The document discusses using Windows event logs to detect advanced attacks and malware. It provides the following key points:
1. Six main Windows event IDs (4688, 4624, 5140, 5156, 7045, 4663) can be monitored and alerted on to detect a variety of malware and hacker activity.
2. Real examples are shown of how logs caught commodity malware, PowerShell logging bypasses, and the multi-stage WinNTI attack in action.
3. Tips are provided on enabling command line logging, using lookup lists to reduce noise, and sample Splunk queries to analyze key events like new processes started and logon activity.
4. Attendees
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserAnton Chuvakin
The log cheat sheet presents a checklist for reviewing critical system, network and security logs when responding to a security incident. It can also be used for routine periodic log review. It was authored by Dr. Anton Chuvakin and Lenny Zeltser.
This document discusses techniques for threat hunting on Windows systems. It covers key areas to focus on during incident triage like processes, network connections, filesystem artifacts and logs. It also describes general hunting scenarios using threat intelligence or without intelligence. Specific techniques and artifacts discussed include the Windows Task Scheduler, ShimCache, AmCache, RecentFileCache, rogue services, timeline analysis using MFT, DLL side loading, DLL injection rootkits, autoruns, and the Wdigest credential storage downgrade attack. The document provides details on what to look for and analyze to effectively hunt for threats on Windows.
The document discusses the MITRE ATT&CK framework, which is a knowledge base of adversary behaviors and tactics collected from real-world observations. It describes how the framework categorizes behaviors using tactics, techniques, and procedures. The framework can be used for threat intelligence, detection and analytics, adversary emulation, and assessment and engineering. The document provides examples of how organizations can map their detection capabilities and data sources to techniques in the framework to improve visibility of attacks. It cautions against misusing the framework as a checklist rather than taking a threat-informed approach.
The document discusses threat hunting techniques using Splunk, including an overview of threat hunting basics, data sources for threat hunting, and Lockheed Martin's Cyber Kill Chain model. It provides examples of using endpoint data to hunt for threats across the kill chain by analyzing processes, communications, and file artifacts in a demo dataset. Advanced techniques discussed include hunting for SQL injection attacks and lateral movement.
The Windows Logging Cheat Sheet is the definitive guide on learning where to start with Windows Logging. How to Enable, Configure, Gather and Harvest events so you can catch a hacker in the act.
The document discusses using Windows event logs to detect advanced attacks and malware. It provides the following key points:
1. Six main Windows event IDs (4688, 4624, 5140, 5156, 7045, 4663) can be monitored and alerted on to detect a variety of malware and hacker activity.
2. Real examples are shown of how logs caught commodity malware, PowerShell logging bypasses, and the multi-stage WinNTI attack in action.
3. Tips are provided on enabling command line logging, using lookup lists to reduce noise, and sample Splunk queries to analyze key events like new processes started and logon activity.
4. Attendees
Security Incident Log Review Checklist by Dr Anton Chuvakin and Lenny ZeltserAnton Chuvakin
The log cheat sheet presents a checklist for reviewing critical system, network and security logs when responding to a security incident. It can also be used for routine periodic log review. It was authored by Dr. Anton Chuvakin and Lenny Zeltser.
This document discusses techniques for threat hunting on Windows systems. It covers key areas to focus on during incident triage like processes, network connections, filesystem artifacts and logs. It also describes general hunting scenarios using threat intelligence or without intelligence. Specific techniques and artifacts discussed include the Windows Task Scheduler, ShimCache, AmCache, RecentFileCache, rogue services, timeline analysis using MFT, DLL side loading, DLL injection rootkits, autoruns, and the Wdigest credential storage downgrade attack. The document provides details on what to look for and analyze to effectively hunt for threats on Windows.
The document discusses the MITRE ATT&CK framework, which is a knowledge base of adversary behaviors and tactics collected from real-world observations. It describes how the framework categorizes behaviors using tactics, techniques, and procedures. The framework can be used for threat intelligence, detection and analytics, adversary emulation, and assessment and engineering. The document provides examples of how organizations can map their detection capabilities and data sources to techniques in the framework to improve visibility of attacks. It cautions against misusing the framework as a checklist rather than taking a threat-informed approach.
The document discusses threat hunting techniques using Splunk, including an overview of threat hunting basics, data sources for threat hunting, and Lockheed Martin's Cyber Kill Chain model. It provides examples of using endpoint data to hunt for threats across the kill chain by analyzing processes, communications, and file artifacts in a demo dataset. Advanced techniques discussed include hunting for SQL injection attacks and lateral movement.
The Windows Logging Cheat Sheet is the definitive guide on learning where to start with Windows Logging. How to Enable, Configure, Gather and Harvest events so you can catch a hacker in the act.
The document provides biographies and background information on two cyber threat hunters, Teymur Kheirkhabarov and Sergey Soldatov. It then discusses the process of cyber threat hunting, including collecting log and system event data from endpoints, analyzing that data using tools like Yara and Cuckoo Sandbox, and manually investigating anomalies through iterative hypothesis testing to detect advanced threats. Examples are given of how threat hunters traced back the steps of an attacker who compromised a system by injecting code into the LSASS process and establishing persistence via a scheduled task. The document emphasizes that threat hunting requires both machine analysis of large datasets as well as human reasoning to uncover sophisticated threats that evade other security solutions.
Presented at the DEFCON27 Red Team Offensive Village on 8/10/19.
From the dawn of technology, adversaries have been present. They have ranged from criminal actors and curious children to - more modernly - nation states and organized crime. As an industry, we started to see value in emulating bad actors and thus the penetration test was born. As time passes, these engagements become less about assessing the true security of the target organization and more about emulating other penetration testers. Furthermore, these tests have evolved into a compliance staple that results in little improvement and increasingly worse emulation of bad actors.
In this presentation, we will provide a framework complementary to the Penetration Testing Execution Standard (PTES). This complementary work, the Red Team Framework (RTF), focuses on the objectives and scoping of adversarial emulation with increased focus on the perspective of the business, their threat models, and business models. The RTF borrows part of the PTES, adding emphasis on detection capabilities as well as purple team engagements. We believe this approach will better assist organizations and their defensive assets in understanding threats and building relevant detections.
This document outlines an overview of intelligent threat hunting presented by Dhruv Majumdar. It discusses the basics of threat hunting, including that it is a proactive and iterative process to detect threats that evade existing security solutions. It provides a threat hunting recipe and describes important data sources and skills needed like host analysis, network analysis, and threat intelligence. It also walks through an attack scenario and things to look for at different stages of an attack lifecycle. Finally, it concludes with the growing demand for threat hunters and recommendations on how to get started with threat hunting.
The document is a presentation on threat hunting with Splunk. It discusses threat hunting basics, data sources for threat hunting, knowing your endpoint, and using the cyber kill chain framework. It outlines an agenda that includes a hands-on walkthrough of an attack scenario using Splunk's core capabilities. It also discusses advanced threat hunting techniques and tools, enterprise security walkthroughs, and applying machine learning and data science to security.
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
This document summarizes information about the Windows Registry including its structure, tools used to access it, locations of hive files, and types of evidence that can be extracted including search history, recent documents, dialog boxes used, commands executed, and software/OS versions. It explains registry hives like HKEY_LOCAL_MACHINE, keys with MRU lists that track recently used items, and how timestamps and MRU lists can help determine the order and time of user activity on a system.
Talk on Kaspersky lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for great tech dive
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
On December 9th, researchers uncovered a zero-day critical vulnerability in the Apache Log4j library used by millions of Java applications. CVE-2021-44228 or “Log4Shell” is a RCE vulnerability that allows attackers to execute arbitrary code and potentially take full control over an infected system. The vulnerability has been ranked a 10/10 on the CVSSv3 severity scale.
While the Apache Foundation has already released a patch for this CVE, it can take weeks or months for vendors to update their software, and there are already widespread scans being conducted by malicious attackers to exploit Log4Shell.
What should companies or organizations do?
Join Marco Preuss, Head of Europe’s Global Research and Analysis (GReAT) team, Marc Rivero and Dan Demeter, Senior Security Researchers with GReAT, for an in-depth discussion on Log4Shell and a live Q&A session.
To see the full webinar, please visit: https://securelist.com/webinars/log4shell-vulnerability-how-to-stay-secure/?utm_source=Slideshare&utm_medium=partner&utm_campaign=gl_jespo_je0066&utm_content=link&utm_term=gl_Slideshare_organic_s966w1tou5a0snh
This document summarizes a security analyst toolset workshop. It lists various online tools and services for security analysis tasks like investigating file samples, hashes, domains, IPs, and extracting strings. Tools covered include URL scanners, passive DNS tools, Shodan, Virustotal, hybrid analysis, Any.Run, Cybereason Iris, Antivirus event analysis, and more. Twitter, pastebin, and other open sources are also mentioned for threat hunting and monitoring.
This document discusses threat hunting using the Cyber Kill Chain model. It describes each stage of the kill chain - reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions. It provides examples of detecting activities at each stage, such as detecting suspicious website access, newly observed domains, and known exploits. The document also mentions related frameworks like MITRE ATT&CK and indicators of compromise.
The document discusses Windows forensic analysis fundamentals. It covers forensic artifacts including volatile artifacts like memory and process information, and non-volatile artifacts like the Windows file system, registry hives, and event logs. It discusses Windows process genealogy, the Windows registry including important hive locations, and common Windows artifacts related to program execution, deleted files, network activity, file access, account usage, external devices, browsing history, and file downloads. The presentation aims to provide an overview of Windows forensic analysis and correlating artifact information to build timelines and answer questions about system activity.
This document provides an introduction to Metasploit, a penetration testing platform used to find, exploit, and validate vulnerabilities. It discusses how to create an Android payload file using msfvenom, send it to a target device, and use Metasploit to interact with the device after payload execution. The document also lists some advantages and disadvantages of Metasploit and references used.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
CNIT 124 Ch 13: Post Exploitation (Part 1)Sam Bowne
Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne
Course Web page:
https://samsclass.info/124/124_F17.shtml
Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)
This is about what is threat hunting and how to perform it in cyberworld. Our traditional detection systems are being bypassed and we need modern approach to detect & respond to modern day threats.
Entire demo of the same is available on youtube - https://www.youtube.com/playlist?list=PL2iM-fIRjbTCQVI4tR7U2I5IdwLb2QSi_
This document provides guidance on threat hunting by detailing indicators of compromise and threat hunting scenarios. It lists 15 common indicators of threat attacks such as unusual outbound network traffic, anomalies in privileged user account activity, and signs of distributed denial of service activity. It then describes threat hunting scenarios involving suspicious registry changes, unexpected patching, and anomalous DNS behavior. The document aims to help operationalize threat hunting through monitoring these indicators and investigating associated scenarios.
The top 10 windows logs event id's used v1.0Michael Gough
How to catch malicious activity on Windows systems using properly configured audit logging and the Top 10 events and more you must have enable, configured and alerting.
LOG-MD
MalwareArchaeology.com
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comMichael Gough
This document provides a cheat sheet for configuring Windows logging and auditing settings on Windows 7 through Windows 2012 systems. It includes instructions for increasing log sizes, enabling specific audit policies and event logging, and harvesting important security-related events from the logs. The goal is to capture essential system activity like processes, services, authentication events and changes to files, registry keys and more to aid in detecting malicious behavior.
