formatting

enumeration/windows/event_log.md

@@ -1,10 +1,12 @@
 # Logging
+
 * [Windows Logging CheatSheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf)
 * [NSA -- Spotting Adversary with Windows Event Monitoring](https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm)
 * [Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
 * [Windows 10 Monitoring Reference](https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630)
 
 ## Loglevel
+
 |ID|Event Type|Description|
 |--|----------|-----------|
 |0|Error|An event that indicates a significant problem.|
@@ -14,6 +16,7 @@
 |4|Failure Audit|An event that records an audited security access attempt that is failure.|
 
 ## Logrotation
+
 ```sh
 C:\Windows\System32\winevt\Logs
 ```
@@ -27,6 +30,7 @@ C:\Windows\System32\winevt\Logs
 * Get-WinEvent (PowerShell cmdlet)
 
 ### wevtutil.exe
+
 ```sh
 wevtutil.exe /?
 ```
@@ -40,6 +44,7 @@ wevtutil qe Application /c:3 /rd:true /f:text
 ```
 
 ### Get-WinEvent
+
 * [Online help](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1)
 * List all the logs
 ```sh
@@ -82,6 +87,7 @@ Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventDa
 ```
 
 ### Command Line Logging
+
 * Enable PS Logging
 ```sh
 Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

enumeration/windows/sysmon.md

@@ -1,22 +1,27 @@
 # Sysmon
+
 Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events. 
 
 ## Paths
+
 * Logfiles
 ```
 Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
 ```
 
 ## Configuration
+
 * [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)
 * [ION-Storm](https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml)
 
 ## Installation
+
 ```sh
 Downloads-SysInternalsTools C:\Sysinternals
 ```
 
 ## Best Practices
+
 * Exclude, not include events
 * CLI gives further control over filters
 ```sh
@@ -28,9 +33,11 @@ wevutil.exe
 * Know the env before implementation
 
 ## Filtering Events
+
 * Actions -> Filter Current Log
 
 ### Filtering Events with Powershell
+
 * Logged Events containing port 4444
 ```sh
 Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'
@@ -45,6 +52,7 @@ Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventDat
 ```
 
 ## Evasion Techniques
+
 * Alternate Data Streams
 * Injections
 * Masquerading
@@ -55,6 +63,7 @@ Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventDat
 * Remote Thread (OpenThread, ResumeThread)
 
 ### Detecting Evasion Techniques with Powershell
+
 ```sh
 Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'
 Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'