Windows forensics: have I been hacked?

The main question is: how do I know if I have been hacked? Resources collected in this post: a hacking mind map; detecting lateral movement using event logs; Sysmon 6 and how to use it (slide deck); additional resources on this blog; and some other links. The first step is to scan your computer with a Rootkit[…]
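The "lateral movement from event logs" idea above, worked through as an added example (this is not code from the original post). It looks at three record types a hunter checks first: remote logons in Security 4624 (logon types 3 and 10), new service installs in System 7045 (the PsExec-style execution path), and command interpreters spawned by the WMI/WinRM provider hosts or Office in Sysmon event 1. The allowlist of trusted source hosts, the business-hours window, and every host name, IP and path in the sample records are constructed assumptions.

```powershell
# Added example, not from the original post. Hunts for lateral-movement indicators in
# Windows event records. The sample records at the bottom are CONSTRUCTED; on a live host
# feed real events through ConvertFrom-WinEventRecord instead.

function ConvertFrom-WinEventRecord {
    # Maps a real Get-WinEvent record onto the small shape used by the hunt:
    # a log label, the event Id, TimeCreated and the EventData name/value pairs.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Event,
        [Parameter(Mandatory)] [string] $LogLabel
    )
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[[string]$n.Name] = [string]$n.'#text' }
        [pscustomobject]@{ Log = $LogLabel; Id = $Event.Id; Time = $Event.TimeCreated; Data = $data }
    }
}

function Invoke-LateralMovementHunt {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Hosts that are *expected* to open network/RDP logons (assumed allowlist).
        [string[]] $TrustedSources = @('10.0.0.5'),
        # Assumed business hours; remote logons outside them get an extra note.
        [int] $DayStart = 6, [int] $DayEnd = 20
    )
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($e in $Events) {
        $d = $e.Data
        switch ("$($e.Log):$($e.Id)") {
            'Security:4624' {
                # Type 3 = network (SMB, WMI, WinRM), type 10 = RemoteInteractive (RDP).
                if ($d.LogonType -in @('3', '10') -and
                    $d.IpAddress -notin @('-', '127.0.0.1', '::1') -and
                    $d.IpAddress -notin $TrustedSources) {
                    $why = "logon type $($d.LogonType) from untrusted source $($d.IpAddress)"
                    if ($e.Time.Hour -lt $DayStart -or $e.Time.Hour -ge $DayEnd) { $why += ' outside business hours' }
                    $findings.Add([pscustomobject]@{ Time = $e.Time; Rule = 'RemoteLogon'; Subject = $d.TargetUserName; Detail = $why })
                }
            }
            'System:7045' {
                # A new service whose binary is a shell or lives in a user-writable path.
                if ($d.ImagePath -match '(?i)cmd\.exe|%COMSPEC%|powershell|\\Temp\\|\\Users\\') {
                    $findings.Add([pscustomobject]@{ Time = $e.Time; Rule = 'ServiceInstall'; Subject = $d.ServiceName; Detail = "service binary: $($d.ImagePath)" })
                }
            }
            'Sysmon:1' {
                # A command interpreter whose parent is a remote-execution host or an Office app.
                $parent  = ($d.ParentImage -split '[\\/]')[-1]
                $isShell = $d.Image -match '(?i)[\\/](cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe$'
                if ($isShell -and $parent -in @('WmiPrvSE.exe', 'wsmprovhost.exe', 'services.exe', 'WINWORD.EXE', 'EXCEL.EXE', 'OUTLOOK.EXE')) {
                    $findings.Add([pscustomobject]@{ Time = $e.Time; Rule = 'SuspiciousParent'; Subject = $d.CommandLine; Detail = "spawned by $parent" })
                }
            }
        }
    }
    return $findings
}

# Constructed sample records (field names follow the real EventData names; hosts, users, IPs and paths are made up).
$SampleEvents = @(
    [pscustomobject]@{ Log = 'Security'; Id = 4624; Time = [datetime]'2020-01-10 09:02:11'; Data = @{ LogonType = '2';  TargetUserName = 'alice';      IpAddress = '-';         WorkstationName = 'WS01' } },
    [pscustomobject]@{ Log = 'Security'; Id = 4624; Time = [datetime]'2020-01-10 09:05:40'; Data = @{ LogonType = '3';  TargetUserName = 'svc_backup'; IpAddress = '10.0.0.5';  WorkstationName = 'BACKUP01' } },
    [pscustomobject]@{ Log = 'Security'; Id = 4624; Time = [datetime]'2020-01-10 22:17:03'; Data = @{ LogonType = '3';  TargetUserName = 'alice';      IpAddress = '10.0.9.77'; WorkstationName = '' } },
    [pscustomobject]@{ Log = 'Security'; Id = 4624; Time = [datetime]'2020-01-10 22:17:05'; Data = @{ LogonType = '10'; TargetUserName = 'alice';      IpAddress = '10.0.9.77'; WorkstationName = '' } },
    [pscustomobject]@{ Log = 'System';   Id = 7045; Time = [datetime]'2020-01-10 22:18:30'; Data = @{ ServiceName = 'KfzGhJqt'; ImagePath = '%COMSPEC% /Q /c C:\Windows\Temp\update.bat' } },
    [pscustomobject]@{ Log = 'Sysmon';   Id = 1;    Time = [datetime]'2020-01-10 22:19:02'; Data = @{ Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; CommandLine = 'cmd.exe /c whoami' } },
    [pscustomobject]@{ Log = 'Sysmon';   Id = 1;    Time = [datetime]'2020-01-10 09:10:00'; Data = @{ Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'WINWORD.EXE /n' } }
)

# Four of the seven constructed records should be flagged: the two late-night logons from
# 10.0.9.77, the cmd-based service install and the cmd.exe child of WmiPrvSE.exe.
Invoke-LateralMovementHunt -Events $SampleEvents | Sort-Object Time | Format-Table -AutoSize

# Live usage (collector or local host):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ConvertFrom-WinEventRecord -LogLabel 'Security'
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ConvertFrom-WinEventRecord -LogLabel 'Sysmon'
```

The rules are deliberately coarse: an allowlist of hosts that legitimately open network logons, plus a handful of parent/child pairs that rarely occur in normal use. Tune `$TrustedSources` and the parent list to your environment before trusting the output, and treat the three rules as a starting point for a hunt, not as a complete detection set.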

Windows forensic: Sysmon

Download Sysmon (NEW: Sysmon 10.42 is available!) and how to use it; WMI detections; MITRE framework and Sysmon coverage; installation and usage; a list of web resources concerning Sysmon; Motiba; Sysmon events table; Mark Russinovich's RSA Conference slide deck; Sysmon config files explained; hide Sysmon from[…]

Detecting hackers (or intrusions) using Windows event log monitoring

The NSA released a PDF entitled “Spotting the Adversary with Windows Event Log Monitoring” earlier this year. The good news is that it is probably one of the most detailed documents I have seen in a long time: everything from setting up event subscriptions to a hardened use of Windows Remote Management, including the use of authentication and[…]
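The two building blocks named above, event subscriptions and hardened WinRM, as an added example (this is not the NSA document's own configuration, nor code from the original post). It creates a source-initiated Windows Event Forwarding subscription on a collector, then applies the forwarder-side settings that a GPO would normally push. The collector name `wec01.corp.example`, the subscription name, the selected event IDs and the SDDL allowing Domain Computers to forward are all assumptions to adapt to your domain.

```powershell
# Added example, not from the NSA document or the original post. Collector host name,
# event IDs, subscription name and SDDL are assumptions. Run the collector part on the
# Windows Event Collector server and the forwarder part on each source host (as admin).

# --- 1. Collector: enable the Windows Event Collector service and create the subscription.
wecutil qc /q                          # configures the service and the ForwardedEvents log

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>LateralMovementEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon, explicit-credential, privileged-logon and service-install events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4648 or EventID=4672)]]</Select>
        <Select Path="System">*[System[(EventID=7045)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- Assumed SDDL: Domain Computers (DC) and Network Service (NS) may forward. -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@
Set-Content -Path "$env:TEMP\LateralMovementEvents.xml" -Value $subscription -Encoding UTF8
wecutil cs "$env:TEMP\LateralMovementEvents.xml"
wecutil gr LateralMovementEvents       # runtime status: which sources are connected

# --- 2. Forwarders (normally pushed by GPO; the equivalent local commands are shown).
winrm quickconfig -q                   # WinRM listener and firewall rule
# Refuse Basic authentication and unencrypted payloads; Kerberos/Negotiate stays enabled.
winrm set winrm/config/service/auth '@{Basic="false"}'
winrm set winrm/config/service '@{AllowUnencrypted="false"}'
# Point the host at the collector (assumed name). For the certificate-authenticated
# variant use https://...:5986 and append ,IssuerCA=<CA thumbprint>.
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $smKey -Force | Out-Null
New-ItemProperty -Path $smKey -Name '1' -PropertyType String -Force `
    -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60' | Out-Null
# The forwarding service runs as NETWORK SERVICE, which cannot read the Security log by default.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'
gpupdate /force

# --- 3. Verify on the collector.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 | Format-Table TimeCreated, Id, MachineName, Message -AutoSize
```

Two checks worth doing after the first run: `wecutil gr LateralMovementEvents` should list each forwarder as Active, and `winrm get winrm/config/service` on a forwarder should show `Basic = false` and `AllowUnencrypted = false`. Add the Sysmon channel (`Microsoft-Windows-Sysmon/Operational`) to the query only once Sysmon is installed on every source in the subscription, because a query that names a channel a source does not have fails on that source.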