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyMichael Gough
The document provides a cheat sheet for auditing the Windows registry in order to detect malware. It defines important registry keys like HKCU, HKU, and HKLM. It recommends enabling auditing for specific registry keys that are common locations for malware to establish persistence or auto-launch capabilities. The cheat sheet lists registry keys under HKU and HKCU that should have auditing enabled on the key itself or on the key and subkeys. It provides instructions on how to configure auditing for a key to log value changes, subkey creations, deletions and permission/ownership changes.
The document provides biographies and background information on two cyber threat hunters, Teymur Kheirkhabarov and Sergey Soldatov. It then discusses the process of cyber threat hunting, including collecting log and system event data from endpoints, analyzing that data using tools like Yara and Cuckoo Sandbox, and manually investigating anomalies through iterative hypothesis testing to detect advanced threats. Examples are given of how threat hunters traced back the steps of an attacker who compromised a system by injecting code into the LSASS process and establishing persistence via a scheduled task. The document emphasizes that threat hunting requires both machine analysis of large datasets as well as human reasoning to uncover sophisticated threats that evade other security solutions.
Presented at the DEFCON27 Red Team Offensive Village on 8/10/19.
From the dawn of technology, adversaries have been present. They have ranged from criminal actors and curious children to - more modernly - nation states and organized crime. As an industry, we started to see value in emulating bad actors and thus the penetration test was born. As time passes, these engagements become less about assessing the true security of the target organization and more about emulating other penetration testers. Furthermore, these tests have evolved into a compliance staple that results in little improvement and increasingly worse emulation of bad actors.
In this presentation, we will provide a framework complementary to the Penetration Testing Execution Standard (PTES). This complementary work, the Red Team Framework (RTF), focuses on the objectives and scoping of adversarial emulation with increased focus on the perspective of the business, their threat models, and business models. The RTF borrows part of the PTES, adding emphasis on detection capabilities as well as purple team engagements. We believe this approach will better assist organizations and their defensive assets in understanding threats and building relevant detections.
This document outlines an overview of intelligent threat hunting presented by Dhruv Majumdar. It discusses the basics of threat hunting, including that it is a proactive and iterative process to detect threats that evade existing security solutions. It provides a threat hunting recipe and describes important data sources and skills needed like host analysis, network analysis, and threat intelligence. It also walks through an attack scenario and things to look for at different stages of an attack lifecycle. Finally, it concludes with the growing demand for threat hunters and recommendations on how to get started with threat hunting.
The document is a presentation on threat hunting with Splunk. It discusses threat hunting basics, data sources for threat hunting, knowing your endpoint, and using the cyber kill chain framework. It outlines an agenda that includes a hands-on walkthrough of an attack scenario using Splunk's core capabilities. It also discusses advanced threat hunting techniques and tools, enterprise security walkthroughs, and applying machine learning and data science to security.
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
This document summarizes information about the Windows Registry including its structure, tools used to access it, locations of hive files, and types of evidence that can be extracted including search history, recent documents, dialog boxes used, commands executed, and software/OS versions. It explains registry hives like HKEY_LOCAL_MACHINE, keys with MRU lists that track recently used items, and how timestamps and MRU lists can help determine the order and time of user activity on a system.
Talk on Kaspersky lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for great tech dive
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
On December 9th, researchers uncovered a zero-day critical vulnerability in the Apache Log4j library used by millions of Java applications. CVE-2021-44228 or “Log4Shell” is a RCE vulnerability that allows attackers to execute arbitrary code and potentially take full control over an infected system. The vulnerability has been ranked a 10/10 on the CVSSv3 severity scale.
While the Apache Foundation has already released a patch for this CVE, it can take weeks or months for vendors to update their software, and there are already widespread scans being conducted by malicious attackers to exploit Log4Shell.
What should companies or organizations do?
Join Marco Preuss, Head of Europe’s Global Research and Analysis (GReAT) team, Marc Rivero and Dan Demeter, Senior Security Researchers with GReAT, for an in-depth discussion on Log4Shell and a live Q&A session.
To see the full webinar, please visit: https://securelist.com/webinars/log4shell-vulnerability-how-to-stay-secure/?utm_source=Slideshare&utm_medium=partner&utm_campaign=gl_jespo_je0066&utm_content=link&utm_term=gl_Slideshare_organic_s966w1tou5a0snh
This document summarizes a security analyst toolset workshop. It lists various online tools and services for security analysis tasks like investigating file samples, hashes, domains, IPs, and extracting strings. Tools covered include URL scanners, passive DNS tools, Shodan, Virustotal, hybrid analysis, Any.Run, Cybereason Iris, Antivirus event analysis, and more. Twitter, pastebin, and other open sources are also mentioned for threat hunting and monitoring.
This document discusses threat hunting using the Cyber Kill Chain model. It describes each stage of the kill chain - reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions. It provides examples of detecting activities at each stage, such as detecting suspicious website access, newly observed domains, and known exploits. The document also mentions related frameworks like MITRE ATT&CK and indicators of compromise.
The document discusses Windows forensic analysis fundamentals. It covers forensic artifacts including volatile artifacts like memory and process information, and non-volatile artifacts like the Windows file system, registry hives, and event logs. It discusses Windows process genealogy, the Windows registry including important hive locations, and common Windows artifacts related to program execution, deleted files, network activity, file access, account usage, external devices, browsing history, and file downloads. The presentation aims to provide an overview of Windows forensic analysis and correlating artifact information to build timelines and answer questions about system activity.
