auditing   1021


Peeping Through Windows (Logs)
4688 - New Process Name, Creator Process Name
4738 - User Account changed
4624 - User logon

Also the "Sexy Six" event codes from .conf2015
threathunting  eventlogs  splunk  nsa  auditing 
9 days ago by bwiese
Go to HELL, PowersHELL : Powerdown the PowerShell Attacks | Security Affairs
Event ID 4688 gives us two key pieces of information on which alerts can be built in the SIEM to detect such attacks:

Which process has been created
What Command line parameters/arguments are passed with the process creation (if any)
Who the parent process is (Win10 / Windows Server 2016 and later include the name of the parent process in the Creator_Process_Name field; earlier versions of Windows include only the Process ID of the parent under Creator_Process_ID)
auditing  reference  cybersecurity  threathunting  eventlogs 
9 days ago by bwiese
How to Determine What Just Ran on Windows Console | Windows Command Line Tools For Developers
For some background, a console window (running as ConHost.exe) opens & is attached to a command-line application when executed. When Windows launches a new process, an event with ID 4688 is generated. This event is disabled by default, and needs to be turned-on through a Group Policy Object setting before it can be tracked.

cmd line auditing: Double-click the “Include command line in process creation events” setting, select the “Enabled” field and hit OK.
windows  auditing  threathunting  eventlogs 
9 days ago by bwiese
Windows Incident Response: HowTo: Track Lateral Movement
On system B, you may find indications of a service being started in the System Event Log (event ID 7035/7036), and on WinXP and 2003 systems you may find indications of the task being run in the SchedLgU.txt file.
dfiri  cybersecurity  windows  auditing 
10 days ago by bwiese
How to Query Audit Logs Using 'ausearch' Tool on CentOS/RHEL
In this tutorial, we will explain how to use the ausearch tool to retrieve data from auditd log files on RHEL- and CentOS-based Linux distributions.
Linux  Tutorials  audit  auditing  centos  examples  ausearch  files  howto  log  logs  query  rhel  tutorial  redhat 
6 weeks ago by loquitoslack
Nice windows event blacklisting · GitHub

disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
splunk  auditing  eventlogs 
11 weeks ago by bwiese
Controlling 4662 Messages in the Windows Security Event Log
We added a feature to black list and white list on a regular expression. In the case of the Security Windows Event Log, we need something like this:

blacklist1=EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

The black list is a set of key=regex pairs. The keys are things like "EventCode" and "TaskCategory", i.e. the event log keys, not the Splunk fields. In this case we are going to black list EventCode 4662, but only when the Object Type is not groupPolicyContainer.
splunk  auditing  eventlogs 
11 weeks ago by bwiese
Auditing File Access on File Servers – Premier Field Engineering
Recently, I helped a customer achieve two objectives:

Audit access to sensitive content on the file servers and ensure the information is captured
Generate reports on a regular basis that would show WHO did WHAT to WHICH content and WHEN this was done.
windows  auditing  cybersecurity 
12 weeks ago by bwiese
Major Browsers to Prevent Disabling of Click Tracking Privacy Risk
Ping HTML Link
This will render on the page as a normal link to and if you hover over it, will only show you the destination URL. It does not show you the ping back URL of, so users will not even realize this is happening unless they examine the site's source code.
privacy  HTML  auditing 
april 2019 by euler
