs a. WevtUtil qe Security – query the Security Log for events i. Lots of flags here so read help “WevtUtil -?” ii. /c:5 = Read 5 events iii. /rd:true = newest events first iv. /f:text = format text, also can do XML b. Success & Failed Logons - WevtUtil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /c:5 /rd:true /f:text >Parsed%computername%_Logon_Events_Win7.log c. User Account Change - WevtUtil qe Security /q:"*[System[(EventID=4738)]]" /c:5 /rd:true /f:text >ParsedR_%computername%_User_Account_Change_Win7.log d. New Service Installed - WevtUtil qe Security /q:"*[System[(EventID=7045)]]" /c:5 /rd:true /f:text >ParsedR_%computername%_New_Service_Installed_Win7.log e. User Account Changes - wevtutil qe Security /q:"*[System[(EventID=4725 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4726 or EventID=4767)]]" /c:10 /f:text 2. Filtering Log Results: Use this method to filter lines within the logs a. Registry Changed – Find entries with ‘Object Name’ - WevtUtil qe Security /q:"*[System[(EventID=4657)]]" /c:5 /rd:true /f:text |find /i"Object Name" b. File or Registry Changed – Find entries with ‘Object Name’ - WevtUtil qe Security /q:"*[System[(EventID=4663)]]" /c:50 /rd:true /f:text |find /i "Object Name" c. Files – Find new files with ‘Wbem’ - WevtUtil qe Security /q:"*[System[(EventID=4663)]]" /c:50 /rd:true /f:text |find /i "wbem"
  • 5. Jan 2016 ver 2.0 MalwareArchaeology.com Page 5 of 6 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012 HARVEST:: 1. SERVICES: Found in the SYSTEM log d. 7045 - Message=A service was installed in the system. e. 7040 - Message=The start type of the XYZ service was changed from auto start to disabled. f. 7000 - Message=The XYX service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. g. 7022 - Message=The XYZ service hung on starting. h. 7024 - Message=The XYZ service terminated with service-specific error %%2414. i. 7031 - Message=The XYZ service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. j. 7034 - Message=The XYZ service terminated unexpectedly. It has done this 1 time(s). k. 7035 – Service sent a request to Stop or Start l. 7036 – Service was Started or Stopped HARVEST:: 1. LOG CLEAR: Watch for log clear messages a. 104 – SYSTEM Log – The Application or System log was cleared b. 1102 – SECURITY Log – The audit log was cleared 2. TASKS: Watch for a Process to start and call other processes a. 4698 – SECURITY Log – New Task Created 3. DRIVER: Watch for an issue with a driver a. 40 – Issue with Driver 4. OS VERSION: What OS do machines have a. 6009 – Lists OS version, Service Pack and processor type HARVEST:: 1. PROCESSES: Watch for a Process to start and call other processes a. 4688 – SECURITY Log – New Process Name, look for Creator Process ID to link what process launched what 2. INSTALLER: Watch for the Windows Installer activity a. 1022 – Windows Installer updated the product b. 1033 – Windows Installer installed the product c. 1034 – Windows Installer removed the product 3. WINDOWS UPDATE: Watch for the Windows Update Agent activity. a. 18 = Ready, 19 = Installed, 20= Failure 4. WINDOWS TIME: Watch for the Windows Service synchronization. Make sure your sources are what they are supposed to be. a. 35 – Time Service sync status and source 5. APPLICATION ERROR: Watch for application crashes. a. 1000 – (Application Log) Application Fault HARVEST:: 1. ACCOUNTS: Monitor for attempts to change an account password a. 4720 – A user account was created b. 4724 – An attempt was made to reset an accounts PW c. 4735 – Local Group changed d. 4738 – User account password changed HARVEST:: 1. APPLOCKER: Watch for triggers to AppLocker events (8000- 8027) a. 8004 – Filename not allowed to run 2. SRP: Watch for triggers to Software Restriction Policies b. 866 – Access to <filename> has been restricted HARVEST:: 1. AUDIT POLICY: Watch for changes to the Audit Policy that are NOT “SYSTEM” a. 4719 – System audit policy was changed
  • 6. Jan 2016 ver 2.0 MalwareArchaeology.com Page 6 of 6 WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012 HARVEST:: 1. NEW FILE ADDED: Watch for the creation of new files. Requires File auditing of the directory(s) that you want to monitor b. 4663 – Accesses: WriteData (or AddFile) c. GREAT for CryptoWare & Malware drops HARVEST:: 1. REGISTRY: Watch for the creation or modification of new registry keys and values a. 4657 – Accesses: WriteData (or AddFile) i. HKLM, HKCU & HKU – SoftwareMicrosoftWindowsCurrentVersion 1. Run, RunOnce ii. HKLMSoftwareMicrosoftWindows NTCurrentVersionWindows 1. Watch AppInit_Dlls iii. HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionEMDMgmt 1. Watch Connection time of USB Devices iv. HKLMSystemCurrentControlSetServices 1. Watch for NEW Services v. HKLMSYSTEMCurrentControlSetEnumUSBSTOR 1. Watch for NEW USB devices HARVEST:: 2. FIREWALL: Windows Filtering Platform - Watch for Inbound and Outbound connections – Requires Windows Firewall to be enabled a. This is the noisiest of all Events. Generating easily 9,000 - 10,000 events per hour per system b. Storage is required to utilize this event c. 5156 – Message=The Windows Filtering Platform has permitted a connection. Look for: i. Direction:, Source Address:, Source Port:, Destination Address: & Destination Port: HARVEST:: 1. REGISTRY: Monitor certain Keys for Add, Changes and Deletes. Setting auditing on the Specific keys is required. a. 4657 – A Registry value was modified HARVEST:: 1. EMAIL / VPN: Monitor for failed and successful logins to your VPN and Webmail application. Consider emailing user if login is from a new IP not in your exclude list a. sc_status=401 – Failed OWA login b. "reason = Invalid password" – Failed VPN login - Cisco HARVEST:: 1. LOGON TYPE: Monitor for what type of logons occur a. 4624 - Message=An account was successfully logged on. i. Type 2 – Interactive – GUI ii. Type 3 – Network – Net Use iii. Type 4 – Batch iv. Type 5 – Service v. Type 7 – Unlock vi. Type 8 – Network Clear Text vii. Type 9 – New Credentials (RDP Tools) viii. Type 10 – Remote Interactive (RDP) ix. Type 11 – Cached Interactive (laptops) b. 4625 - Message = An account failed to log on. HARVEST:: 1. SYSTEM INTEGRITY: Watch for files with page images with bad hashes a. 6281 – Failed – “page hashes of an image file are not valid”