This document provides an introduction to Metasploit, a penetration testing platform used to find, exploit, and validate vulnerabilities. It discusses how to create an Android payload file using msfvenom, send it to a target device, and use Metasploit to interact with the device after payload execution. The document also lists some advantages and disadvantages of Metasploit and references used.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
CNIT 124 Ch 13: Post Exploitation (Part 1)Sam Bowne
Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne
Course Web page:
https://samsclass.info/124/124_F17.shtml
Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)
This is about what is threat hunting and how to perform it in cyberworld. Our traditional detection systems are being bypassed and we need modern approach to detect & respond to modern day threats.
Entire demo of the same is available on youtube - https://www.youtube.com/playlist?list=PL2iM-fIRjbTCQVI4tR7U2I5IdwLb2QSi_
This document provides guidance on threat hunting by detailing indicators of compromise and threat hunting scenarios. It lists 15 common indicators of threat attacks such as unusual outbound network traffic, anomalies in privileged user account activity, and signs of distributed denial of service activity. It then describes threat hunting scenarios involving suspicious registry changes, unexpected patching, and anomalous DNS behavior. The document aims to help operationalize threat hunting through monitoring these indicators and investigating associated scenarios.
The top 10 windows logs event id's used v1.0Michael Gough
How to catch malicious activity on Windows systems using properly configured audit logging and the Top 10 events and more you must have enable, configured and alerting.
LOG-MD
MalwareArchaeology.com
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comMichael Gough
This document provides a cheat sheet for configuring Windows logging and auditing settings on Windows 7 through Windows 2012 systems. It includes instructions for increasing log sizes, enabling specific audit policies and event logging, and harvesting important security-related events from the logs. The goal is to capture essential system activity like processes, services, authentication events and changes to files, registry keys and more to aid in detecting malicious behavior.
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyMichael Gough
The document provides a cheat sheet for auditing the Windows registry in order to detect malware. It defines important registry keys like HKCU, HKU, and HKLM. It recommends enabling auditing for specific registry keys that are common locations for malware to establish persistence or auto-launch capabilities. The cheat sheet lists registry keys under HKU and HKCU that should have auditing enabled on the key itself or on the key and subkeys. It provides instructions on how to configure auditing for a key to log value changes, subkey creations, deletions and permission/ownership changes.
This document summarizes the analysis of Windows event log files. It discusses how to view event logs using the Event Viewer and export logs. It also describes using log parsing tools like Log Parser Lizard and Log Parser 2.2 to query error, warning and other event types from system logs. Specific event IDs are analyzed, like DCOM errors, service failures, DNS issues and hard disk errors. Methods to resolve issues causing these events are provided.
The document provides an overview of rolling out the CO Identity Finder software, including developing a project plan, installing the required software and licenses, configuring policies and settings in the Identity Finder console, deploying the client software, and utilizing new workflow features to automatically assign results based on defined criteria. Details are given on hardware, software, and network requirements for installing the Identity Finder console, as well as recommendations for specific policy settings and how settings priorities are determined.
Windows Server 2008 R2 includes improvements to Active Directory, Windows PowerShell 2.0, power management, group policy, and the new File Classification Infrastructure. It focuses on areas like virtualization, management, Hyper-V, and service-oriented architecture. New features include Best Practice Analyzers, the Active Directory Recycle Bin, Active Directory Administrative Center, and enhancements to group policies and Windows PowerShell for administration and automation.
Automating Desktop Management with Windows Powershell V2.0 and Group Policy M...Microsoft TechNet
This session will explore the new Windows Powershell v2.0 features and how to automate administrative tasks in Windows 7. We will examine the new Windows Powershell cmdlets and show you how to remotely manage desktop systems throughout the organization. Then we will use Windows Powershell with WMI to monitor and retrieve system status and execute changes. Finally, we will use Windows Powershell Group Policy Object cmdlets to automate management of Group Policy Objects and the configuration of registry-based settings.
Managing security settings in windows server with group policyMiguel de la Cruz
This document discusses how to use Group Policy in Windows Server to define security configurations and manage security settings. It provides guidance on setting up security auditing through Group Policy to log events and monitor access. It describes how to configure audit settings for specific event categories, apply auditing to local files/folders, and view the security log to check audited events. The aim is to help IT professionals and users understand how to enhance security and network administration using Windows auditing technologies.
2009-08-24 The Linux Audit Subsystem Deep DiveShawn Wells
Presented at SHARE Denver 2009. Why is Linux auditing needed? What can it do for me? How does it work? What events get audited? How do I make sense of all the data?
Agentless System Crawler - InterConnect 2016Canturk Isci
IBM speaker guidelines mandate including forward-looking and legal disclaimer slides in presentations. All presentations must include mandatory notices and disclaimers slides before the conclusion. Speakers should refer to additional legal guidance documents and have materials reviewed by legal if concerned. Final presentations are due by February 5th, 2016 and must follow a specific file naming convention. Disclosures for forward-looking statements are available at a specified link. Instructions should be removed before finalizing presentations.
The ClearPass Policy Manager dashboard provides system administrators with visual summaries of network access requests, device health statuses, authentication results, and top device types. It displays weekly and daily graphs of total requests, healthy/unhealthy requests, and successful/failed authentications. Recent authentication and event logs are also shown. Quick links allow navigating to key configuration and monitoring areas. The cluster status widget indicates the health and resource usage of each ClearPass node.
This is a high level overview of Microsoft Office SharePoint Server 2007 (MOSS) for technical decision makers and IT managers. It covers all sections of the technology from a product marketing point of view and gives a broad understanding of its usage scenarios and applications.
Microsoft Windows Server 2008 R2 - AD RMS Bulk Protection Tool and File Class...Microsoft Private Cloud
This document provides step-by-step instructions for deploying the AD RMS Bulk Protection Tool in conjunction with Windows Server 2008 R2 File Classification Infrastructure (FCI) in a test environment. It outlines 22 steps to set up user and group accounts, install and configure FCI and the AD RMS tool, create file shares and classification rules, and test the implementation. The goal is to automatically apply AD RMS rights policies based on file classifications determined by FCI rules.
