Windows Logs

To watch out for indicators of compromise or indicators of attack.

Windows

❗ Threat Detection with Windows Event Logs

Demo 1: Successful Brute Force attempts

Tactic: Credential Access Technique: Brute Force

Searching for Successful Brute Force Attempts

Finding New Local Admin Accounts

Often an attack will include the creation of a new user, followed by permissions being elevated to an admin level. In this video we show you how to use Splunk to find these accounts so that you can take action if needed.

Recurring Malware on Host

Using Anti-Virus logs to detect if malware is recurring on a host after being removed.

Network and Port Scan

Using Splunk with firewall logs to detect hosts that are running network and port scans.

Network and Port Scan

Demo 2: Event clearing

Tactic: Defense Evasion Technique: Indicator Removal on Host

Searching for Log Removal

Demo 3: Account manipulation

Tactic: Credential Access Technique: Account Manipulation

Searching for Account Manipulation

Windows EventIDs

Click Here

References

4688 4738 4624 1102

522KB

Windows Splunk Logging.pdf

pdf

Windows Logs Explanation