Sysadmins of the North

Intrusion Detection with Windows Event ID’s

Found via: This paper is the best I have ever read on how to build IOCs with Windows Event IDs. I highly recommend reading it; it contains very useful information and some very interesting behavioural examples of attacker activity. If you are looking to enhance detection in your core network, this is the document!

Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs

This is a paper by María del Carmen Prudente Tixteco, Lidia Prudente Tixteco, Gabriel Sánchez Pérez, Linda Karina Toscano Medina (keywords: indicators of compromise; windows event logs; intrusion detection), for the Eleventh International Conference on Internet Monitoring and Protection.

Nowadays computer attacks and intrusions have become more common, affecting the confidentiality, integrity or availability of computer systems. They are more sophisticated, making the job of information security analysts more complicated, mainly because the attack vectors are more robust and complex to identify. One of the main resources that information security people have at their disposal are Indicators of Compromise (IOCs), which allow the identification of potentially malicious activity on a system or network. Usually IOCs are made of virus signatures, IP addresses, URLs or domains and some other elements, which are not sufficient to detect an intrusion or malicious activity on a computer system. The Windows event logs register different activities in a Windows® operating system that are valuable elements in a forensic analysis process. IOCs can be generated using Windows event logs for intrusion detection, improving Incident Response (IR) and forensic analysis processes. This paper presents a procedure to generate IOCs using Windows event logs to achieve a more efficient diagnostic of a computer system for IR.

The relevant pages are available for download from ThinkMind:


Windows Events log for IR/Forensics, Part 1

At the SANS InfoSec Handlers Diary Blog runs a series Windows Events log for DFIR:

In the time of incidents, Windows Event logs provide plenty of useful information for the incident responder. As you know, Windows can generate thousands of events in a few minutes; in this diary I will talk about some of the most useful events, and in the next diary I will discuss how to use PowerShell to search for them.

Here are some of the most useful events for Forensics/Incident response:

Read the full post (part 1) here:
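As an added example (not code from the SANS diary or the paper linked above), here is one way to pull a handful of well-known high-value event IDs out of the Security and System logs with Get-WinEvent and flatten the fields an incident responder pivots on; the ID table and the 24-hour look-back window are illustrative choices of mine, and the script assumes an elevated PowerShell session on the host under review.

```powershell
# Added example, not from the SANS diary or the paper: query well-known
# high-value Windows event IDs and flatten the fields IR analysts pivot on.
# Assumes an elevated session; the ID table and look-back are illustrative.

$Since = (Get-Date).AddHours(-24)

# Standard Windows event IDs (general knowledge, not values from this page)
$SecurityIds = @{
    4624 = 'Successful logon (review LogonType 3/10 from unexpected sources)'
    4625 = 'Failed logon (bursts suggest password guessing)'
    4720 = 'User account created'
    4688 = 'New process created (requires process creation auditing)'
    1102 = 'Security audit log cleared'
}
$SystemIds = @{
    7045 = 'New service installed'
}

function Get-IocEvents {
    param([string]$LogName, [hashtable]$IdTable, [datetime]$StartTime)
    $filter = @{ LogName = $LogName; Id = [int[]]($IdTable.Keys); StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData carries the named fields; UserData events (e.g. 1102) have none
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        $target = if ($data['TargetUserName']) { $data['TargetUserName'] } else { $data['ServiceName'] }
        $detail = if ($data['LogonType']) { "LogonType=$($data['LogonType']) From=$($data['IpAddress'])" } else { $data['NewProcessName'] }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Why     = $IdTable[$_.Id]
            Subject = $data['SubjectUserName']
            Target  = $target
            Detail  = $detail
        }
    }
}

$events = @(Get-IocEvents -LogName 'Security' -IdTable $SecurityIds -StartTime $Since) +
          @(Get-IocEvents -LogName 'System'   -IdTable $SystemIds   -StartTime $Since)

# Cheap high-signal findings first: log clearing, new services, new accounts
$events | Sort-Object Time | Format-Table Time, Id, Why, Subject, Target, Detail -AutoSize
```

Pipe `$events` to Export-Csv instead of Format-Table when the output is to be shipped to a central SIEM or kept as an IR artefact.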


About the Author Jan Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, WordPress, websites & optimization. Want to support me and donate? Use this link:
