Quality not Quantity: Continuous Monitoring's Deadliest Events
Commands:
Search service creation events and errors:
PS> Get-WinEvent -FilterHashtable @{logname='system'; id=7045,7030}
User creation events and users added to local and global security-enabled groups:
PS> Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720,4732,4728}
Full command line of all processes (requires https://support.microsoft.com/en-us/kb/3004375):
PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}
AppLocker Events (requires AppLocker):
PS> Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-AppLocker/EXE and DLL"; ID=8003,8004}
Detect when EMET blocks malware (requires EMET):
PS> Get-WinEvent -FilterHashtable @{LogName="application"; ProviderName="EMET"; id=2}
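The five one-liners above can be combined into one sweep that tolerates hosts where a log is missing (no AppLocker policy, EMET not installed) or empty. This is an added example, not part of the original notes; the function name, parameter names and category labels are my own, and it assumes it runs in an elevated session.

```powershell
# Added example (not from the original talk notes): poll the five event categories
# listed above over a lookback window and emit one summary object per hit. Logs that
# are absent or return nothing are skipped instead of aborting the whole sweep.
function Get-DeadlyEvents {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 24,
        [int]$MaxPerCategory = 200
    )
    $since = (Get-Date).AddHours(-$LookbackHours)

    # Same filters as the one-liners above, each tagged with a triage label.
    # 4688 only carries the command line once KB3004375 auditing is enabled.
    $categories = @(
        @{ Name = 'ServiceInstall'; Filter = @{ LogName = 'System';   Id = 7045, 7030 } }
        @{ Name = 'AccountChange';  Filter = @{ LogName = 'Security'; Id = 4720, 4732, 4728 } }
        @{ Name = 'ProcessCreate';  Filter = @{ LogName = 'Security'; Id = 4688 } }
        @{ Name = 'AppLockerBlock'; Filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } }
        @{ Name = 'EmetMitigation'; Filter = @{ LogName = 'Application'; ProviderName = 'EMET'; Id = 2 } }
    )

    foreach ($cat in $categories) {
        $filter = $cat.Filter.Clone()
        $filter['StartTime'] = $since
        try {
            # -ErrorAction Stop makes "no events found" and "log not found" catchable,
            # so one missing log does not stop the remaining categories.
            $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxPerCategory -ErrorAction Stop
        } catch {
            Write-Verbose ("{0}: skipped ({1})" -f $cat.Name, $_.Exception.Message)
            continue
        }
        foreach ($e in $events) {
            [pscustomobject]@{
                Category    = $cat.Name
                TimeCreated = $e.TimeCreated
                Id          = $e.Id
                Computer    = $e.MachineName
                # First message line is enough for triage; the full text stays in the log.
                Summary     = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

# Run as Administrator: reading the Security log requires that privilege.
Get-DeadlyEvents -LookbackHours 24 -Verbose | Sort-Object TimeCreated | Format-Table -AutoSize
```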
References:
- Mandiant M-Trends 2016: https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf
- Verizon DBIR: http://www.verizonenterprise.com/DBIR/2015/
- USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers: https://www.youtube.com/watch?v=bDJb8WOJYdA
- Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data: http://www.bloomberg.com/news/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data
- The ASD 35 Strategies to Mitigate Targeted Cyber Intrusions: http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm
- Patch-crazy Aust Govt fought off EVERY hacker since 2013: http://www.theregister.co.uk/2015/06/02/patchcrazy_aust_govt_fought_off_every_hacker_since_2013/
- CIS Critical Security Controls: https://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015
- AppLocker: https://technet.microsoft.com/en-us/library/mt431813(v=vs.85).aspx
- AppLocker CSP: https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx
- Windows 10 Enterprise 90-day Trial: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
- Microsoft EMET: https://support.microsoft.com/en-us/kb/2458544
- Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375
- Windows Commands Abused by Attackers: http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html