Spotting the Adversary with Windows Event Log Monitoring

More documents

Recommendations

Info

MSI Packages Installed (MsiPackages.xml) MsiPackages SourceInitiated MSI Packages Installed. Targets: Windows XP+ true http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog Custom 11000 *[System[Provider[@Name='MsiInstaller'] and (Level=4 or Level=0) and (EventID=1022 or EventID=1033 or EventID=11707 or EventID=11728)]] *[System[Provider[@Name='NtServicePack'] and (EventID=4377)]] *[System[Provider[@Name='FilterManager'] and (EventID=6)]] *[System[Provider[@Name='Windows Update Agent'] and (EventID=19)]] ]]> true httpRenderedText ForwardedEvents Windows Service Manager Errors (Service.xml) NTService SourceInitiated Windows Service Manager Errors true http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog Custom 11000 *[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=7022 or EventID=7023 or EventID=7024 or EventID=7026 or EventID=7031 or EventID=7034 or EventID=7032 or EventID=7045)]] ]]> true httpEvents ForwardedEvents System Log Errors (SysLogs.xml) SysLogs SourceInitiated Windows System Logs true http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog Custom 11000 *[System[(Level=2 or Level=3 or Level=4 or Level=0) and (EventID=10016 or EventID=11 or EventID=104 or EventID=6 or EventID=1127 or EventID=1125 or EventID=40964 or EventID=40968)]] ]]> true httpEvents ForwardedEvents 43
User Account Added to Privileged Group (UserToPriv.xml) UserToPriv SourceInitiated User Account Added to Privileged Group events. Targets: Windows XP+ true http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog Custom 1 1000 *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4728 or EventID=4732 or EventID=4756)]] *[System[Provider[@Name='Security'] and (EventID=632 or EventID=636 or EventID=660)]] ]]> true httpEvents ForwardedEvents Windows File Protection Errors (WFP.xml) WFP SourceInitiated Windows File Protection Errors. Targets: Windows Vista+ true http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog Custom 1 1000 *[System[(Level=2 or Level=4 or Level=0)]] *[System[(Level=2 or Level=4 or Level=0)]] ]]> true httpEvents ForwardedEvents Applocker and Software Restriction Policies Blocks (WhitelistingLogs.xml) 44
Page 1 and 2: National Security Agency/Central Se
Page 3 and 4: List of Figures Figure 1: Creating
Page 5 and 6: Disclaimer This Guide is provided "
Page 7 and 8: Initiated (pull) or Source-Initiate
Page 9 and 10: updates. A batch script is provided
Page 11 and 12: The compatibility listener binds Wi
Page 13 and 14: The Event Delivery Optimization opt
Page 15 and 16: The logging of cryptographic activi
Page 17 and 18: The WinRM service can be found by n
Page 19 and 20: Figure 10: Enable SubscriptionManag
Page 21 and 22: 3. Select Browse… and enter NETWO
Page 23 and 24: Figure 12: GPO Inbound Firewall Rul
Page 25 and 26: 3. In the Show Contents windows, en
Page 27 and 28: 1. Open Services MMC snap-in 2. Rig
Page 29 and 30: 3.1.1 Basic Authentication The clie
Page 31 and 32: Accessing each source to manually c
Page 33 and 34: To configure a WinRM service to run
Page 35 and 36: Windows 7 Windows Service Fails or
Page 37 and 38: ID Level Event Log Event Source Eve
Page 39 and 40: Detected an invalid image hash of a
Page 41 and 42: The XPath queries below are used fo
Page 43 and 44: Controllers group. This subscriptio
Page 45 and 46: The Enabled registry value should h
Page 47: Windows Kernel Driver Errors (Kerne
Page 51 and 52: LogDel SourceInitiated Windows Fire
Page 53 and 54: XP_SysLogsErr SourceInitiated Windo
Page 55 and 56: Microsoft’s Events and Errors Mes
Page 57 and 58: WinRM Version (KB#) Supported OS KB
Page 59 and 60: Parameters MaxEnvelopeSizekb MaxTim
Page 61 and 62: EnableCompatibilityHttpsListener Se
Page 63 and 64: @ECHO OFF SETLOCAL SETLOCAL ENABLED
Page 65 and 66: O: Owner_SID G: Group_SID D: DACL_F
Page 67 and 68: Generally, WinRM produces an error
Page 69 and 70: Failed to open subscription. Error
Page 71 and 72: When a WinRM connection arrives on

Spotting the Adversary with Windows Event Log Monitoring

Create successful ePaper yourself

Delete template?

Save as template?