Windows Logs

Windows event log analysis: what to watch for as indicators of compromise or indicators of attack.


Last updated 4 years ago


Windows

Threat Detection with Windows Event Logs

Demo 1: Successful Brute Force attempts

Tactic: Credential Access. Technique: Brute Force (MITRE ATT&CK T1110). Relevant events: a run of 4625 (an account failed to log on) from one source against one account, followed by a 4624 (an account was successfully logged on) for the same account from the same source.
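The correlation behind this demo, written as an added Python example rather than the Splunk search the video uses (it is not code from the page or from Splunk): 4625 failures are grouped by source address and target account, and a 4624 success is flagged when enough failures preceded it inside the window. The events are constructed sample records; the field names (EventCode, TargetUserName, IpAddress) are the Security event's own data fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, not real telemetry).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T10:00:01", "EventCode": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.55"},
    {"_time": "2024-03-01T10:00:03", "EventCode": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.55"},
    {"_time": "2024-03-01T10:00:05", "EventCode": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.55"},
    {"_time": "2024-03-01T10:00:07", "EventCode": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.55"},
    {"_time": "2024-03-01T10:00:09", "EventCode": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.55"},
    # success right after the burst: this is the successful brute force
    {"_time": "2024-03-01T10:00:11", "EventCode": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.55"},
    # two typos then a success: normal user behaviour, below threshold
    {"_time": "2024-03-01T10:05:00", "EventCode": 4625, "TargetUserName": "asmith", "IpAddress": "10.0.0.77"},
    {"_time": "2024-03-01T10:05:02", "EventCode": 4625, "TargetUserName": "asmith", "IpAddress": "10.0.0.77"},
    {"_time": "2024-03-01T10:06:00", "EventCode": 4624, "TargetUserName": "asmith", "IpAddress": "10.0.0.77"},
    # ordinary logon with no failures
    {"_time": "2024-03-01T11:00:00", "EventCode": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.9"},
    # five failures and no success: a failed brute force, out of scope for this rule
    {"_time": "2024-03-01T11:30:00", "EventCode": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.5"},
    {"_time": "2024-03-01T11:30:01", "EventCode": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.5"},
    {"_time": "2024-03-01T11:30:02", "EventCode": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.5"},
    {"_time": "2024-03-01T11:30:03", "EventCode": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.5"},
    {"_time": "2024-03-01T11:30:04", "EventCode": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.5"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_successful_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per 4624 that was preceded, within `window`, by at least
    `threshold` 4625 failures from the same source IP against the same account."""
    ordered = sorted(events, key=lambda e: parse_time(e["_time"]))
    failures = defaultdict(list)  # (IpAddress, TargetUserName) -> failure timestamps
    alerts = []
    for event in ordered:
        key = (event["IpAddress"], event["TargetUserName"])
        when = parse_time(event["_time"])
        if event["EventCode"] == 4625:
            failures[key].append(when)
        elif event["EventCode"] == 4624:
            recent = [t for t in failures[key] if when - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "source_ip": key[0],
                    "user": key[1],
                    "failures": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success_time": when.isoformat(),
                })
            failures[key].clear()  # a success closes the attempt sequence
    return alerts


if __name__ == "__main__":
    for alert in detect_successful_brute_force(SAMPLE_EVENTS):
        print(alert)
```

Keying on (source, account) catches classic brute force; to catch password spraying, key on the source address alone and count distinct accounts instead. The admin account hammered from 203.0.113.5 is deliberately not flagged here because no 4624 follows; a separate rule on 4625 volume or on 4740 lockouts covers failed attempts.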

Finding New Local Admin Accounts

Often an attack includes the creation of a new user account, followed by elevation of its permissions to administrator level. The linked video shows how to use Splunk to find these accounts so that you can take action if needed. Relevant events: 4720 (a user account was created) followed by 4732 (a member was added to a security-enabled local group) where the group is the built-in Administrators group; match on its well-known SID S-1-5-32-544 rather than the group name, which is localized.
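The same correlation as an added Python example (not code from the page or from Splunk): a 4720 records the new account's SID in TargetSid, and a 4732 records the added member's SID in MemberSid and the group's SID in TargetSid, so joining on the SID links the creation to the promotion. The events are constructed sample records; the field names are the Security event's own data fields.

```python
from datetime import datetime, timedelta

LOCAL_ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


# Constructed sample Security events (hypothetical hosts, accounts and SIDs).
SAMPLE_EVENTS = [
    # new account created and promoted 40 seconds later by a service account
    {"_time": "2024-03-01T02:13:00", "EventCode": 4720, "Computer": "WEB01", "SubjectUserName": "svc_web",
     "TargetUserName": "support2", "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"_time": "2024-03-01T02:13:40", "EventCode": 4732, "Computer": "WEB01", "SubjectUserName": "svc_web",
     "TargetUserName": "Administrators", "TargetSid": LOCAL_ADMINISTRATORS_SID,
     "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    # new account added to Remote Desktop Users only: not an admin, not flagged
    {"_time": "2024-03-01T09:00:00", "EventCode": 4720, "Computer": "HR02", "SubjectUserName": "helpdesk1",
     "TargetUserName": "newhire", "TargetSid": "S-1-5-21-4444-5555-6666-1106"},
    {"_time": "2024-03-01T09:00:30", "EventCode": 4732, "Computer": "HR02", "SubjectUserName": "helpdesk1",
     "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555",
     "MemberSid": "S-1-5-21-4444-5555-6666-1106"},
    # existing account promoted (no matching 4720): outside this rule's scope
    {"_time": "2024-03-01T10:00:00", "EventCode": 4732, "Computer": "HR02", "SubjectUserName": "admin",
     "TargetUserName": "Administrators", "TargetSid": LOCAL_ADMINISTRATORS_SID,
     "MemberSid": "S-1-5-21-4444-5555-6666-1001"},
]


def find_new_local_admins(events, window=timedelta(hours=24)):
    """Return an alert for every account that was created (4720) and then added to
    the local Administrators group (4732) within `window`, joined on the account SID."""
    ordered = sorted(events, key=lambda e: parse_time(e["_time"]))
    created = {}  # account SID -> the 4720 event that created it
    alerts = []
    for event in ordered:
        if event["EventCode"] == 4720:
            created[event["TargetSid"]] = event
        elif event["EventCode"] == 4732 and event["TargetSid"] == LOCAL_ADMINISTRATORS_SID:
            origin = created.get(event["MemberSid"])
            if origin is None:
                continue  # promotion of a pre-existing account: review separately
            age = parse_time(event["_time"]) - parse_time(origin["_time"])
            if age <= window:
                alerts.append({
                    "host": event["Computer"],
                    "account": origin["TargetUserName"],
                    "created_by": origin["SubjectUserName"],
                    "promoted_by": event["SubjectUserName"],
                    "seconds_between": int(age.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_new_local_admins(SAMPLE_EVENTS):
        print(alert)
```

4732 covers local groups, including the built-in Administrators group on a domain controller; additions to domain global and universal groups are logged as 4728 and 4756 respectively, so a domain-wide version of this rule joins on those as well.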

Recurring Malware on Host

Using anti-virus logs to detect whether malware recurs on a host after being removed: the same threat name reported repeatedly on one host after a "cleaned" or "quarantined" action means the removal did not hold, and the persistence mechanism or re-infection path still needs to be found.

Network and Port Scan

Using Splunk with firewall logs to detect hosts that are running network and port scans: one source address hitting many destination ports on a single host (a port scan), or one port across many destination hosts (a network sweep), within a short window.
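Both of the preceding detections (recurring malware on a host, and network and port scans) share one shape, a count over a time window, so this added Python example covers them together. It is not code from the page or from Splunk. The anti-virus records use hypothetical product-neutral fields, and the firewall lines are constructed in a generic key=value syslog style that is not a real vendor format.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


# --- Recurring malware: constructed anti-virus records (hypothetical fields) ---
AV_EVENTS = [
    {"_time": "2024-03-01T08:00:00", "host": "WS-104", "threat": "Trojan:Win32/Emotet", "action": "Quarantined"},
    {"_time": "2024-03-01T08:40:00", "host": "WS-104", "threat": "Trojan:Win32/Emotet", "action": "Quarantined"},
    {"_time": "2024-03-01T09:20:00", "host": "WS-104", "threat": "Trojan:Win32/Emotet", "action": "Quarantined"},
    {"_time": "2024-03-01T09:30:00", "host": "WS-211", "threat": "PUA:Win32/Toolbar", "action": "Removed"},
    {"_time": "2024-03-02T10:30:00", "host": "WS-211", "threat": "PUA:Win32/Toolbar", "action": "Removed"},  # 25h later
]
REMOVAL_ACTIONS = {"Quarantined", "Removed", "Cleaned", "Deleted"}


def find_recurring_malware(events, window=timedelta(hours=24), threshold=3):
    """Flag a (host, threat) pair once its removal has been repeated `threshold` times within `window`."""
    removals = defaultdict(list)  # (host, threat) -> removal timestamps
    reported, alerts = set(), []
    for e in sorted(events, key=lambda e: parse_time(e["_time"])):
        if e["action"] not in REMOVAL_ACTIONS:
            continue
        key, when = (e["host"], e["threat"]), parse_time(e["_time"])
        removals[key] = [t for t in removals[key] if when - t <= window] + [when]
        if len(removals[key]) >= threshold and key not in reported:
            reported.add(key)
            alerts.append({"host": key[0], "threat": key[1], "removals_in_window": len(removals[key])})
    return alerts


# --- Scans: constructed firewall deny lines in a generic key=value style ---
def build_firewall_lines():
    lines = []
    for i in range(25):  # 10.0.0.55 probes 25 ports on one host in 25 seconds: port scan
        lines.append(f"2024-03-01T10:00:{i:02d} action=deny src=10.0.0.55 dst=10.0.1.20 dport={20 + i} proto=tcp")
    for i in range(25):  # 10.0.0.77 hits port 445 on 25 hosts: network sweep
        lines.append(f"2024-03-01T10:05:{i:02d} action=deny src=10.0.0.77 dst=10.0.2.{10 + i} dport=445 proto=tcp")
    for i in range(4):   # 10.0.0.9 has a few denies: background noise
        lines.append(f"2024-03-01T10:10:{i:02d} action=deny src=10.0.0.9 dst=10.0.1.{30 + i} dport=443 proto=tcp")
    return lines


def parse_kv_line(line):
    timestamp, _, rest = line.partition(" ")
    fields = dict(part.split("=", 1) for part in rest.split())
    fields["_time"] = timestamp
    return fields


def find_scanners(lines, window=timedelta(minutes=1), port_threshold=20, host_threshold=20):
    """Per source address, look for `port_threshold` distinct ports on one destination (port scan)
    or `host_threshold` distinct destinations on one port (sweep) inside any `window`."""
    per_src = defaultdict(list)
    for rec in sorted((parse_kv_line(l) for l in lines), key=lambda r: parse_time(r["_time"])):
        per_src[rec["src"]].append(rec)
    alerts = []
    for src, recs in per_src.items():
        for i, first in enumerate(recs):
            start = parse_time(first["_time"])
            ports_per_dst, dsts_per_port = defaultdict(set), defaultdict(set)
            for rec in recs[i:]:
                if parse_time(rec["_time"]) - start > window:
                    break
                ports_per_dst[rec["dst"]].add(rec["dport"])
                dsts_per_port[rec["dport"]].add(rec["dst"])
            port_scan = {d: len(p) for d, p in ports_per_dst.items() if len(p) >= port_threshold}
            sweep = {p: len(d) for p, d in dsts_per_port.items() if len(d) >= host_threshold}
            if port_scan or sweep:
                alerts.append({"src": src, "window_start": first["_time"], "port_scan": port_scan, "network_sweep": sweep})
                break  # report each source once
    return alerts


if __name__ == "__main__":
    print(find_recurring_malware(AV_EVENTS))
    print(find_scanners(build_firewall_lines()))
```

The second WS-211 detection falls 25 hours after the first, so it is outside the 24-hour window and is not counted; tune the window to the re-scan interval of the product in use so scheduled scans of a file the engine cannot delete do not look like a new infection. For real firewall data, filter on denied or dropped traffic before counting, since allowed sessions to many ports are normal for a vulnerability scanner or a backup server, and those sources belong on an allowlist.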

Demo 2: Event clearing

Tactic: Defense Evasion. Technique: Indicator Removal on Host (MITRE ATT&CK T1070). Relevant event: 1102 (the audit log was cleared), which records the account that cleared the Security log.

Demo 3: Account manipulation

Tactic: Credential Access. Technique: Account Manipulation (MITRE ATT&CK T1098; newer ATT&CK versions list it under Persistence). Relevant event: 4738 (a user account was changed), together with 4720 (created), 4722 (enabled) and 4724 (an attempt was made to reset an account's password).
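Demo 2 and Demo 3 are both single-event and short-window rules over the same Security feed, so this added Python example (not code from the page or from Splunk) implements them together: every log-clearing event is alerted, a password reset by anyone outside a helpdesk allowlist is alerted, and a subject that performs several account changes in quick succession is alerted once as a burst. The events are constructed sample records, and the helpdesk allowlist is an assumption for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs that create, enable, reset, delete, change or group-promote an account.
MANIPULATION_CODES = {4720, 4722, 4724, 4726, 4738, 4732}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


# Constructed sample events (hypothetical). 1102 is written to the Security log when it
# is cleared; 104 is written to the System log by Microsoft-Windows-Eventlog when any
# other log is cleared, so LogName and SourceName are carried along.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T09:10:00", "EventCode": 1102, "LogName": "Security", "SourceName": "Microsoft-Windows-Eventlog",
     "Computer": "WEB01", "SubjectUserName": "svc_web"},
    {"_time": "2024-03-01T09:11:00", "EventCode": 104, "LogName": "System", "SourceName": "Microsoft-Windows-Eventlog",
     "Computer": "WEB01", "SubjectUserName": "svc_web"},
    # helpdesk resets a password and edits the account: allowlisted, two events, no alert
    {"_time": "2024-03-01T13:00:00", "EventCode": 4724, "LogName": "Security", "Computer": "DC01",
     "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe"},
    {"_time": "2024-03-01T13:05:00", "EventCode": 4738, "LogName": "Security", "Computer": "DC01",
     "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe"},
    # a service account resets, changes and enables accounts within two minutes
    {"_time": "2024-03-01T14:00:00", "EventCode": 4724, "LogName": "Security", "Computer": "DC01",
     "SubjectUserName": "svc_web", "TargetUserName": "backupadm"},
    {"_time": "2024-03-01T14:00:20", "EventCode": 4738, "LogName": "Security", "Computer": "DC01",
     "SubjectUserName": "svc_web", "TargetUserName": "backupadm"},
    {"_time": "2024-03-01T14:01:05", "EventCode": 4722, "LogName": "Security", "Computer": "DC01",
     "SubjectUserName": "svc_web", "TargetUserName": "Guest"},
    {"_time": "2024-03-01T14:02:00", "EventCode": 4688, "LogName": "Security", "Computer": "DC01",
     "SubjectUserName": "svc_web", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},  # ignored here
]


def run_detections(events, helpdesk_accounts=frozenset({"helpdesk1"}),
                   burst_threshold=3, window=timedelta(minutes=10)):
    """Return alerts for log clearing (Demo 2) and account manipulation (Demo 3)."""
    ordered = sorted(events, key=lambda e: parse_time(e["_time"]))
    recent = defaultdict(list)  # SubjectUserName -> manipulation events inside the window
    burst_reported, alerts = set(), []
    for event in ordered:
        code, subject, when = event["EventCode"], event.get("SubjectUserName", "?"), parse_time(event["_time"])
        # Demo 2: neither event has a benign automated cause, so every one is alerted
        # and triaged on who cleared which log on which host.
        if code == 1102 or (code == 104 and event.get("SourceName") == "Microsoft-Windows-Eventlog"):
            alerts.append({"rule": "log_cleared", "host": event["Computer"], "log": event["LogName"],
                           "subject": subject, "time": event["_time"]})
            continue
        if code not in MANIPULATION_CODES:
            continue
        # Demo 3a: a password reset (4724) by a non-helpdesk principal stands on its own.
        if code == 4724 and subject not in helpdesk_accounts:
            alerts.append({"rule": "unexpected_password_reset", "host": event["Computer"],
                           "subject": subject, "target": event["TargetUserName"], "time": event["_time"]})
        # Demo 3b: several account changes by one subject inside the window are a burst.
        bucket = recent[subject]
        bucket.append(event)
        bucket[:] = [e for e in bucket if when - parse_time(e["_time"]) <= window]
        if len(bucket) >= burst_threshold and subject not in burst_reported:
            burst_reported.add(subject)
            alerts.append({"rule": "account_manipulation_burst", "subject": subject,
                           "codes": [e["EventCode"] for e in bucket],
                           "targets": sorted({e["TargetUserName"] for e in bucket}),
                           "first": bucket[0]["_time"], "last": bucket[-1]["_time"]})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

An attacker who wants to hide a run of account changes usually clears the log afterwards, so a log_cleared alert on a host that produced a burst shortly before it should be escalated together; the 4688 process-creation event is skipped by this rule but is the natural pivot for finding the tool (net.exe, wevtutil.exe, PowerShell) that did the work.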

Windows EventIDs

  • 4624 - An account was successfully logged on
  • 4688 - A new process has been created
  • 4738 - A user account was changed
  • 1102 - The audit log was cleared

References

  • Windows Splunk Logging.pdf (attached, 522KB)
  • Windows Logs Explanation
  • Searching for Successful Brute Force Attempts
  • Network and Port Scan
  • Searching for Log Removal
  • Searching for Account Manipulation