The Top 10 Windows Event ID's Used
To Catch Hackers In The Act
Michael Gough
Lead Incident Response
What will be covered during this talk
• Windows logs are solid gold if you know what to Enable,
Configure, Gather and Harvest. When hacked they can tell
you what you need to know to find and harvest the malware
and what occurred. This talk walks through simple commodity
malware seen in SPAM and drive-bys to a Chinese advanced
attack and what Top Windows Event Codes and
information in the logs allowed us to harvest their malware
and understand what, where and when they were doing it.
• Details of the attack from the logs and the queries used will
be covered and shared to allow you to catch a similar type of
attack. This talk will show an advanced attack at its finest, but
is designed to be Blue Team Defense in nature so you can
learn from those that deal with malware and advanced attacks
almost daily.
• What works and why will also be discussed
Disclaimer
The information in this presentation and
opinions are mine alone and do not reflect
those of my current or past employers.
MalwareArchaeology.com
INTRODUCTION
Who Am I
• Michael Gough, Malware Archaeologist
• Blue Team Ninja, Active Defense, Splunk Fu
• Blog - HackerHurricane.com
• Twitter - @HackerHurricane
• Creator of the “Malware Management Framework”
• Creator of several Logging Cheat Sheets
• “Windows Logging Cheat Sheet”
• “Windows Splunk Logging Cheat Sheet”
• “Windows File Auditing Cheat Sheet”
• “Windows Registry Auditing Cheat Sheet”
• Co-Creator of Log-MD
• LOG and Malicious Discovery tool for Malware Discovery & Incident
Response
Hackers, Malware and Logs
• I am a Logoholic
• I love malware, malware discovery and malware
management
• But once I find an infected system, what happened
before I found it?
• Was there more than one system involved?
• Did the Malwarian do more?
• What behavior did the system or systems have after the
initial infection?
• Who was Patient 0?
• Logs are the perfect partner to malware!
So why listen to me?
• I have been there
• In the worst way
• Found malware quickly
• Discovered 10 months before the Kaspersky report – June
2012
• We needed more… Who, What, Where, When and How
• We found the logs were not fully enabled or configured
and couldn’t get the data we needed
• Once the logs from endpoints were enabled and
configured, we saw all kinds of cool stuff, it showed the
How that we ALL NEED
So what is the problem
we are trying to solve?
You’re Next
[slide graphic: a wall of breach headlines with their record counts (tens of millions of records each, 1000+ businesses in one case, ~$758 million in losses in another); the named victims include Citigroup, E*Trade Financial Corp., Regions Financial Corp., HSBC Holdings and ADP, ending with a question mark for whoever is next]
What is Coming
• Statistics showing prevalence of weaponized document attacks as top
threat in 4th quarter of 2015.
Why we should care
Mandiant M-Trends 2016 Report
• Numbers always tell a story, but it’s the interpretation of those numbers
that holds the real value. The median number of days an organization was
compromised in 2015 before the organization discovered the breach (or
was notified about the breach) was 146. This continues a positive
improvement since we first measured 416 days in 2012. Additionally, the
median number was 205 days in 2014, which means we witnessed a drop
of more than 50 days in 2015! Obviously, as an industry, we are getting
better at detecting breaches. On a positive note, companies that detected
the breach on their own had a median number of 56 days compromised.
The takeaway is that we are getting better as an industry, but there is still
work left to do!
• 2012 – 416 days MTTD
• 2014 – 205 days MTTD
• 2015 – 146 days MTTD
• 2015 – 56 days MTTD for companies that detected it themselves
Who is catching it?
[chart: Mandiant M-Trends 2016 Report]
Compromise to Discovery
[chart: Mandiant M-Trends 2016 Report]
Why should we care?
Let’s take a look at
real hacks caught in action
In order to understand
why we need to log things
An attack in the raw logs
Commodity malware in the raw logs
Catch PowerShell logging bypass
• These were 2015 Dridex payloads
You could catch a Crypto event
A walk through of Winnti
Winter 2014 campaign
Winnti – A campaign against the gaming industry
• Kaspersky was the first to report on Winnti
• Then came the publicly released report in 2013
• Followed up in 2014 with another wave of attacks
• Now the group is expanding
• Kaspersky Report
– http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf
• Novetta did a Winnti analysis
– https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
Like all malware, it and they evolve
• First gaming
• Then telecoms and Big Pharma
• Now South Korea, UK and Russia businesses
• We must learn and evolve with them
The Malware Infection (log screenshot callouts)
• Malware launch
• Hiding malware in the Registry
• Modify service
Escalate permission – obviously NOT your admin (log screenshot callouts)
• Check the service used
• Modify permissions
• Push out malware using CMD shell and CScript
Command line logging is priority #1 (log screenshot callouts)
• Update Registry
• Change Registry permissions
• Change permissions on files
Bad behavior becomes obvious (log screenshot callouts)
• Doing recon
• Going after Terminal Services
• Query users
You can even capture their credentials (log screenshot callouts)
• Caught THEIR credentials!
With what we have just seen
What can we do with logs?
More than you would have ever guessed!
• Not only detect retail PoS RAM scrapers such as BackOff and the ones that hit Target, Neiman Marcus and Michael’s
• Government sponsored malware like Regin, Cleaver, Stuxnet, Duqu, Flamer, etc.
• Yes, even the really bad stuff like Winnti (well, good stuff to me ;-)
• You can lower your MTTD to days if not hours
• IF... you know what to look for
Malware Management
• Read reports from analysts, IR firms and presentations
like this
• Use the data in these reports, pull out the artifacts
• Tweak your defenses
• Lather – Rinse – Repeat
• Long list of reports at MalwareArchaeology.com
• Details found at MalwareManagementFramework.org
• Send me links to reports and your thoughts
Improve Security with Endpoint Data
•Great coverage with 10 events per system, not
60,000 alerts like we heard the retailers had
•If you get 10, then 20, then 30 alerts… you should
be kicking into Incident Response mode
•Of course there are more, but this is where to start
The Windows Logging Cheat Sheet
• 6 pages on Windows logging
• Details on how to configure Windows logging and auditing
• Found at:
• MalwareArchaeology.com
Also…
• Windows Splunk Logging
Cheat Sheet
• Windows File Auditing Cheat
Sheet
• Windows Registry Auditing
Cheat Sheet
The 10 Windows Event ID’s
everyone must monitor and
alert on
The Ten Command-lets
1. 4688 - New process created. Look for the admin and recon utilities that normal users rarely run, such as cscript.exe, sysprep.exe, nmap.exe, nbtstat.exe, netstat.exe, ssh.exe, psexec.exe, psexesvc.exe, ipconfig.exe, ping.exe or powershell.exe (SET, Metasploit), and of course new, odd .exe names. Only really useful once the process command line is being captured (see below).
2. 4624 - An account logged on. What is normal? The Logon Type field tells you how (interactive, network, RDP, service).
3. 5140 - A network share was accessed. Lateral movement most likely means a connection to the C$ or ADMIN$ share.
4. 5156 - The Windows Filtering Platform permitted a connection. Shows the process making the connection and the IP, which you can resolve with GeoIP to country, region and city.
5. 7040 - A service’s start type was changed. Static systems don’t change how their services start.
6. 7045 - A new service was installed. Static systems don’t get new services except at patch time and new installs.
7. 4663 - An attempt was made to access an object (file). File auditing (a SACL) must be set on the directories you want to monitor.
8. 4657 - A registry value was modified. Registry auditing gives more detail on registry changes than 4663 does.
9. 500/501 - PowerShell command started/stopped (Windows PowerShell log, command lifecycle events)
10. 4104 - PowerShell script block logging (Microsoft-Windows-PowerShell/Operational); 4103 is the companion module logging event
Steps you will need to take
• Enable Advanced Audit Policy in Windows
• The “Windows Logging Cheat Sheet”
• Audit Process Creation = Success 4688
• Audit Logon = Success & Failure 4624 &
4625
• Audit File Share = Success 5140
• Audit File System = Success 4663
• Audit Registry = Success 4657
• Audit Filtering Platform Connection = Success 5156
(Any/Any min)
• Services already captured by System Log 7045 & 7040
• Enable and Configure to capture
• Process Command Line
• The #1 thing that will catch the nefarious ne’er-do-wellers
Enable Command Line
Logging
Windows 7 thru 2012 (Win 10 too)
"Include command line in process creation events"
• http://technet.microsoft.com/en-us/library/dn535776.aspx
1. You must have the MS15-015 update (KB3031432, Feb 2015) on Windows 7 / Server 2008 R2 through 8.1 / 2012 R2; Windows 10 has it built in
2. Registry value for all versions (the GPO equivalent is Computer Configuration > Administrative Templates > System > Audit Process Creation):
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
• ProcessCreationIncludeCmdLine_Enabled
• DWORD = 1
• Caveat: the full command line, including any password someone passes on it, now lands in the Security log, so restrict who can read the logs and your log management copies of them
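The audit-policy steps and the command-line switch above, as one PowerShell script. This is an added example, not code from the slides or from the cheat sheets: the subcategory GUIDs, auditpol.exe and the registry value are the documented Windows interfaces, while the function names are this example’s own. Run it elevated on a test box; on a domain the same settings belong in GPO, because advanced audit policy from GPO overwrites whatever auditpol sets locally.

```powershell
# Added example (not from the original slides): enable the audit subcategories
# from "Steps you will need to take" plus the process command line, then read
# the effective policy back. Run elevated.

# Subcategory GUIDs are stable across OS languages; the comment is the event ID each produces.
$AuditSubcategories = @{
    'Process Creation'              = '{0CCE922B-69AE-11D9-BED3-505054503030}'   # 4688
    'Logon'                         = '{0CCE9215-69AE-11D9-BED3-505054503030}'   # 4624 / 4625
    'File Share'                    = '{0CCE9224-69AE-11D9-BED3-505054503030}'   # 5140
    'File System'                   = '{0CCE921D-69AE-11D9-BED3-505054503030}'   # 4663
    'Registry'                      = '{0CCE921E-69AE-11D9-BED3-505054503030}'   # 4657
    'Filtering Platform Connection' = '{0CCE9226-69AE-11D9-BED3-505054503030}'   # 5156 (and 5158, which you filter out)
}
$CmdLineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Enable-LoggingBaseline {
    foreach ($name in $AuditSubcategories.Keys) {
        # Logon is the only subcategory that wants failures too (4625); the rest are success-only.
        $failure = if ($name -eq 'Logon') { 'enable' } else { 'disable' }
        & auditpol.exe /set "/subcategory:$($AuditSubcategories[$name])" /success:enable "/failure:$failure" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for $name" }
    }
    # "Include command line in process creation events" (needs KB3031432 on Win7 / 2008 R2).
    New-Item -Path $CmdLineKey -Force | Out-Null
    Set-ItemProperty -Path $CmdLineKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
}

function Test-LoggingBaseline {
    # Read back what Windows actually applies rather than trusting the set: GPO may override it.
    $effective = & auditpol.exe /get /category:* /r | ConvertFrom-Csv
    foreach ($name in $AuditSubcategories.Keys) {
        $row = $effective | Where-Object { $_.'Subcategory GUID' -eq $AuditSubcategories[$name] }
        [pscustomobject]@{ Setting = $name; Value = $row.'Inclusion Setting' }
    }
    $cl = Get-ItemProperty -Path $CmdLineKey -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    [pscustomobject]@{ Setting = 'ProcessCreationIncludeCmdLine_Enabled'; Value = $cl.ProcessCreationIncludeCmdLine_Enabled }
}

Enable-LoggingBaseline
Test-LoggingBaseline | Format-Table -AutoSize
```

Test-LoggingBaseline is the part worth keeping around: run it from your endpoint management tooling after a GPO change, and a row that reads "No Auditing" (or a null command-line value) tells you a host is not producing the events the rest of this deck depends on.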
And you will see this added to your logs
• Only a fraction more data
• Most valuable thing to log
Additional context is important to identify abnormal behavior
PowerShell – Command Line
Windows PowerShell log: Event IDs 500/501 (command started/stopped)
Details on setting PowerShell preference variables
• http://technet.microsoft.com/en-us/library/hh847796.aspx
1. You MUST have a default profile for all users and all hosts:
• C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1
2. Add these to that default Profile.ps1:
• $LogCommandHealthEvent = $true
• $LogCommandLifecycleEvent = $true
3. Upgrade PowerShell to version 4 (or 5, see the next slide)
• Caveat: a profile only runs when the host loads it, so powershell.exe -NoProfile silently skips these settings. That is one reason -noprofile on a command line is worth an alert, and why script block logging (4104) is the better source once you have it.
• Investigating PowerShell Attacks (DefCon & Blackhat 2014)
• Ryan Kazanciyan TECHNICAL DIRECTOR, MANDIANT
• Matt Hastings CONSULTANT, MANDIANT
PowerShell – Script Block and Module logging
Microsoft-Windows-PowerShell/Operational log:
• Event ID 4104 (script block) and 4103 (module / pipeline execution)
Details on setting PowerShell script block and module logging
• http://technet.microsoft.com/en-us/library/hh847796.aspx
1. Add these registry values on Windows 8.1 / Server 2012 R2 and later (sorry, no Windows 7 or Server 2008 R2 until WMF 5 is installed there). The policy root is HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell; GPO also writes the Wow6432Node copy shown here for 32-bit hosts:
• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging  EnableModuleLogging = 1
• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames  value name * = *
• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging  EnableScriptBlockLogging = 1
2. Windows Management Framework version 5 adds more
• FireEye article on the new capabilities
• https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
PowerShell Logging via GPO
PowerShell Transcripts
• You can also specify a transcript of all PowerShell commands executed (input and output), written locally or to a network share
• You can add these to your log management solution
• Add these registry values (same policy root as module and script block logging):
• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription  EnableTranscripting = 1 (DWORD)
• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription  EnableInvocationHeader = 1 (DWORD)
• HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription  OutputDirectory = "" (enter a path; empty = default, the user’s Documents folder)
• Caveat: point OutputDirectory at a share where users can create files but not read or delete them, otherwise the attacker whose session you are transcribing can simply remove the transcript
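The three PowerShell logging slides above (command lifecycle 500/501, module and script block logging, transcription) as one PowerShell script that sets the values and reads them back. This is an added example, not code from the slides or the cheat sheets: the policy key and value names are the documented ones, the 64-bit policy path is used (GPO writes the Wow6432Node copy as well), and the transcript directory is this example’s own choice.

```powershell
# Added example (not from the original slides): turn on PowerShell module,
# script block and transcription logging, and the legacy command lifecycle
# events, then read the values back. Run elevated.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'  # 64-bit view; GPO also writes the Wow6432Node copy
$TranscriptDir = 'C:\PSTranscripts'   # assumption for the example; a write-only share is the better home

function Enable-PowerShellLogging {
    # Module logging (4103): record pipeline execution for every module.
    New-Item -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

    # Script block logging (4104): the code as executed, after any -enc or obfuscation is undone.
    New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Transcription: a text record of each session including output, with an invocation header.
    New-Item -Path "$PolicyRoot\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null

    # Legacy command lifecycle events 500/501 (PowerShell 2-4) come from preference
    # variables, so they have to live in the all-users, all-hosts profile.
    $profilePath = Join-Path $PSHOME 'Profile.ps1'   # C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1
    $wanted = '$LogCommandHealthEvent = $true', '$LogCommandLifecycleEvent = $true'
    $have = if (Test-Path $profilePath) { Get-Content $profilePath } else { @() }
    foreach ($line in $wanted) { if ($have -notcontains $line) { Add-Content -Path $profilePath -Value $line } }
}

function Test-PowerShellLogging {
    # A missing value comes back as $null, which is exactly what you want to notice.
    $checks = @('ModuleLogging', 'EnableModuleLogging'), @('ScriptBlockLogging', 'EnableScriptBlockLogging'),
              @('Transcription', 'EnableTranscripting'), @('Transcription', 'OutputDirectory')
    foreach ($c in $checks) {
        $v = Get-ItemProperty -Path "$PolicyRoot\$($c[0])" -Name $c[1] -ErrorAction SilentlyContinue
        [pscustomobject]@{ Key = $c[0]; Name = $c[1]; Value = $v.($c[1]) }
    }
}

Enable-PowerShellLogging
Test-PowerShellLogging | Format-Table -AutoSize
```

Two things to keep in mind when you read the results: the profile-based 500/501 events disappear the moment something runs powershell.exe -NoProfile, so treat them as a bonus rather than a control, and script block logging on PowerShell 5 records the de-obfuscated script text, which makes it the event to build alerts on where it is available.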
Some tips to save on data that
you collect with your
Log Management solution
Do’s and Don’ts
Reducing or excluding events (save on license)
• Event ID’s 4688 & 4689 (New Process Start/Stop) and 5156
& 5158 (Windows Firewall) will be the Top 4 Events in
quantity!
• Storage and License required to gather all these events
• 4689 and 5158 CAN be excluded as least valuable that
is 50% savings
• Do NOT exclude by EventID’s that you want, exclude them
by the Message within the EventID
• I want 4688, but not splunk*.exe or googleupdate.exe, so
exclude by New_Process_Name to reduce normal noise
• I want 5156, but not things that are normal to execute, so
exclude by Application_Name
A sample query using Splunk for the #1 alert that ALL log management solutions MUST have
4688 (New Process Started)
You can add any or all Windows admin utilities in System32 or SysWOW64
• index=windows source="WinEventLog:Security" EventCode=4688 NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexesvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR "system32\net.exe" OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
• Machine accounts (Account_Name ending in $) are excluded because they run most of these utilities as part of normal maintenance; Creator_Process_ID ties the new process back to its parent, which is how a WINWORD.EXE spawning cmd.exe stands out
New Process Information in Splunk - Normal
New Process to Catch the PowerShell bypass
• index=windows source="WinEventLog:Security" EventCode=4688 ((powershell* AND "-ExecutionPolicy") OR (powershell* AND bypass) OR (powershell* AND "-noprofile")) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
• CRITICAL ALERT !!! Catches malware using PowerShell with an execution policy bypass, or skipping the profile (and with it the profile-based 500/501 logging)
4688 (PowerShell bypass) results in
Splunk
5156 (Win FW Connection)
Shows which process connected to which IP
• index=windows LogName=Security EventCode=5156 NOT (Source_Address="239.255.255.250" OR Source_Address="224.0.0.*" OR Source_Address="::1" OR Source_Address="ff02::*" OR Source_Address="fe80::*" OR Source_Address="255.255.255.255" OR Source_Address="192.168.1.255") NOT (Destination_Address="127.0.0.1" OR Destination_Address="239.255.255.250" OR Destination_Address="*.*.*.255" OR Destination_Address="224.0.0.25*") NOT (Destination_Port="0") NOT (Application_Name="icamsource" OR Application_Name="*\bin\splunkd.exe") | dedup Destination_Address Destination_Port | table _time, host, Application_Name, Direction, Source_Address, Source_Port, Destination_Address, Destination_Port | sort Direction Destination_Port
• Application_Name in 5156 is a \device\harddiskvolumeN\ path rather than a drive letter, so match it with a leading wildcard as above; 192.168.1.255 is this lab’s broadcast address, substitute your own
5156 - CSV output for additional processing
Used to track BAD IP’s
Windows Firewall Logging
• If you don’t use the Windows Firewall to block anything, run it with allow ANY/ANY rules so every connection is still evaluated and logged as 5156. Filter out 5158 (bind to local port) events as these are not needed
• Do NOT disable in Root OU, put lower so you can add and remove
systems to the OU to apply this rule
• Of course enable the Win F/W everywhere and collect locally, there
is no good reason not to
• Export to CSV for manual processing or (or use LOG-MD)
• Do WhoIS lookup to resolve the Company, Country, etc.
• Create a large Whitelist of good IP’s (lookup list)
• Exclude Browsers from one search. The list of IP’s will be much
smaller for non browser executables talking to external IP’s
7045 (New Service added)
New Service has been added
• index=windows LogName=System EventCode=7045 NOT
(Service_Name=tenable_mw_scan) | eval Message=split(Message,".") |
eval Short_Message=mvindex(Message,0) | table _time host
Service_Name, Service_Type, Service_Start_Type, Service_Account,
Short_Message
• This one alert would have caught EVERY retail PoS breach!
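For hosts that have no SIEM yet, the same three hunts can be run straight off the Windows event log with PowerShell. The block below is an added example, not code from the slides or the Splunk cheat sheet: it serves the 4688 searches (admin utilities and the PowerShell bypass flags), the 5156 search (connections minus broadcast, multicast and loopback noise) and the 7045 search above. Events are parsed from their XML, which is what Get-WinEvent’s .ToXml() returns; the sample events, the trimmed tool list and the added -enc flag are this example’s own.

```powershell
# Added example (not from the original slides): one PowerShell hunt over 4688,
# 5156 and 7045 events, parsed from event XML. Sample events are constructed.

function ConvertFrom-EventXml {
    # Flatten the <System> basics and every <Data Name="..."> into one hashtable.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $id  = $doc.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # classic providers (System log) add Qualifiers=
    $f = [ordered]@{ EventID = [int]$id; Computer = $doc.Event.System.Computer }
    foreach ($d in $doc.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    return $f
}

# Trimmed admin-utility list from the 4688 slide, and the bypass flags from the PowerShell slide.
$AdminTools  = 'cmd.exe','cscript.exe','wscript.exe','powershell.exe','psexec.exe','psexesvc.exe',
               'net.exe','netsh.exe','sc.exe','reg.exe','schtasks.exe','wmic.exe','whoami.exe',
               'ipconfig.exe','nbtstat.exe','netstat.exe','nslookup.exe','ping.exe','tasklist.exe',
               'systeminfo.exe','vssadmin.exe','procdump.exe','mimikatz.exe','nc.exe','rar.exe'
$BypassFlags = '(?i)-(ExecutionPolicy|ep)\b|\bbypass\b|-nop(rofile)?\b|-e(nc|ncodedcommand)\b'  # -enc is this example's addition
# 5156 noise, as excluded in the Splunk search: multicast, broadcast, loopback, link-local.
$NoiseAddr   = '^(239\.255\.255\.250|224\.0\.0\.|255\.255\.255\.255|127\.|::1$|ff02:|fe80:)|\.255$'

function Test-Event {
    # Returns one finding string for an event worth a look, or nothing.
    param([Parameter(Mandatory)]$f)
    switch ($f.EventID) {
        4688 {
            if ($f.SubjectUserName -like '*$') { return }                     # machine accounts
            $exe = ($f.NewProcessName -split '\\')[-1].ToLower()
            $why = @()
            if ($AdminTools -contains $exe) { $why += "admin-tool:$exe" }
            if ($exe -eq 'powershell.exe' -and $f.CommandLine -match $BypassFlags) { $why += 'powershell-bypass' }
            if ($why) { return "4688 [$($why -join ',')] $($f.SubjectDomainName)\$($f.SubjectUserName): $($f.ParentProcessName) -> $($f.CommandLine)" }
        }
        5156 {
            if ($f.SourceAddress -match $NoiseAddr -or $f.DestAddress -match $NoiseAddr) { return }
            if ($f.DestPort -eq '0' -or $f.Application -like '*\bin\splunkd.exe') { return }
            $dir = if ($f.Direction -eq '%%14593') { 'out' } else { 'in' }     # %%14592 = inbound
            return "5156 $dir $($f.Application) $($f.SourceAddress):$($f.SourcePort) -> $($f.DestAddress):$($f.DestPort)"
        }
        7045 {
            if ($f.ServiceName -eq 'tenable_mw_scan') { return }               # known scanner service
            return "7045 new service '$($f.ServiceName)' = $($f.ImagePath) (start=$($f.StartType), account=$($f.AccountName))"
        }
    }
}

function Invoke-Hunt {
    # Input: event XML strings (from .ToXml() or the samples). Output: unique findings.
    param([Parameter(Mandatory)][string[]]$EventXml)
    $EventXml | ForEach-Object { Test-Event (ConvertFrom-EventXml $_) } | Select-Object -Unique
}

# Constructed sample events, cut down to the fields the rules read.
function New-SampleXml([int]$Id, [hashtable]$Data) {
    $body = ($Data.GetEnumerator() | ForEach-Object { "<Data Name=`"$($_.Key)`">$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID>" +
    "<Computer>WKS01</Computer></System><EventData>$body</EventData></Event>"
}
$Samples = @(
    (New-SampleXml 4688 @{ SubjectUserName='jdoe'; SubjectDomainName='CORP'
        NewProcessName='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentProcessName='C:\Program Files\Microsoft Office\Office15\WINWORD.EXE'
        CommandLine='powershell.exe -nop -w hidden -ExecutionPolicy Bypass -File C:\Users\jdoe\AppData\Local\Temp\inv.ps1' }),
    (New-SampleXml 4688 @{ SubjectUserName='WKS01$'; SubjectDomainName='CORP'; NewProcessName='C:\Windows\System32\cmd.exe'; CommandLine='cmd /c gpupdate' }),
    (New-SampleXml 5156 @{ Application='\device\harddiskvolume2\users\jdoe\appdata\local\temp\svchost.exe'; Direction='%%14593'
        SourceAddress='192.168.1.20'; SourcePort='49211'; DestAddress='203.0.113.77'; DestPort='443' }),
    (New-SampleXml 5156 @{ Application='System'; Direction='%%14592'; SourceAddress='192.168.1.5'; SourcePort='137'; DestAddress='192.168.1.255'; DestPort='137' }),
    (New-SampleXml 7045 @{ ServiceName='WinUpdSvc'; ImagePath='C:\ProgramData\winupd.exe'; ServiceType='user mode service'; StartType='auto start'; AccountName='LocalSystem' })
)
Invoke-Hunt -EventXml $Samples   # three findings: the Word-spawned PowerShell, the temp svchost.exe connection, the new service
# Live host: Invoke-Hunt -EventXml ((Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,5156} -MaxEvents 20000) +
#            (Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}) | ForEach-Object { $_.ToXml() })
```

The machine-account sample and the broadcast sample produce nothing, which is the point of the exclusions on the previous slides: the value of these events comes from what you leave out, and a short, named tool list plus a small noise list is easier to reason about than a large one.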
7045 (New Service added) – In Splunk
4663 (File Auditing) 4657 (Registry)
Filter out/exclude known good noise
• index=windows sourcetype=WinEventLog:Security EventCode=4663 NOT (Process_Name="*\Windows\servicing\TrustedInstaller.exe" OR Process_Name="*\Windows\System32\poqexec.exe") NOT (Object_Name="*\Users\svc_acct\pnp" OR Object_Name="C:\Users\Surf\AppData\Local\Google\Chrome\User Data*" OR Object_Name="C:\Users\Surf\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations") NOT (Object_Name="C:\Windows\System32\LogFiles*" OR Object_Name="*\ProgramData\Microsoft\RAC*" OR Object_Name="*\Microsoft\Windows\Explorer\thumbcache*" OR Object_Name="*.MAP" OR Object_Name="*counters.dat" OR Object_Name="*\Windows\GatherLogs\SystemIndex*") | rename Process_Name as Created_By | table _time, host, Security_ID, Handle_ID, Object_Type, Object_Name, Process_ID, Created_By, Accesses
• The exclusions are one workstation’s noise (the user profile "Surf", a service account, Chrome, Windows Search); build your own list from what your systems generate, and keep Object_Type in the table so registry keys (Key) and files (File) can be told apart
4663 (File/Reg Auditing) – In Splunk
Using LOG-MD we were able to enable and expand file and registry auditing and use the results to tweak the audit locations to reduce noise or events that are not needed, saving on license and storage.
If it were not for LOG-MD testing, we would never have caught Dridex creating a key on shutdown and deleting that key on startup for persistence!
File and Registry auditing for shutdown and startup is VERY powerful
File and Registry Auditing tips
Add this slowly and keep it simple or you will create a lot of
noise
• Set via the GUI (Booo)
• Or use a PowerShell script, GPO, etc.
• Or by Security Policy file
• Make one for each File and Registry, apply via GPO or locally with “secedit”
• Audit only for:
• Files – WriteData (CreateFiles), AppendData (CreateDirectories), Change permissions, Take ownership
• Registry – Set Value, Delete, and optionally Write DAC and Write Owner
• NEW is what we want... Malware needs to be added
• Start with simple items like Run Keys, Firewall policy, keys that are HIGH value
• Remember there are 2 Cheat Sheets to help you with this
• “Windows File Auditing Cheat Sheet”
• “Windows Registry Auditing Cheat Sheet”
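The narrow audit rules from the tips above, applied with PowerShell to a high-value registry key and a folder. This is an added example rather than the cheat sheets’ own secedit templates: the .NET audit-rule classes it uses are the documented ones, while the paths and the choice of Everyone as the audited principal are this example’s own. It needs an elevated session (writing a SACL requires SeSecurityPrivilege), and the Audit Registry / Audit File System subcategories must already be enabled or nothing will be logged.

```powershell
# Added example (not from the original slides): set SACLs that fire 4657/4663 on
# additions and permission changes only, not on reads. Run elevated.

$RegistryRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# On a folder, WriteData means "create files" and AppendData means "create folders".
$FileRights     = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'

function Add-RegistryAudit([Parameter(Mandatory)][string]$Path) {
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', $RegistryRights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)          # merges with an identical existing entry instead of duplicating it
    Set-Acl -Path $Path -AclObject $acl
}

function Add-FileAudit([Parameter(Mandatory)][string]$Path) {
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $FileRights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AuditRules([Parameter(Mandatory)][string]$Path) {
    # Show what is in the SACL now; an empty result means 4657/4663 will never fire here.
    (Get-Acl -Path $Path -Audit).Audit | Select-Object IdentityReference, AuditFlags, InheritanceFlags,
        @{ n = 'Rights'; e = { if ($_.RegistryRights) { $_.RegistryRights } else { $_.FileSystemRights } } }
}

# Start small, as the slides say: the Run keys and one folder malware likes to drop into.
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' | ForEach-Object { Add-RegistryAudit $_ }
Add-FileAudit 'C:\Users\Public'
Get-AuditRules 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Get-AuditRules 'C:\Users\Public'
```

To confirm the wiring end to end, write a throwaway value under the Run key and then query the Security log for 4657 (and for 4663 with Object_Type=Key, which is what a new subkey produces); if the value shows up in the registry but no event appears, the audit policy, not the SACL, is what is missing.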
Other valuable queries
Add these to the list
• Event ID 106 (Microsoft-Windows-TaskScheduler/Operational) – new scheduled task registered; Security log 4698 records the same thing when Audit Other Object Access Events is enabled
• Event IDs 2004, 2005, 2006 (Microsoft-Windows-Windows Firewall With Advanced Security/Firewall) – Windows Firewall rule added, modified or deleted
• Exchange by subject
• Use to find who received a reported phishing email
• Network logs by known bad IP
• Who visited a known bad IP (you populate the list) that you discover in malware analysis or from the alerts in the previous slides
Other logging improvements
• Of course LOG-MD to help you refine your logging and expand it
• Also great for IR tasks, lots of other features
• Sysinternals – Sysmon
• Process creation with file hashes (Event ID 1) and image/driver loading (.EXE, DLL, SYS; Event IDs 7 and 6)
• Network connections by process (Event ID 3), like Win FW 5156
• Windows Logging Service (WLS)
• Agent to replace your logging agent
• Provides hashes of files
• Provides some WMI and PowerShell execution
• Replaces the need for Sysmon
The Windows Splunk Cheat Sheet
Just for you
• All the queries in this preso and a few more
• Some tips about filtering
• Found at:
• MalwareArchaeology.com
Resources
Websites
• MalwareArchaeology.com
• Cheat Sheets
• Malware Reports
• Log-MD.com
• Log and Malicious Discovery tool
• Malware Analysis Report links too
• To start your Malware Management program
Questions?
You can find me at:
• MalwareArchaeology.com
• MalwareManagementFramework.org
• HackerHurricane.com (blog)
• @HackerHurricane
• Log-MD.com
• http://www.slideshare.net
• Search for MalwareArchaeology
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Wendy Knox Everette
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
Michael Gough
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
Sean Whalen
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference
Rea & Associates
 
Introducing Bugcrowd
Introducing BugcrowdIntroducing Bugcrowd
Introducing Bugcrowd
Casey Ellis
 
Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...
Osama Salah
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To Basics
Joel Cardella
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
Adrian Sanabria
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
Michael Gough
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Barry Greene
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
APNIC
 
Anatomy of a breach - an e-book by Microsoft in collaboration with the EU
Anatomy of a breach - an e-book by Microsoft in collaboration with the EUAnatomy of a breach - an e-book by Microsoft in collaboration with the EU
Anatomy of a breach - an e-book by Microsoft in collaboration with the EU
University of Essex
 
[EMC] Source Code Protection
[EMC] Source Code Protection[EMC] Source Code Protection
[EMC] Source Code Protection
Perforce
 

Similar to The top 10 windows logs event id's used v1.0 (20)

Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
 
SpiceWorks Webinar: Whose logs, what logs, why logs
SpiceWorks Webinar: Whose logs, what logs, why logs  SpiceWorks Webinar: Whose logs, what logs, why logs
SpiceWorks Webinar: Whose logs, what logs, why logs
 
Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response Fails
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Endpoint (big) Data In The Age of Compromise, Ian RainsburghEndpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
 
If We Only Had the Time: How Security Teams Can Focus On What’s Important
If We Only Had the Time: How Security Teams Can Focus On What’s ImportantIf We Only Had the Time: How Security Teams Can Focus On What’s Important
If We Only Had the Time: How Security Teams Can Focus On What’s Important
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference
 
Introducing Bugcrowd
Introducing BugcrowdIntroducing Bugcrowd
Introducing Bugcrowd
 
Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...Application Whitelisting - Complementing Threat centric with Trust centric se...
Application Whitelisting - Complementing Threat centric with Trust centric se...
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To Basics
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015Secure Yourself, Practice what we preach - BSides Austin 2015
Secure Yourself, Practice what we preach - BSides Austin 2015
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...Are you ready for the next attack? reviewing the sp security checklist (apnic...
Are you ready for the next attack? reviewing the sp security checklist (apnic...
 
Are you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security ChecklistAre you ready for the next attack? Reviewing the SP Security Checklist
Are you ready for the next attack? Reviewing the SP Security Checklist
 
Anatomy of a breach - an e-book by Microsoft in collaboration with the EU
Anatomy of a breach - an e-book by Microsoft in collaboration with the EUAnatomy of a breach - an e-book by Microsoft in collaboration with the EU
Anatomy of a breach - an e-book by Microsoft in collaboration with the EU
 
[EMC] Source Code Protection
[EMC] Source Code Protection[EMC] Source Code Protection
[EMC] Source Code Protection
 

More from Michael Gough

Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdfSophisticated Attacks - Can We Really Detect Them _v1.2.pdf
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
Michael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
Michael Gough
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Michael Gough
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
Michael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
Michael Gough
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
Michael Gough
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
Michael Gough
 

More from Michael Gough (12)

Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdfSophisticated Attacks - Can We Really Detect Them _v1.2.pdf
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
 

Recently uploaded

How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
Arpan Buwa
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
Ivanti
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
SynapseIndia
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
Priyanka Aash
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 

Recently uploaded (20)

How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 

The top 10 windows logs event id's used v1.0

6
Hackers, Malware and Logs
• I am a Logoholic
• I love malware, malware discovery and malware management
• But once I find an infected system, what happened before I found it?
• Was there more than one system involved?
• Did the Malwarian do more?
• What behavior did the system or systems have after the initial infection?
• Who was Patient 0?
• Logs are the perfect partner to malware!
7
So why listen to me?
• I have been there
• In the worst way
• Found malware quickly
• Discovered 10 months before the Kaspersky report – June 2012
• We needed more… Who, What, Where, When and How
• We found the logs were not fully enabled or configured and couldn’t get the data we needed
• Once the logs from endpoints were enabled and configured, we saw all kinds of cool stuff, it showed the How that we ALL NEED
8
So what is the problem we are trying to solve?
9
You’re Next
[Collage slide of breach headlines with victim and record counts; the only legible names are Citigroup, E*Trade Financial Corp., Regions Financial Corp., HSBC Holdings and ADP, ending with “?????”]
10
What is Coming
• Statistics showing prevalence of weaponized document attacks as top threat in 4th quarter of 2015.
11
Why we should care
Mandiant M-Trends 2016 Report
• Numbers always tell a story, but it’s the interpretation of those numbers that holds the real value. The median number of days an organization was compromised in 2015 before the organization discovered the breach (or was notified about the breach) was 146. This continues a positive improvement since we first measured 416 days in 2012. Additionally, the median number was 205 days in 2014, which means we witnessed a drop of more than 50 days in 2015! Obviously, as an industry, we are getting better at detecting breaches. On a positive note, companies that detected the breach on their own had a median number of 56 days compromised. The takeaway is that we are getting better as an industry, but there is still work left to do!
• 2012 – 416 days MTTD
• 2014 – 205 days MTTD
• 2015 – 146 days MTTD
• 2015 – 56 days MTTD for companies that detected it themselves
12
Who is catching it?
Mandiant M-Trends 2016 Report
14
Why should we care?
Let’s take a look at real hacks caught in action
In order to understand why we need to log things
15
An attack in the raw logs
16
Commodity malware in the raw logs
17
Catch PowerShell Logging bypass
• These were 2015 Dridex payloads
18
You could catch a Crypto event
19
A walk through of Winnti Winter 2014 campaign
20
Winnti – A campaign against the Gaming industry
• Kaspersky was the first to report on Winnti
• Then came the publicly released report in 2013
• Followed up in 2014 with another wave of attacks
• Now the group is expanding
• Kaspersky Report – http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf
• Novetta did a Winnti Analysis – https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
21
Like all malware… It and they evolve
• First gaming
• Then Telecoms and BIG Pharma
• Now So. Korea, UK & Russia businesses
• We must learn and evolve with them
22
The Malware Infection
[Log screenshot with callouts: Malware Launch; Hiding malware in the Registry; Modify Service]
23
Escalate permission – obvious NOT your admin
[Log screenshot with callouts: Check the Service used; Modify Permissions; Push out malware using CMD Shell & CScript]
24
Command Line logging is Priority #1
[Log screenshot with callouts: Update Registry; Change Registry Permissions; Change permissions on files]
25
Bad behavior becomes obvious
[Log screenshot with callouts: Doing Recon; Going after Terminal Services; Query Users]
26
You can even capture their Credentials
[Log screenshot with callout: Caught THEIR Credentials!]
27
With what we have just seen
What can we do with logs?
28
More than you would have ever guessed!
• Not only detect retail PoS malware (BackOff) that hit Target, Neiman Marcus and Michael’s
• Government sponsored malware like Regin, Cleaver, Stuxnet, Duqu, Flamer, etc.
• Yes, even the really bad stuff like Winnti, well good stuff to me ;-)
• You can lower your MTTD to days if not hours
• IF... you know what to look for
29
Malware Management
• Read reports from analysts, IR firms and presentations like this
• Use the data in these reports, pull out the artifacts
• Tweak your defenses
• Lather – Rinse – Repeat
• Long list of reports at MalwareArchaeology.com
• Details found at MalwareManagementFramework.org
• Send me links to reports and your thoughts
30
Improve Security with Endpoint Data
• Great coverage with 10 events per system, not 60,000 alerts like we heard the retailers had
• If you get 10, then 20, then 30 alerts… you should be kicking into Incident Response mode
• Of course there are more, but this is where to start
31
The Windows Logging Cheat Sheet
• 6 pages on Windows Logging
• Details on how to configure Windows logging and auditing
• Found at: MalwareArchaeology.com
Also…
• Windows Splunk Logging Cheat Sheet
• Windows File Auditing Cheat Sheet
• Windows Registry Auditing Cheat Sheet
32
The 10 Windows Event ID’s everyone must monitor and alert on
  • 33. The Ten Command-lets
    1. 4688 - New Process. Look for the obvious malicious executables like cscript.exe, sysprep.exe, nmap.exe, nbtstat.exe, netstat.exe, ssh.exe, psexec.exe, psexecsvc.exe, ipconfig.exe, ping.exe OR powershell.exe (SET, MetaSploit). Of course, new odd .exe’s
    2. 4624 - Some account logged in. What is normal?
    3. 5140 - A share was accessed. They most likely connected to the C$ share.
    4. 5156 - Windows Firewall network connection by process. You can see the process connecting to an IP, which you can resolve with GEOIP to Country, Region and City.
    5. 7040 - A service has changed. Static systems don't change details of services.
    6. 7045 - A new service is installed. Static systems don't get new services except at patch time and new installs.
    7. 4663 - File auditing. Must be enabled on the directories you want to monitor.
    8. 4657 - Registry auditing. Gives more Registry details than 4663 for Reg items.
    9. 501 - PowerShell execution
    10. 4104 - PowerShell Scriptblock module loading
  • 34. Steps you will need to take
    • Enable Advanced Audit Policy in Windows (see the “Windows Logging Cheat Sheet”)
      • Audit Process Creation = Success (4688)
      • Audit Logon = Success & Failure (4624 & 4625)
      • Audit File Share = Success (5140)
      • Audit File System = Success (4663)
      • Audit Registry = Success (4657)
      • Audit Filtering Platform Connection = Success (5156) (Any/Any minimum)
      • Services are already captured by the System Log (7045 & 7040)
    • Enable and Configure to capture the Process Command Line
      • The #1 thing that will catch the nefarious ne’er-do-wellers
  • 36. Windows 7 thru 2012 (Win 10 too): "Include command line in process creation events"
    • http://technet.microsoft.com/en-us/library/dn535776.aspx
    1. You must have the patch for MS15-015 (KB3031432) for Win 7 and Win 2008, from Feb 2015
    2. Registry Key tweak for all versions:
      • Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
      • ProcessCreationIncludeCmdLine_Enabled
      • DWORD = 1
  • 37. And you will see this added to your logs
    • Only a fraction more data
    • Most valuable thing to log
    • Additional context is important to identify abnormal behavior
  • 38. PowerShell – Command Line
    • Windows PowerShell Log: Event ID 501
    • Details on setting PowerShell Preference variables: http://technet.microsoft.com/en-us/library/hh847796.aspx
    1. You MUST have a default Profile for all users: C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1
    2. Add these to your default profile.ps1 file:
      • $LogCommandHealthEvent = $true
      • $LogCommandLifecycleEvent = $true
    3. Upgrade PowerShell to version 4
    • Investigating PowerShell Attacks (DefCon & Blackhat 2014), Ryan Kazanciyan (Technical Director, Mandiant) and Matt Hastings (Consultant, Mandiant)
  • 39. PowerShell – Script Block Module loading
    • Microsoft-Windows-PowerShell/Operational Log: Event ID 4104
    • Details on setting PowerShell Script Block and Module logging: http://technet.microsoft.com/en-us/library/hh847796.aspx
    1. Add these Registry keys (Windows 8.1, Server 2012 and later; sorry, no Windows 7 or Win 2008 yet):
      • HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging  EnableModuleLogging = 1
      • HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging  ModuleNames = *
      • HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging  EnableScriptBlockLogging = 1
    2. Windows Management Framework version 5 will add more
      • FireEye article on the new capabilities: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
  • 40. PowerShell Logging via GPO
  • 41. PowerShell Transcripts
    • You can also specify a transcript of all PowerShell commands executed, which can be located locally or on a network share
    • You can add these to your Log Management solution
    • Add these Registry Keys:
      • HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription  EnableTranscription = 1
      • HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription  EnableInvocationHeader = 1
      • HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription  OutputDirectory = "" (enter a path; empty = default)
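An added example, not the presentation's or the cheat sheets' own script: it applies the audit subcategories of slide 34 and the registry values of slides 36, 38, 39 and 41 in one pass from an elevated prompt, then reads them back. It assumes English auditpol subcategory names and a value for $TranscriptDir; the plain Policies path (which the Group Policy template writes and 64-bit PowerShell reads) is set alongside the Wow6432Node path the slides list.

```powershell
#Requires -RunAsAdministrator
# Added example (not the presentation's code). Run from an elevated PowerShell prompt.
$TranscriptDir = ''   # slide 41: empty = default; set a UNC path to centralise (your value)

# 1. Advanced audit policy (slide 34): subcategory, success, failure.
$subcats = @(
    @('Process Creation',              'enable', 'disable'),  # 4688
    @('Logon',                         'enable', 'enable'),   # 4624 / 4625
    @('File Share',                    'enable', 'disable'),  # 5140
    @('File System',                   'enable', 'disable'),  # 4663
    @('Registry',                      'enable', 'disable'),  # 4657
    @('Filtering Platform Connection', 'enable', 'disable')   # 5156 (any/any minimum)
)
foreach ($s in $subcats) {
    & auditpol.exe /set "/subcategory:$($s[0])" "/success:$($s[1])" "/failure:$($s[2])" | Out-Null
}

# 2. Registry values: create the key when missing, overwrite the value when present.
function Set-RegValue([string]$Path, [string]$Name, $Value, [string]$Type) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}
# Slide 36: command line in 4688 (Win 7 / 2008 also need KB3031432 per the slide).
Set-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
             'ProcessCreationIncludeCmdLine_Enabled' 1 'DWord'
# Slides 39 and 41. The slides list the Wow6432Node path; the plain Policies path is
# what the GPO template writes and what 64-bit PowerShell reads, so both are set.
foreach ($base in 'HKLM:\SOFTWARE\Policies', 'HKLM:\SOFTWARE\Wow6432Node\Policies') {
    $ps = "$base\Microsoft\Windows\PowerShell"
    Set-RegValue "$ps\ModuleLogging"             'EnableModuleLogging'      1   'DWord'
    Set-RegValue "$ps\ModuleLogging\ModuleNames" '*'                        '*' 'String'  # ModuleNames = *
    Set-RegValue "$ps\ScriptBlockLogging"        'EnableScriptBlockLogging' 1   'DWord'
    Set-RegValue "$ps\Transcription"             'EnableTranscription'      1   'DWord'
    Set-RegValue "$ps\Transcription"             'EnableInvocationHeader'   1   'DWord'
    Set-RegValue "$ps\Transcription"             'OutputDirectory'          $TranscriptDir 'String'
}
# Slide 38: preference variables in the all-users profile (file is created if absent).
$profilePath = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\profile.ps1"
foreach ($line in '$LogCommandHealthEvent = $true', '$LogCommandLifecycleEvent = $true') {
    if (-not (Test-Path $profilePath) -or -not (Select-String -Path $profilePath -Pattern $line -SimpleMatch -Quiet)) {
        Add-Content -Path $profilePath -Value $line
    }
}

# 3. Read back what is actually in force (a later GPO refresh can overwrite local edits).
& auditpol.exe /get /category:*
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
```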
  • 42. Some tips to save on data that you collect with your Log Management solution
  • 43. Do’s and Don’ts – Reducing or excluding events (save on license)
    • Event ID’s 4688 & 4689 (New Process Start/Stop) and 5156 & 5158 (Windows Firewall) will be the Top 4 Events in quantity!
    • Storage and License are required to gather all these events
    • 4689 and 5158 CAN be excluded as the least valuable; that is a 50% savings
    • Do NOT exclude by the EventID’s that you want; exclude by the Message within the EventID
      • I want 4688, but not splunk*.exe or googleupdate.exe, so exclude by New_Process_Name to reduce normal noise
      • I want 5156, but not things that are normal to execute, so exclude by Application_Name
  • 44. A sample query using Splunk for the #1 alert that ALL Log Management solutions should, no, MUST have
  • 45. 4688 (New Process Started) – You can add any or all Windows Admin Utilities in System32 or SysWOW64
    • index=windows source="WinEventLog:Security" (EventCode=4688) NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\net.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
  • 46. New Process Information in Splunk – Normal
  • 47. New Process to Catch the PowerShell bypass
    • index=windows source="WinEventLog:Security" (EventCode=4688) ((powershell* AND -ExecutionPolicy) OR (powershell* AND bypass) OR (powershell* AND -noprofile)) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
    • CRITICAL ALERT !!! Catch malware using PowerShell and executing a policy bypass
    • Note the outer parentheses around the three OR'd groups: in Splunk, AND binds tighter than OR, so without them only the first group is tied to EventCode=4688
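An added example, not the presentation's Splunk search: the slide 45 and 47 logic run against the local Security log with Get-WinEvent, with the slide 43 rule of excluding by process name rather than by event ID applied. It assumes command-line logging (slide 36) is enabled, otherwise CommandLine is empty; the trimmed tool list and the noise names are constructed for the example.

```powershell
# Added example, not from the slides: slide 45/47 logic against the local Security log.
param([int]$Hours = 24)

# Admin utilities from slide 45 (trimmed) and a slide 43 style noise list (placeholder names).
$adminTools = 'cmd.exe','cscript.exe','wscript.exe','powershell.exe','psexec.exe','psexecsvc.exe',
              'net.exe','netstat.exe','nbtstat.exe','ipconfig.exe','whoami.exe','systeminfo.exe',
              'tasklist.exe','schtasks.exe','sc.exe','reg.exe','wmic.exe','vssadmin.exe','nc.exe'
$noise      = 'splunkd.exe','googleupdate.exe'

function Get-EventData($Event) {   # EventData <Data Name="..."> pairs to a hashtable
    $h = @{}; foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }; $h
}

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    if ($d.SubjectUserName -like '*$') { return }            # NOT Account_Name=*$ : skip machine accounts
    $exe = ([System.IO.Path]::GetFileName($d.NewProcessName)).ToLower()
    if ($noise -contains $exe) { return }                    # exclude by New_Process_Name, not by event ID
    $cmd = [string]$d.CommandLine
    # Slide 47: PowerShell launched with -ExecutionPolicy, bypass or -noprofile on the command line.
    $bypass = ($exe -like 'powershell*') -and ($cmd -match '-ExecutionPolicy|bypass|-noprofile')
    if (-not $bypass -and -not ($adminTools -contains $exe)) { return }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Host        = $_.MachineName
        Account     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        NewProcess  = $d.NewProcessName
        Parent      = $d.ParentProcessName                   # present on Win 10 / 2016 and later only
        CommandLine = $cmd
        Alert       = $(if ($bypass) { 'CRITICAL: PowerShell policy bypass' } else { 'admin utility' })
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```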
  • 48. 4688 (PowerShell bypass) results in Splunk
  • 49. 5156 (Win FW Connection) – Shows what process is connecting to an IP
    • index=windows LogName=Security EventCode=5156 NOT (Source_Address="239.255.255.250" OR Source_Address="224.0.0.*" OR Source_Address="::1" OR Source_Address="ff02::*" OR Source_Address="fe80::*" OR Source_Address="255.255.255.255" OR Source_Address="192.168.1.255") NOT (Destination_Address="127.0.0.1" OR Destination_Address="239.255.255.250" OR Destination_Address="*.*.*.255" OR Destination_Address="224.0.0.25*") NOT (Destination_Port="0") NOT (Application_Name="icamsource" OR Application_Name="*\bin\splunkd.exe") | dedup Destination_Address Destination_Port | table _time, host, Application_Name, Direction, Source_Address, Source_Port, Destination_Address, Destination_Port | sort Direction Destination_Port
  • 50. 5156 – CSV output for additional processing (used to track BAD IP’s)
  • 51. Windows Firewall Logging
    • Set to ANY/ANY mode if the Windows Firewall is not used. Filter out 5158 events as these are not needed
    • Do NOT disable in the Root OU; put it lower so you can add and remove systems to the OU to apply this rule
    • Of course enable the Win F/W everywhere and collect locally, there is no good reason not to
    • Export to CSV for manual processing (or use LOG-MD)
    • Do a WhoIs lookup to resolve the Company, Country, etc.
    • Create a large Whitelist of good IP’s (lookup list)
    • Exclude Browsers from one search. The list of IP’s will be much smaller for non-browser executables talking to external IP’s
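An added example, not from the slides: the slide 49 exclusions written as address-class tests (which also drop link-local and unspecified addresses the literal list misses), plus the slide 51 browser exclusion, whitelist-ready CSV export and external-destination summary, run over 5156 events with Get-WinEvent. The browser list and the output path are assumptions.

```powershell
# Added example, not from the slides: slide 49 exclusions plus slide 50/51 tips for 5156.
param([int]$Hours = 24, [string]$OutCsv = "$env:TEMP\fw-5156.csv")   # output path is an assumption
$browsers = 'chrome.exe','firefox.exe','iexplore.exe','msedge.exe'       # browsers get their own search

function Get-EventData($Event) {   # EventData <Data Name="..."> pairs to a hashtable
    $h = @{}; foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }; $h
}
# Generalises the slide's literal list: loopback, multicast, broadcast, link-local, unspecified.
function Test-NoiseAddress([string]$Addr) {
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Addr, [ref]$ip)) { return $true }
    if ([System.Net.IPAddress]::IsLoopback($ip) -or $ip.IsIPv6LinkLocal -or $ip.IsIPv6Multicast) { return $true }
    $b = $ip.GetAddressBytes()
    if ($ip.AddressFamily -eq 'InterNetwork') { return ($b[0] -ge 224) -or ($b[3] -eq 255) -or ($b[0] -eq 0) }
    return $Addr -eq '::'
}
function Test-PrivateAddress([string]$Addr) {   # RFC 1918 for IPv4, fc00::/7 for IPv6
    $ip = [System.Net.IPAddress]::Parse($Addr); $b = $ip.GetAddressBytes()
    if ($ip.AddressFamily -ne 'InterNetwork') { return (($b[0] -band 0xfe) -eq 0xfc) }
    return ($b[0] -eq 10) -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or ($b[0] -eq 192 -and $b[1] -eq 168)
}

$filter = @{ LogName = 'Security'; Id = 5156; StartTime = (Get-Date).AddHours(-$Hours) }
$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d   = Get-EventData $_
    $app = ([System.IO.Path]::GetFileName($d.Application)).ToLower()
    if ($d.DestPort -eq '0' -or $browsers -contains $app) { return }
    if ((Test-NoiseAddress $d.SourceAddress) -or (Test-NoiseAddress $d.DestAddress)) { return }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Host        = $_.MachineName
        Application = $d.Application
        Direction   = $(if ($d.Direction -eq '%%14593') { 'Outbound' } else { 'Inbound' })  # raw XML holds a resource id
        Source      = "$($d.SourceAddress):$($d.SourcePort)"
        Destination = $d.DestAddress
        DestPort    = $d.DestPort
        External    = -not (Test-PrivateAddress $d.DestAddress)
    }
} | Sort-Object Destination, DestPort -Unique                  # dedup Destination_Address Destination_Port

$rows | Export-Csv -Path $OutCsv -NoTypeInformation             # feed to your whitelist / WhoIs processing
$rows | Where-Object External | Group-Object Application | Sort-Object Count | Select-Object Count, Name
```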
  • 52. 7045 (New Service added)
    • index=windows LogName=System EventCode=7045 NOT (Service_Name=tenable_mw_scan) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Service_Name, Service_Type, Service_Start_Type, Service_Account, Short_Message
    • This one alert would have caught EVERY retail PoS breach!
  • 53. 7045 (New Service added) – In Splunk
  • 54. 4663 (File Auditing) / 4657 (Registry) – Filter out/exclude known good noise
    • index=windows sourcetype=WinEventLog:Security EventCode=4663 NOT (Process_Name="*\Windows\servicing\TrustedInstaller.exe" OR Process_Name="*\Windows\System32\poqexec.exe") NOT (Object_Name="*\Users\svc_acct\pnp" OR Object_Name="C:\Users\Surf\AppData\Local\Google\Chrome\User Data*" OR Object_Name="C:\Users\Surf\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations") NOT (Object_Name="C:\Windows\System32\LogFiles*" OR Object_Name="*\ProgramData\Microsoft\RAC*" OR Object_Name="*\Microsoft\Windows\Explorer\thumbcache*" OR Object_Name="*.MAP" OR Object_Name="*counters.dat" OR Object_Name="*\Windows\GatherLogs\SystemIndex*") | rename Process_Name as Created_By | table _time, host, Security_ID, Handle_ID, Object_Type, Object_Name, Process_ID, Created_By, Accesses
  • 55. 4663 (File/Reg Auditing) – In Splunk
    • Using LOG-MD we were able to enable and expand File and Registry auditing and use the results to tweak the audit locations to reduce noise or events that are not needed, saving on license and storage
    • If it were not for LOG-MD testing, we would have never caught Dridex creating a key on shutdown and deleting that key on startup for persistence!
    • File and Registry auditing for shutdown and startup is VERY powerful
  • 56. File and Registry Auditing tips – Add this slowly and keep it simple or you will create a lot of noise
    • Set via the GUI (Booo)
    • Or use a PowerShell script, GPO, etc.
    • Or by Security Policy file
      • Make one each for File and Registry, apply via GPO or locally with “secedit”
    • Audit only for:
      • Files – WriteData (or AddFile), Create folders / append data, Change permissions, Take ownership
      • Registry – Set Value, Delete; Write DAC, Write Owner are optional
    • NEW is what we want... Malware needs to be added
    • Start with simple items like Run Keys, Firewall policy, keys that are HIGH value
    • Remember there are 2 Cheat Sheets to help you with this
      • “Windows File Auditing Cheat Sheet”
      • “Windows Registry Auditing Cheat Sheet”
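An added example, not the presentation's or the cheat sheets' own script: slide 56's "start with Run keys" done in PowerShell instead of the GUI, putting a success-only SACL for Set Value, Delete, Write DAC and Write Owner on the HKLM Run keys so 4657 fires on additions and removals rather than reads. The key list is a starting point you would extend.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the slides: registry SACL for the Run keys via PowerShell.
# Write DAC maps to ChangePermissions and Write Owner to TakeOwnership in RegistryRights.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
          [System.Security.AccessControl.RegistryRights]::Delete -bor
          [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
          [System.Security.AccessControl.RegistryRights]::TakeOwnership
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')   # Everyone, locale independent
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # subkeys inherit the audit entry
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)                  # success only: NEW is what we want

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }          # Wow6432Node exists on 64-bit Windows only
    $acl = Get-Acl -Path $key -Audit                 # -Audit reads the SACL (needs SeSecurityPrivilege)
    $acl.AddAuditRule($rule)                         # merges with any audit entries already present
    Set-Acl -Path $key -AclObject $acl
}
# Verify: each key should list Everyone with the four rights and AuditFlags = Success.
foreach ($key in $runKeys | Where-Object { Test-Path $_ }) {
    (Get-Acl -Path $key -Audit).Audit |
        Select-Object @{ n = 'Key'; e = { $key } }, IdentityReference, RegistryRights, AuditFlags
}
```

Audit Registry = Success (slide 34) must already be on, or the SACL produces nothing.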
  • 57. Other valuable queries – Add these to the list
    • EventID 106 – New Scheduled job
    • EventID 2004, 2005, 2006 – Windows Firewall rule added, modified or deleted
    • Exchange by Subject – use it to find who received a reported Phishing email
    • Network logs by known Bad IP – who visited a known Bad IP (you populate the list) that you discovered in malware analysis or from the alerts mentioned in previous slides
  • 58. Other logging improvements
    • Of course LOG-MD, to help you refine your logging and expand it. Also great for IR tasks, lots of other features
    • Sysinternals – SYSMON
      • Module loading (.EXE, DLL, SYS)
      • Provides Hashes of files
      • Network connections like Win FW 5156
    • Windows Logging Service (WLS)
      • Agent to replace your logging agent
      • Provides Hashes of files
      • Provides some WMI and PowerShell execution
      • Replaces the need for SYSMON
  • 59. The Windows Splunk Cheat Sheet – Just for you
    • All the queries in this preso and a few more
    • Some tips about filtering
    • Found at: MalwareArchaeology.com
  • 60. Resources – Websites
    • MalwareArchaeology.com – Cheat Sheets, Malware Reports
    • Log-MD.com – Log and Malicious Discovery tool
    • Malware Analysis Report links too, to start your Malware Management program
  • 61. Questions? You can find me at:
    • MalwareArchaeology.com
    • MalwareManagementFramework.org
    • HackerHurricane.com (blog)
    • @HackerHurricane
    • Log-MD.com
    • http://www.slideshare.net – Search for MalwareArchaeology
  • 62. 62 We Value Your Feedback Please take a moment to complete the brief session survey inside of the app, and you’ll receive extra points!