Spotting the Adversary with Windows Event Log Monitoring
SubscriptionId: WhitelistingLogs
SubscriptionType: SourceInitiated
Description: AppLocker and SRP Logs. Targets: Windows XP+
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: Custom
MaxLatencyTime: 11000
Query (CDATA QueryList):
  *[System[Provider[@Name='Microsoft-Windows-AppLocker'] and (Level=2 or Level=3) and (EventID=8003 or EventID=8004 or EventID=8006 or EventID=8007)]]
  *[System[Level=3 and EventID=865]]
ReadExistingEvents: true
TransportName: http
ContentFormat: RenderedText
LogFile: ForwardedEvents

Windows Update Errors (WinUpdateErr.xml)

SubscriptionId: WinUpdateErr
SubscriptionType: SourceInitiated
Description: Windows Update Errors
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: Custom
MaxLatencyTime: 11000
Query (CDATA QueryList):
  *[System[(Level=2 or Level=3)]]
  *[System[Provider[@Name='Microsoft-Windows-Servicing'] and (EventID=1009)]]
  *[System[(EventID=29)]]
ReadExistingEvents: true
TransportName: http
ContentFormat: Events
LogFile: ForwardedEvents

Windows Firewall with Advanced Security (WinFAS.xml)

SubscriptionId: WinFAS
SubscriptionType: SourceInitiated
Description: Windows Firewall and Windows Firewall with Advanced Security Logs
Enabled: true
Uri: http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog
ConfigurationMode: Custom
MaxLatencyTime: 11000
Query (CDATA QueryList):
  *[System[(Level=2 or Level=4 or Level=0) and (EventID=2009 or EventID=2033 or EventID=2004 or EventID=2005)]]
ReadExistingEvents: true
TransportName: http
ContentFormat: Events
LogFile: ForwardedEvents

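The selectors in the three subscriptions above (WhitelistingLogs, WinUpdateErr and WinFAS) all use the same small XPath subset: a `*[System[...]]` wrapper around `Provider[@Name='...']`, `Level=N` and `EventID=N` tests joined with `and`, `or` and parentheses. The script below is an added example, not code from the NSA guide or from Windows: it parses that subset and evaluates each selector against constructed sample events, so you can check which subscription would forward a given event before deploying the XML with wecutil. The event dictionaries and their keys (`provider`, `level`, `eventid`) are this script's own convention, and the sample events are constructed rather than real log records. One simplification matters: a real `<Select>` also carries a channel `Path` attribute that scopes the selector to one log, and that attribute is not modelled here, which is why a broad selector such as `*[System[(Level=2 or Level=3)]]` in WinUpdateErr matches any error or warning event it is shown.

```python
"""Evaluate the XPath-style selectors used in WEF subscription QueryLists.

Added example, not code from the NSA guide. Supported grammar (the subset this
page's subscriptions use):
    *[System[ <expr> ]]
    <expr> := Provider[@Name='...'] | Level=N | EventID=N, joined by
              'and' / 'or' with parentheses ('and' binds tighter, as in XPath)
Events are dicts with keys 'provider', 'level', 'eventid' (this script's own
convention). The <Select Path="..."> channel scope is not modelled.
"""
import re

TOKEN_RE = re.compile(
    r"\s*(?:Provider\[@Name='(?P<pname>[^']*)'\]"
    r"|(?P<field>Level|EventID)=(?P<num>\d+)"
    r"|(?P<op>and|or)\b"
    r"|(?P<paren>[()]))"
)
SELECT_RE = re.compile(r"^\s*\*\[System\[(.*)\]\]\s*$", re.DOTALL)


def tokenize(expr):
    """Split the inner System[...] expression into (kind, value) tokens."""
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            if expr[pos:].strip():
                raise ValueError(f"unsupported syntax at {expr[pos:]!r}")
            break
        pos = m.end()
        if m.group("pname") is not None:
            tokens.append(("provider", m.group("pname")))
        elif m.group("field"):
            tokens.append((m.group("field").lower(), int(m.group("num"))))
        elif m.group("op"):
            tokens.append(("op", m.group("op")))
        else:
            tokens.append(("paren", m.group("paren")))
    return tokens


class Parser:
    """Recursive-descent parser that turns tokens into a predicate closure."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError("trailing tokens in selector")
        return pred

    def or_expr(self):  # and_expr ('or' and_expr)*
        terms = [self.and_expr()]
        while self.peek() == ("op", "or"):
            self.take()
            terms.append(self.and_expr())
        return lambda ev: any(t(ev) for t in terms)

    def and_expr(self):  # primary ('and' primary)*
        terms = [self.primary()]
        while self.peek() == ("op", "and"):
            self.take()
            terms.append(self.primary())
        return lambda ev: all(t(ev) for t in terms)

    def primary(self):  # '(' or_expr ')' | Provider/Level/EventID test
        tok = self.take()
        if tok == ("paren", "("):
            pred = self.or_expr()
            if self.take() != ("paren", ")"):
                raise ValueError("missing ')' in selector")
            return pred
        if tok is None or tok[0] in ("op", "paren"):
            raise ValueError(f"unexpected token {tok!r}")
        kind, value = tok
        return lambda ev: ev.get(kind) == value


def compile_select(select):
    """Turn one <Select> body into a predicate over event dicts."""
    m = SELECT_RE.match(select)
    if not m:
        raise ValueError("only *[System[...]] selectors are supported")
    return Parser(tokenize(m.group(1))).parse()


def matches(select, event):
    return compile_select(select)(event)


# Selectors copied from the three subscriptions on this page.
SUBSCRIPTIONS = {
    "WhitelistingLogs": [
        "*[System[Provider[@Name='Microsoft-Windows-AppLocker'] and (Level=2 or Level=3) "
        "and (EventID=8003 or EventID=8004 or EventID=8006 or EventID=8007)]]",
        "*[System[Level=3 and EventID=865]]",
    ],
    "WinUpdateErr": [
        "*[System[(Level=2 or Level=3)]]",
        "*[System[Provider[@Name='Microsoft-Windows-Servicing'] and (EventID=1009)]]",
        "*[System[(EventID=29)]]",
    ],
    "WinFAS": [
        "*[System[(Level=2 or Level=4 or Level=0) and "
        "(EventID=2009 or EventID=2033 or EventID=2004 or EventID=2005)]]",
    ],
}


def forwarded_by(event):
    """Names of the subscriptions whose selectors would forward this event."""
    return [name for name, selects in SUBSCRIPTIONS.items()
            if any(matches(s, event) for s in selects)]


if __name__ == "__main__":
    # Constructed sample events, not real log records.
    for ev in [{"provider": "Microsoft-Windows-AppLocker", "level": 3, "eventid": 8003},
               {"provider": "Microsoft-Windows-AppLocker", "level": 4, "eventid": 8002},
               {"provider": "firewall-sample", "level": 4, "eventid": 2004}]:
        print(ev, "->", forwarded_by(ev))
```

Running it shows the AppLocker 8003 warning being picked up by WhitelistingLogs and, because the channel scope is not modelled, also by WinUpdateErr's `(Level=2 or Level=3)` selector; the firewall rule-change event 2004 at level 4 is forwarded by WinFAS alone. When authoring a subscription, pair every broad Level-only selector with a specific `Path` so the collector is not flooded with every error in every log.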
Log Deletion (LogDel.xml)
45