Friday, April 01, 2016

Quality not Quantity talk, commands, and links

Quality not Quantity: Continuous Monitoring's Deadliest Events


Search service creation events and errors:
PS> Get-WinEvent -FilterHashtable @{logname='system'; id=7045,7030}

User creation events and users added to local and global security-enabled groups:
PS> Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720,4732,4728}

Full command line of all processes (requires
PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}

AppLocker Events (requires AppLocker):
PS> Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-AppLocker/EXE and DLL"; ID=8003,8004}

Detect when EMET blocks malware (requires EMET):
PS> Get-WinEvent -FilterHashtable @{LogName="application"; ProviderName="EMET"; id=2}
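An added example, not from the talk or the post, that wraps the System and Security queries above into one function with a time window and pulls the useful EventData fields (service image path, account, target user, group member, command line) out of each record. It assumes an elevated session that can read the Security log; the field names are the standard EventData names for these event IDs, and the empty-result handling assumes Get-WinEvent's default "No events were found" error text.

```powershell
# Added example (not from the original post): pull the post's high-value events
# from the last N hours and flatten the interesting EventData fields into objects.
function Get-DeadliestEvents {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Log name, event IDs from the post, and the EventData fields worth surfacing
    $watch = @(
        @{ Log='System';   Id=7045,7030;      Fields='ServiceName','ImagePath','AccountName','StartType' }
        @{ Log='Security'; Id=4720,4732,4728; Fields='TargetUserName','MemberName','SubjectUserName' }
        @{ Log='Security'; Id=4688;           Fields='SubjectUserName','NewProcessName','CommandLine' }
    )

    foreach ($w in $watch) {
        $filter = @{ LogName=$w.Log; ID=$w.Id; StartTime=$since }
        try {
            $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent errors when nothing matches; treat that as an empty result
            if ($_.Exception.Message -match 'No events were found') { continue }
            throw
        }
        foreach ($e in $events) {
            $xml = [xml]$e.ToXml()
            $row = [ordered]@{
                TimeCreated = $e.TimeCreated
                Id          = $e.Id
                Log         = $w.Log
            }
            foreach ($f in $w.Fields) {
                # Each EventData/Data node carries a Name attribute; pick the ones requested
                $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $f }
                $row[$f] = if ($node) { $node.'#text' } else { $null }
            }
            [pscustomobject]$row
        }
    }
}

# Review the last day; 4688 rows without a CommandLine mean command-line auditing is off
Get-DeadliestEvents -Hours 24 |
    Where-Object { $_.Id -ne 4688 -or $_.CommandLine } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```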


  1. Mandiant M-Trends 2016
  2. Verizon DBIR
  3. USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers
  4. Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data
  5. The ASD 35 Strategies to Mitigate Targeted Cyber Intrusions
  6. Patch-crazy Aust Govt fought off EVERY hacker since 2013
  7. CIS Critical Security Controls
  8. AppLocker
  9. AppLocker CSP
  10. Windows 10 Enterprise 90-day Trial
  11. Microsoft EMET
  12. Enable Windows command-line auditing
  13. Windows Commands Abused by Attackers