formatting
This commit is contained in:
parent
26fff11d27
commit
def5079664
|
|
@ -1,10 +1,12 @@
|
||||||
# Logging
|
# Logging
|
||||||
|
|
||||||
* [Windows Logging CheatSheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf)
|
* [Windows Logging CheatSheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf)
|
||||||
* [NSA -- Spotting Adversary with Windows Event Monitoring](https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm)
|
* [NSA -- Spotting Adversary with Windows Event Monitoring](https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm)
|
||||||
* [Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
|
* [Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
|
||||||
* [Windows 10 Monitoring Reference](https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630)
|
* [Windows 10 Monitoring Reference](https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630)
|
||||||
|
|
||||||
## Loglevel
|
## Loglevel
|
||||||
|
|
||||||
|ID|Event Type|Description|
|
|ID|Event Type|Description|
|
||||||
|--|----------|-----------|
|
|--|----------|-----------|
|
||||||
|0|Error|An event that indicates a significant problem.|
|
|0|Error|An event that indicates a significant problem.|
|
||||||
|
|
@ -14,6 +16,7 @@
|
||||||
|4|Failure Audit|An event that records an audited security access attempt that is failure.|
|
|4|Failure Audit|An event that records an audited security access attempt that is failure.|
|
||||||
|
|
||||||
## Logrotation
|
## Logrotation
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
C:\Windows\System32\winevt\Logs
|
C:\Windows\System32\winevt\Logs
|
||||||
```
|
```
|
||||||
|
|
@ -27,6 +30,7 @@ C:\Windows\System32\winevt\Logs
|
||||||
* Get-WinEvent (PowerShell cmdlet)
|
* Get-WinEvent (PowerShell cmdlet)
|
||||||
|
|
||||||
### wevtutil.exe
|
### wevtutil.exe
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
wevtutil.exe /?
|
wevtutil.exe /?
|
||||||
```
|
```
|
||||||
|
|
@ -40,6 +44,7 @@ wevtutil qe Application /c:3 /rd:true /f:text
|
||||||
```
|
```
|
||||||
|
|
||||||
### Get-WinEvent
|
### Get-WinEvent
|
||||||
|
|
||||||
* [Online help](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1)
|
* [Online help](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1)
|
||||||
* List all the logs
|
* List all the logs
|
||||||
```sh
|
```sh
|
||||||
|
|
@ -82,6 +87,7 @@ Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventDa
|
||||||
```
|
```
|
||||||
|
|
||||||
### Command Line Logging
|
### Command Line Logging
|
||||||
|
|
||||||
* Enable PS Logging
|
* Enable PS Logging
|
||||||
```sh
|
```sh
|
||||||
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
|
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
|
||||||
|
|
|
||||||
|
|
@ -1,22 +1,27 @@
|
||||||
# Sysmon
|
# Sysmon
|
||||||
|
|
||||||
Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events.
|
Sysmon gathers detailed and high-quality logs as well as event tracing that assists in identifying anomalies in your environment. Sysmon is most commonly used in conjunction with security information and event management (SIEM) system or other log parsing solutions that aggregate, filter, and visualize events.
|
||||||
|
|
||||||
## Paths
|
## Paths
|
||||||
|
|
||||||
* Logfiles
|
* Logfiles
|
||||||
```
|
```
|
||||||
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
|
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
|
||||||
```
|
```
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
* [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)
|
* [SwiftOnSecurity](https://github.com/SwiftOnSecurity/sysmon-config)
|
||||||
* [ION-Storm](https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml)
|
* [ION-Storm](https://github.com/ion-storm/sysmon-config/blob/develop/sysmonconfig-export.xml)
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
Downloads-SysInternalsTools C:\Sysinternals
|
Downloads-SysInternalsTools C:\Sysinternals
|
||||||
```
|
```
|
||||||
|
|
||||||
## Best Practices
|
## Best Practices
|
||||||
|
|
||||||
* Exclude, not include events
|
* Exclude, not include events
|
||||||
* CLI gives further control over filters
|
* CLI gives further control over filters
|
||||||
```sh
|
```sh
|
||||||
|
|
@ -28,9 +33,11 @@ wevutil.exe
|
||||||
* Know the env before implementation
|
* Know the env before implementation
|
||||||
|
|
||||||
## Filtering Events
|
## Filtering Events
|
||||||
|
|
||||||
* Actions -> Filter Current Log
|
* Actions -> Filter Current Log
|
||||||
|
|
||||||
### Filtering Events with Powershell
|
### Filtering Events with Powershell
|
||||||
|
|
||||||
* Logged Events containing port 4444
|
* Logged Events containing port 4444
|
||||||
```sh
|
```sh
|
||||||
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'
|
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'
|
||||||
|
|
@ -45,6 +52,7 @@ Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventDat
|
||||||
```
|
```
|
||||||
|
|
||||||
## Evasion Techniques
|
## Evasion Techniques
|
||||||
|
|
||||||
* Alternate Data Streams
|
* Alternate Data Streams
|
||||||
* Injections
|
* Injections
|
||||||
* Masquerading
|
* Masquerading
|
||||||
|
|
@ -55,6 +63,7 @@ Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventDat
|
||||||
* Remote Thread (OpenThread, ResumeThread)
|
* Remote Thread (OpenThread, ResumeThread)
|
||||||
|
|
||||||
### Detecting Evasion Techniques with Powershell
|
### Detecting Evasion Techniques with Powershell
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'
|
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=15'
|
||||||
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'
|
Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=8'
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue