Spotting the Adversary with Windows Event Log Monitoring


Whitelisting Logs

  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>AppLocker and SRP Logs. Targets: Windows XP+</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxLatencyTime>11000</MaxLatencyTime>
    </Batching>
  </Delivery>
  <Query>
    <![CDATA[
    <QueryList>
      <!-- Channel Path attributes on Query/Select are not preserved in this copy -->
      <Query Id="0">
        <Select>*[System[Provider[@Name='Microsoft-Windows-AppLocker'] and (Level=2 or Level=3) and (EventID=8003 or EventID=8004 or EventID=8006 or EventID=8007)]]</Select>
        <Select>*[System[Level=3 and EventID=865]]</Select>
      </Query>
    </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
</Subscription>


Windows Update Errors (WinUpdateErr.xml)

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>WinUpdateErr</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Windows Update Errors</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxLatencyTime>11000</MaxLatencyTime>
    </Batching>
  </Delivery>
  <Query>
    <![CDATA[
    <QueryList>
      <!-- Channel Path attributes on Query/Select are not preserved in this copy -->
      <Query Id="0">
        <Select>*[System[(Level=2 or Level=3)]]</Select>
        <Select>*[System[Provider[@Name='Microsoft-Windows-Servicing'] and (EventID=1009)]]</Select>
        <Select>*[System[(EventID=29)]]</Select>
      </Query>
    </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>Events</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
</Subscription>


Windows Firewall with Advanced Security (WinFAS.xml)

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>WinFAS</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Windows Firewall and Windows Firewall with Advanced Security Logs</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxLatencyTime>11000</MaxLatencyTime>
    </Batching>
  </Delivery>
  <Query>
    <![CDATA[
    <QueryList>
      <!-- Channel Path attributes on Query/Select are not preserved in this copy -->
      <Query Id="0">
        <Select>*[System[(Level=2 or Level=4 or Level=0) and (EventID=2009 or EventID=2033 or EventID=2004 or EventID=2005)]]</Select>
      </Query>
    </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>Events</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
</Subscription>

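The subscriptions above all share one QueryList structure, and the most common way for one to fail is quietly: a wrong or missing channel Path makes the XPath match nothing, and a subscription that forwards zero events looks healthy to the collector. The PowerShell below is an added example, not part of the NSA document or any Microsoft sample. It rebuilds the WinFAS subscription from the page, writes it to a file, runs the collector's own QueryList locally with Get-WinEvent as a dry run, and only then hands the file to wecutil. The file location, the channel Path attribute (this copy of the document does not preserve Path attributes) and the AllowedSourceDomainComputers SDDL are assumptions, not values taken from the page.

```powershell
# Added example, not from the NSA document. Dry-runs a source-initiated WEF
# subscription's QueryList on the local host before wecutil registers it.
# Assumptions (not on the page): file location, the channel Path attribute on
# <Query>/<Select>, and the AllowedSourceDomainComputers SDDL.

$SubscriptionFile = Join-Path $env:TEMP 'WinFAS.xml'   # assumed location

# Constructed from the page's WinFAS subscription; Path and SDDL are assumed.
$winFasXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>WinFAS</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Windows Firewall and Windows Firewall with Advanced Security Logs</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>11000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="11000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">
    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*[System[(Level=2 or Level=4 or Level=0) and (EventID=2009 or EventID=2033 or EventID=2004 or EventID=2005)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@

function Get-WefQueryList {
    # Returns the <QueryList> carried inside the subscription's CDATA section.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$sub = Get-Content -Raw -LiteralPath $Path
    $cdata = $sub.Subscription.Query.'#cdata-section'
    if (-not $cdata) { throw "No CDATA QueryList found in $Path" }
    [xml]$cdata
}

function Test-WefSubscription {
    # Verifies every <Select> names a channel that exists here, then runs the
    # filter exactly as the collector would and returns the matching events.
    param([Parameter(Mandatory)][string]$Path, [int]$MaxEvents = 25)
    [xml]$query = Get-WefQueryList -Path $Path
    foreach ($q in @($query.QueryList.Query)) {
        foreach ($sel in @($q.Select)) {
            # A Select inherits the channel from its Query when it has no Path.
            $channel = if ($sel.Path) { $sel.Path } else { $q.Path }
            if (-not $channel) { throw "A <Select> in $Path has no channel Path" }
            if (-not (Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue)) {
                throw "Channel '$channel' does not exist on this host"
            }
        }
    }
    # No matches is not an error here: Get-WinEvent reports it, so the caller
    # sees an empty table and knows the filter or channel needs a second look.
    Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName
}

Set-Content -LiteralPath $SubscriptionFile -Value $winFasXml -Encoding UTF8
Test-WefSubscription -Path $SubscriptionFile | Format-Table -AutoSize

# Register on the collector only after the dry run returns the events you expect.
# wecutil cs $SubscriptionFile
# wecutil gr WinFAS      # per-source runtime status once clients have checked in
```

Run the dry run on a host where the rule set has recently changed (adding or removing a firewall rule raises 2004 or 2033), so an empty table means the filter is wrong rather than that nothing happened. The channel check matters because Get-WinEvent -FilterXml and the collector both accept a nonexistent channel without complaint and simply return nothing.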

Log Deletion (LogDel.xml)
