Found via cyber-ir.com: This paper is the best I have ever read on how to build IOC’s with Windows Event ID’s. I highly recommend you to read it, it contains very useful information and some very interesting behavioral examples of attacker activity. If you are looking to enhance your detection in your core network this is the document!
Intrusion Detection Using Indicators of Compromise Based on Best Practices and Windows Event Logs
This is a paper by María del Carmen Prudente Tixteco, Lidia Prudente Tixteco, Gabriel Sánchez Pérez, Linda Karina Toscano Medina (keywords: indicators of compromise; windows event logs; intrusion detection), for the Eleventh International Conference on Internet Monitoring and Protection.
Nowadays computer attacks and intrusions have become more common affecting confidentiality, integrity or the availability of computer systems. They are more sophisticated making the job of the information security analysts more complicated, mainly because of the attacking vectors are more robust and complex to identify. One of the main resources that information security people have on their disposition are Indicators of Compromise (IOCs), which allow the identification of potentially malicious activity on a system or network. Usually IOCs are made off virus signatures, IP addresses, URLs or domains and some others elements, which are not sufficient to detect an intrusion or malicious activity on a computer system. The Windows event logs register different activities in a Windows® operating system that are valuable elements in a forensic analysis process. IOCs can be generated using Windows event logs for intrusion detection, improving Incident Response (IR) and forensic analysis processes. This paper presents a procedure to generate IOCs using Windows event logs to achieve a more efficient diagnostic computer system for IR.
The relevant pages are available for download from ThinkMind:
https://www.thinkmind.org/download.php?articleid=icimp_2016_2_20_30032
Windows Events log for IR/Forensics, Part 1
At the SANS InfoSec Handlers Diary Blog runs a series Windows Events log for DFIR:
In the time of incidents, Windows Event logs provide a plenty of useful information for the Incident responder.As you know Windows can generate thousands of events in few minutes ,in this diary I will talk about some of the most useful events and in the next diary I would discuss how to use PowerShell to search for them .
Here is of the most useful events for Forensics/Incident response:
Read the full post (part 1) here: https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/.
Scan your network for vulnerabilities using Acunetix's Online Network Security Scanner. How to use grep for forensic log parsing and analysis on Windows Server IIS.
Thank you very much! <3 ❤️
Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely an application manager / systems administrator, doing my daily thing at Embrace – The Human Cloud. In the past I worked at CLDIN (CLouDINfra) and Vevida. With over 20 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization. I blog at https://www.saotn.org.
Hello, I have a problem with all events 4624, 4634, 4648, 4672 … all events that are related to connections and disconnections are not registered at all in my event manager, since about 1 year, before everything go well but we! Does somebody have an idea ? when I activate the recordings with GPedit.msc, it works but when I restart my PC, it does not work anymore.