PCD – Process Control Daemon is a light-weight system level process manager for Embedded-Linux based projects (consumer electronics, network devices, etc.).
PCD starts, stops and monitors all the user space processes in the system, in a synchronized manner, using a textual configuration file.
PCD recovers the system in case of errors and provides useful and detailed debug information.
This document provides an overview of auditing data access in SQL Server. It discusses various methods for auditing such as using common criteria, SQL Trace, DML triggers, temporal tables, and implementing SQL Server Audit. SQL Server Audit is described as the primary auditing tool in SQL Server that can track both server and database level events. Considerations for implementing and managing SQL Server Audit are also covered.
The document discusses tools and processes for deploying Windows Server 2008 and Windows Vista business desktops. It covers planning tools like the Windows Assessment Toolkit, Application Compatibility Toolkit, and User State Migration Tool. It also discusses building tools like Windows PE, Sysprep, and ImageX. Deployment tools covered include Windows Deployment Services and System Center Configuration Manager. Guidelines are provided for all phases of desktop deployment.
2015-06-25 Red Hat Summit 2015 - Security Compliance Made EasyShawn Wells
The document discusses how Security Content Automation Protocol (SCAP) is making security compliance easier. It summarizes that SCAP allows automated compliance checks of systems through profiles that can remediate configurations with a single command. Live demos show using SCAP for installation, scanning systems, and remediating any issues in real-time.
Mdop session from Microsoft partner boot campOlav Tvedt
This document summarizes Advanced Group Policy Management (AGPM), a tool that enhances group policy management in Microsoft environments. AGPM provides versioning, history, and rollback of group policy changes. It enables change management workflows and role-based administration with delegation controls. Customers report that AGPM gives them better control over group policies and reduces downtime from misconfigured policies. The architecture involves a server component that stores backups of group policy objects and an administrative client.
Stay clear of the bugs: Troubleshooting Applications in Microsoft AzureHARMAN Services
Slides from our #GoCloudWebinar series. In this presentation, you will learn how to incorporate the necessary diagnostic tools into your application so you can monitor and take action on your Azure applications. Michael Collier, Principal Cloud Architect at Aditi and our guest speaker, Mike Wood, Technical Evangelist at Cerebrata give you insights on how to best troubleshoot your Microsoft Azure applications.
This document discusses Manage Engine's Eventlog Analyzer product. It provides an overview of the software, including its editions, system requirements, installation process, and key features. The features section describes the various logs and reports that can be monitored and generated, including dashboards, security logs, application logs, compliance reports, user monitoring, and alert capabilities. It also outlines the configuration options for managing hosts, applications, importing/archiving data, scheduling reports, and customizing alerts and filters.
Similar to Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology (20)
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
Can we really detect advanced attacks? This session walks through 4 published attacks to point out what we can learn and detect using malware management, some cheat sheets and Security 101. LOG-MD, FILE-MD, Malware Archaeology
Incident Response Fails – What we see with our clients, and their fails. As Incident Responders, what do we see as Incident Responders that you can do to be better prepared, reduce your incident costs, get answers faster and reduce the cost of an IR Firm if needed.
HackerHurricane
Malware Archaeology
MalwareArchaeology
LOG-MD
When your security tools fail you, and what you can do about it. This discusses actual tool fail backgrounds, what failed and what you can do to detect and/or mitigate the issues(s) another way
HackerHurricane
MalwareArchaeology
Malware Archaeology
LOG-MD
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
This document discusses fileless or memory-based malware that exists only in memory and provides recommendations for detecting and responding to it. It recommends:
1. Developing a process to monitor running processes and modules for signs of injection or unauthorized code. Tools like Log-MD-Premium can help detect these memory-only infections.
2. Enabling detailed process logging, especially of command lines, to provide visibility. Detections and hunting can then focus on suspicious process activity.
3. Extracting and analyzing files from memory dumps or live systems to identify malware artifacts and indicators through static file evaluation and string analysis.
This document provides information on detecting WMI exploitation. It discusses how WMI can be used by adversaries to remotely execute payloads, persist, query systems, and more. It outlines various ways WMI is exploited, including installing malicious MOF files and DLLs. The document recommends enabling specific Windows event logs and logging options to detect WMI activity, such as Process Creation, Authentication, and PowerShell logs. It also discusses tools that can help hunt for WMI exploitation like LOG-MD, Sysinternals AutoRuns, and WMI Explorer.
This PowerShell command uses many odd characters and variable names to obfuscate its intent, which is typically seen with malware. It likely downloads additional payloads or malware to the system. Logging and monitoring PowerShell activity can help detect this type of obfuscated command.
This document discusses defending against ransomware and provides recommendations. It begins by establishing the problem of ransomware growth and costs. It then recommends (1) blocking common file types at email gateways and Outlook, (2) blocking macros in Office documents, (3) changing file associations of script types to open in Notepad instead of executing, (4) using Group Policy to prevent changes from Windows updates, and (5) disabling dangerous Word features like DDE links. Implementing these free solutions can help block the majority of ransomware attacks.
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
This document discusses the presenter's testing of various EDR and EPP solutions using three malware samples. Key findings include:
1) Many solutions failed to detect infections, even those detected by the presenter's IPS. Detection was weakest for "fileless" Kovter and morphing Dridex malware.
2) Solutions provided inadequate details to fully remediate infections. The presenter's own LOG-MD tool outperformed EDR solutions in revealing infection artifacts.
3) Based on the results, the presenter recommends that EDR tools integrate capabilities to remotely run third-party tools like LOG-MD for more thorough investigations. Simpler consoles are also needed to distribute workload across security
Windows IR made easier and faster Find the head of the snake using Logs, AutoRuns, Large Registry Keys, Locked Files, IP/WhoIs and Netflow
Malware Archaeology
LOG-MD
BSidesNOLA
Email is the primary way that malware infiltrates systems. By default, Windows allows dangerous file types like scripts to execute when double-clicked, enabling malware. However, several simple changes can significantly reduce this risk. First, block common file types from email attachments and change their associations to open in Notepad instead of executing. Second, enable macros blocking in Office and tweak registry settings. Third, monitor for encrypted emails and evaluate any attachments. Together these low-effort changes can prevent the majority of malware delivered by email.
Malware Archaeology
LOG-MD
Are Malware Sandboxes as good as manual malware analysis?
A look at some samples sent through automated malware sandboxes vs. manaul analysis
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
GraphRAG for Life Science to increase LLM accuracy
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
1. Jan 2016 ver 2.0 MalwareArchaeology.com Page 1 of 6
WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012
ENABLE::
1. LOCAL LOG SIZE: Increase the size of your local logs. Don’t
worry you have plenty of disk space, CPU is not an issue
a. Application, System to 250k or larger
b. PowerShell logs to 250k or larger
c. Security Logs to 999,936k (yes this big)
2. LOCAL SECURITY POLICY: Change Security Options –
“Audit: Force audit policy subcategory settings” to
ENABLE. This sets the system to force use of the
“Advanced Audit Policies”
3. GROUP POLICY: All settings mentioned should be set with
Active Directory Group Policy in order to enforce these
settings enterprise wide. There are cases where the Local
Security Policy would be used.
ENABLE::
1. DNS LOGS: Enable DNS Logging. Capture what DNS
queries are happening.
“systemrootSystem32DnsDns.log”
a. Log Packets for debugging
b. Outgoing and incoming
c. UDP and TCP
d. Packet type Request and Response
e. Queries/Transfers and updates
2. DHCP LOGS: Add your DHCP Logs –
“%windir%System32Dhcp.” This will allow you to
detect rogue systems on your network that fall
outside your naming convention.
a. EventID = 10 – New IP address was leased
DEFINITIONS::
ENABLE: Things you must do to enable logging to start collecting and keeping events.
CONFIGURE: Configuration that is needed to refine what events you will collect.
GATHER: Tools/Utilities that you can use locally on the system to set or gather log related information – AuditPol,
WEvtUtil, Find, etc.
HARVEST: Events that you would want to harvest into some centralized Event log management solution like syslog, SIEM,
Splunk, etc.
RESOURCES: Places to get more information
MalwareArchaeology.com/cheat-sheets for more Windows cheat sheets
Log-MD.com – The Log Malicious Discovery tool reads security related log events and settings. Use Log-MD to audit
your log settings compared to the “Windows Logging Cheat Sheet” and Center for Internet Security (CIS) Benchmarks.
It is a standalone tool to help those with and without a log management solution find malicious activity.
www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx - Better descriptions of Event OD’s
www.EventID.Net – Most of the Event ID’s
IIS Error Codes - http://support.microsoft.com/kb/318380 - IIS Error Codes
http://cryptome.org/2014/01/nsa-windows-event.pdf - Good Article
http://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx – MS Adv Security Audit Policy Descriptions
Google! – But of course
This “Windows Logging Cheat Sheet” is intended to help you get started setting up
basic and necessary Windows Audit Policy and Logging. By no means is this list
extensive; but it does include some very common items that should be enabled,
configured, gathered and harvested for any Log Management Program. Start with
these settings and add to it as you understand better what is in your logs and what
you need.
2. Jan 2016 ver 2.0 MalwareArchaeology.com Page 2 of 6
WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012
Windows Audit Policy settings may be set by the Local Security Policy, Group Policy (preferred) or by
command line using ‘AuditPol.exe’. Be sure to select “Configure the following audit events” box on items
that say “No Audit” or the policy will not apply. Any that are left blank will break the GPO and auditing will
not be applied.
CONFIGURE::
1. SYSTEM AUDIT POLICIES: In order to capture what you
want and need the following Advanced Audit Policies
must be set. You may expand these to your specific
needs, but here is a place to start.
List out the System audit policy
Command: AuditPol /get /category:*
Category/Subcategory Setting
------------------------------- ------------------------
Account Logon
Credential Validation Success and Failure
Kerberos Authentication Service No Auditing
Kerberos Service Ticket Oper No Auditing
Other Account Logon Events Success and Failure
Account Management
Application Group Management Success and Failure
Computer Account Management Success and Failure
Distribution Group Management Success and Failure
Other Acct Management Events Success and Failure
Security Group Management Success and Failure
User Account Management Success and Failure
Detailed Tracking
DPAPI Activity No Auditing
Process Creation Success and Failure
Process Termination Success and Failure
RPC Events Success and Failure
DS Access
Detailed Directory Service Repl No Auditing
Directory Service Access No Auditing
Directory Service Changes Success and Failure
Directory Service Replication No Auditing
Logon/Logoff
Account Lockout Success
IPsec Extended Mode No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
Logoff Success
Logon Success and Failure
Network Policy Server Success and Failure
Other Logon/Logoff Events Success and Failure
Special Logon Success and Failure
User / Device Claims (8/2012) No Auditing
CONFIGURE::
SYSTEM AUDIT POLICIES: Continued
To set an item:
Auditpol /set /category:"Account Management"
/success:enable /failure:enable
Category/Subcategory Setting
------------------------------- ------------------------
Object Access
Application Generated Success and Failure
Certification Services Success and Failure
Central Policy Staging (8/2012) No Auditing
Detailed File Share Success
File Share Success and Failure
File System Success
Filtering Platform Connection Success (Win FW)
Filtering Platform Packet Drop No Auditing
Handle Manipulation No Auditing
Kernel Object Success and Failure
Other Object Access Events No Auditing
Removable Storage (8/2012) Success and Failure
Registry Success
SAM No Auditing
Policy Change
Audit Policy Change Success and Failure
Authentication Policy Change Success and Failure
Authorization Policy Change Success and Failure
Filtering Platform Policy Change Success (Win FW)
MPSSVC Rule-Level Policy Change No Auditing
Other Policy Change Events No Auditing
Privilege Use
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Sensitive Privilege Use Success and Failure
System
IPsec Driver Success
Other System Events Failure
Security State Change Success and Failure
Security System Extension Success and Failure
System Integrity Success and Failure
Global Object Access Auditing – ignore for now
3. Jan 2016 ver 2.0 MalwareArchaeology.com Page 3 of 6
WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012
CONFIGURE::
1. WEvtUtil: Use this utility to configure your log settings
a. WevtUtil gl Security – List settings of the Security Log
b. WevtUtil sl Security /ms:512000000 or /ms: 1024000000 if File & Registry auditing, Windows Firewall and
Process Create are all enabled – Set the Security log size to the number of bytes
c. WevtUtil sl Security /rt:false – Overwrite as needed
2. FILE AUDITING: Configuring auditing of folders and specific files will allow you to catch new file drops in key locations
where commodity and advanced malware often use. To understand what, where and why to audit files and folders,
refer to the “Windows File Auditing Cheat Sheet” for more detailed information.
