Nytro

Spotting the Adversary with Windows Event Log Monitoring


Author: National Security Agency/Central Security Service

Contents
1 Introduction
2 Deployment
  2.1 Ensuring Integrity of Event Logs
  2.2 Environment Requirements
  2.3 Log Aggregation on Windows Server 2008 R2
  2.4 Configuring Source Computer Policies
  2.5 Disabling Windows Remote Shell
  2.6 Firewall Modification
  2.7 Restricting WinRM Access
  2.8 Disabling WinRM and Windows Collector Service
3 Hardening Event Collection
  3.1 WinRM Authentication Hardening Methods
  3.2 Secure Sockets Layer and WinRM
4 Recommended Events to Collect
  4.1 Application Whitelisting
  4.2 Application Crashes
  4.3 System or Service Failures
  4.4 Windows Update Errors
  4.5 Windows Firewall
  4.6 Clearing Event Logs
  4.7 Software and Service Installation
  4.8 Account Usage
  4.9 Kernel Driver Signing
  4.10 Group Policy Errors
  4.11 Windows Defender Activities
  4.12 Mobile Device Activities
  4.13 External Media Detection
  4.14 Printing Services
  4.15 Pass the Hash Detection
  4.16 Remote Desktop Logon Detection
5 Event Log Retention
6 Final Recommendations
7 Appendix
  7.1 Subscriptions
  7.2 Event ID Definitions
  7.3 Windows Remote Management Versions
  7.4 WinRM 2.0 Configuration Settings
  7.5 WinRM Registry Keys and Values
  7.6 Troubleshooting
8 Works Cited

Download:

http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf
