Windows Logs
Notes on watching Windows logs for indicators of compromise (IoCs) and indicators of attack (IoAs).
Windows
❗ Threat Detection with Windows Event Logs
Demo 1: Successful Brute Force attempts
Tactic: Credential Access
Technique: Brute Force
Finding New Local Admin Accounts
Often an attack will include the creation of a new user, followed by permissions being elevated to an admin level. In this video we show you how to use Splunk to find these accounts so that you can take action if needed.
Recurring Malware on Host
Using Anti-Virus logs to detect if malware is recurring on a host after being removed.
Network and Port Scan
Using Splunk with firewall logs to detect hosts that are running network and port scans.
Demo 2: Event clearing
Tactic: Defense Evasion
Technique: Indicator Removal on Host
Demo 3: Account manipulation
Tactic: Credential Access
Technique: Account Manipulation
Windows EventIDs
References