Windows Logs

To watch out for indicators of compromise or indicators of attack.

Windows

❗ Threat Detection with Windows Event Logs

Demo 1: Successful Brute Force attempts

Tactic: Credential Access Technique: Brute Force

Finding New Local Admin Accounts

Often an attack will include the creation of a new user, followed by permissions being elevated to an admin level. In this video we show you how to use Splunk to find these accounts so that you can take action if needed.

Recurring Malware on Host

Using Anti-Virus logs to detect if malware is recurring on a host after being removed.

Network and Port Scan

Using Splunk with firewall logs to detect hosts that are running network and port scans.

Demo 2: Event clearing

Tactic: Defense Evasion Technique: Indicator Removal on Host

Demo 3: Account manipulation

Tactic: Credential Access Technique: Account Manipulation

Windows EventIDs

Click Here

References

4688 4738 4624 1102

PreviousIncident Response NextWindows Ransomware Detection

Last updated 4 years ago

hashtagWindows

hashtag Demo 1: Successful Brute Force attempts

hashtagFinding New Local Admin Accounts

hashtagRecurring Malware on Host

hashtagNetwork and Port Scan

hashtagDemo 2: Event clearing

hashtag Demo 3: Account manipulation

hashtagWindows EventIDs

hashtag

hashtagReferences

hashtag4688 4738 4624 1102arrow-up-right