3. REGISTRY AUDITING: Configuring auditing of registry keys will allow you to catch new keys, values and data in
autorun and other locations where commodity and advanced malware often use. To understand what, where and
why to audit registry keys, refer to the “Windows Registry Auditing Cheat Sheet” for more detailed information.
4. REG.EXE: Use this utility to query what is in a Key or the data within a key or value
a. Query a Key and all values - Reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRun"
b. Query a Key and all values - Reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce"
c. Query a Key and all values - Reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRun"
d. Query a Key and all values - Reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce"
e. Query a known value of a Key:
Reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRun" /v malware
CONFIGURE:
5. Command Line Logging: One of the most important logging items that you can collect is what was executed on the
command line when something executes. Microsoft added this capability into the release of Windows 8.1 and
Windows Server 2012 R2. In Feb 2015 a patch was made available to add this feature to all Windows 7 and Windows
2008 Server with the following patch:
https://support.microsoft.com/en-us/kb/3004375 - KB3004375 Patch to add Command Line Logging
A registry key is required to add the “Process Command Line” entry to every event ID 4688 event. The following is the
key, value and data that must be set to collect this crucial information:
"hklmsoftwaremicrosoftwindowscurrentversionpoliciessystemaudit" – Value =
ProcessCreationIncludeCmdLine_Enabled - REG_DWORD = 1
You can configure it to start collecting with the following command:
reg add "hklmsoftwaremicrosoftwindowscurrentversionpoliciessystemaudit" /v
ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1
4. Jan 2016 ver 2.0 MalwareArchaeology.com Page 4 of 6
WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012
GATHER::
1. AUDITPOL: Use this utility to view your current log settings
a. List all Policies categories: AuditPol /List /Subcategory:*
b. List what is SET: AuditPol /get /category:*
c. List what is SET for a subcategory:
AuditPol /get /category:"Object Access”
2. Reg.exe: Use this utility to query the registry
a. Changes to AppInit_Dlls - reg query "HKLMSoftwareMicrosoftWindows NTCurrentVersionWindows" /v
AppInit_Dlls
b. Changes to Services Keys - reg query "HKLMSystemCurrentControlSetServices"
c. Changes to Machine Run Key - reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRun”
d. Changes to Machine RunOnce Key - reg query "HKLMSoftwareMicrosoftWindowsCurrentVersionRunOnce”
e. Changes to User Run Key - reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRun”
f. Changes to User RunOnce Key - reg query "HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce”
g.
3. SC.exe: Use this utility to query the services (sc /? For help)
a. List all services in any state – sc.exe query state= all (Note: ‘space’ after the = sign)
b. Look for a specific service – sc.exe query state= all | find /I “telnet”
c. After finding the ‘Display_Name’ then look for the ‘Service_Name’ to get the short name
GATHER::
1. WEvtUtil: Use this utility to query your logs
a. WevtUtil qe Security – query the Security Log for events
i. Lots of flags here so read help “WevtUtil -?”
ii. /c:5 = Read 5 events
iii. /rd:true = newest events first
iv. /f:text = format text, also can do XML
b. Success & Failed Logons - WevtUtil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /c:5 /rd:true
/f:text >Parsed%computername%_Logon_Events_Win7.log
c. User Account Change - WevtUtil qe Security /q:"*[System[(EventID=4738)]]" /c:5 /rd:true /f:text
>ParsedR_%computername%_User_Account_Change_Win7.log
d. New Service Installed - WevtUtil qe Security /q:"*[System[(EventID=7045)]]" /c:5 /rd:true /f:text
>ParsedR_%computername%_New_Service_Installed_Win7.log
e. User Account Changes - wevtutil qe Security /q:"*[System[(EventID=4725 or EventID=4722 or EventID=4723 or
EventID=4724 or EventID=4726 or EventID=4767)]]" /c:10 /f:text
2. Filtering Log Results: Use this method to filter lines within the logs
a. Registry Changed – Find entries with ‘Object Name’ - WevtUtil qe Security /q:"*[System[(EventID=4657)]]" /c:5
/rd:true /f:text |find /i"Object Name"
b. File or Registry Changed – Find entries with ‘Object Name’ - WevtUtil qe Security /q:"*[System[(EventID=4663)]]"
/c:50 /rd:true /f:text |find /i "Object Name"
c. Files – Find new files with ‘Wbem’ - WevtUtil qe Security /q:"*[System[(EventID=4663)]]" /c:50 /rd:true /f:text
|find /i "wbem"
5. Jan 2016 ver 2.0 MalwareArchaeology.com Page 5 of 6
WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012
HARVEST::
1. SERVICES: Found in the SYSTEM log
d. 7045 - Message=A service was installed in the system.
e. 7040 - Message=The start type of the XYZ service was changed from auto start to disabled.
f. 7000 - Message=The XYX service failed to start due to the following error: The service did not respond to the start
or control request in a timely fashion.
g. 7022 - Message=The XYZ service hung on starting.
h. 7024 - Message=The XYZ service terminated with service-specific error %%2414.
i. 7031 - Message=The XYZ service terminated unexpectedly. It has done this 1 time(s). The following corrective
action will be taken in 60000 milliseconds: Restart the service.
j. 7034 - Message=The XYZ service terminated unexpectedly. It has done this 1 time(s).
k. 7035 – Service sent a request to Stop or Start
l. 7036 – Service was Started or Stopped
HARVEST::
1. LOG CLEAR: Watch for log clear messages
a. 104 – SYSTEM Log – The Application or System log
was cleared
b. 1102 – SECURITY Log – The audit log was cleared
2. TASKS: Watch for a Process to start and call other
processes
a. 4698 – SECURITY Log – New Task Created
3. DRIVER: Watch for an issue with a driver
a. 40 – Issue with Driver
4. OS VERSION: What OS do machines have
a. 6009 – Lists OS version, Service Pack and processor
type
HARVEST::
1. PROCESSES: Watch for a Process to start and call other
processes
a. 4688 – SECURITY Log – New Process Name, look
for Creator Process ID to link what process
launched what
2. INSTALLER: Watch for the Windows Installer activity
a. 1022 – Windows Installer updated the product
b. 1033 – Windows Installer installed the product
c. 1034 – Windows Installer removed the product
3. WINDOWS UPDATE: Watch for the Windows Update
Agent activity.
a. 18 = Ready, 19 = Installed, 20= Failure
4. WINDOWS TIME: Watch for the Windows Service
synchronization. Make sure your sources are what they
are supposed to be.
a. 35 – Time Service sync status and source
5. APPLICATION ERROR: Watch for application crashes.
a. 1000 – (Application Log) Application Fault
HARVEST::
1. ACCOUNTS: Monitor for attempts to change an account
password
a. 4720 – A user account was created
b. 4724 – An attempt was made to reset an accounts PW
c. 4735 – Local Group changed
d. 4738 – User account password changed
HARVEST::
1. APPLOCKER: Watch for triggers to AppLocker events (8000-
8027)
a. 8004 – Filename not allowed to run
2. SRP: Watch for triggers to Software Restriction Policies
b. 866 – Access to <filename> has been restricted
HARVEST::
1. AUDIT POLICY: Watch for changes to the Audit Policy that
are NOT “SYSTEM”
a. 4719 – System audit policy was changed
6. Jan 2016 ver 2.0 MalwareArchaeology.com Page 6 of 6
WINDOWS LOGGING CHEAT SHEET - Win 7 thru Win 2012
HARVEST::
1. NEW FILE ADDED: Watch for the creation of new files.
Requires File auditing of the directory(s) that you want to
monitor
b. 4663 – Accesses: WriteData (or AddFile)
c. GREAT for CryptoWare & Malware drops
HARVEST::
1. REGISTRY: Watch for the creation or modification of new registry keys and values
a. 4657 – Accesses: WriteData (or AddFile)
i. HKLM, HKCU & HKU – SoftwareMicrosoftWindowsCurrentVersion
1. Run, RunOnce
ii. HKLMSoftwareMicrosoftWindows NTCurrentVersionWindows
1. Watch AppInit_Dlls
iii. HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionEMDMgmt
1. Watch Connection time of USB Devices
iv. HKLMSystemCurrentControlSetServices
1. Watch for NEW Services
v. HKLMSYSTEMCurrentControlSetEnumUSBSTOR
1. Watch for NEW USB devices
HARVEST::
2. FIREWALL: Windows Filtering Platform - Watch for
Inbound and Outbound connections – Requires
Windows Firewall to be enabled
a. This is the noisiest of all Events. Generating
easily 9,000 - 10,000 events per hour per system
b. Storage is required to utilize this event
c. 5156 – Message=The Windows Filtering
Platform has permitted a connection. Look for:
i. Direction:, Source Address:, Source
Port:, Destination Address: &
Destination Port:
HARVEST::
1. REGISTRY: Monitor certain Keys for Add, Changes and
Deletes. Setting auditing on the Specific keys is
required.
a. 4657 – A Registry value was modified
HARVEST::
1. EMAIL / VPN: Monitor for failed and successful logins
to your VPN and Webmail application. Consider
emailing user if login is from a new IP not in your
exclude list
a. sc_status=401 – Failed OWA login
b. "reason = Invalid password" – Failed VPN login
- Cisco
HARVEST::
1. LOGON TYPE: Monitor for what type of logons occur
a. 4624 - Message=An account was successfully
logged on.
i. Type 2 – Interactive – GUI
ii. Type 3 – Network – Net Use
iii. Type 4 – Batch
iv. Type 5 – Service
v. Type 7 – Unlock
vi. Type 8 – Network Clear Text
vii. Type 9 – New Credentials (RDP Tools)
viii. Type 10 – Remote Interactive (RDP)
ix. Type 11 – Cached Interactive (laptops)
b. 4625 - Message = An account failed to log on.
HARVEST::
1. SYSTEM INTEGRITY: Watch for files with page images with
bad hashes
a. 6281 – Failed – “page hashes of an image file are
not valid”