Windows forensics: have I been hacked?

The main question is: how do I know if I have been hacked?
Hacking mind map: https://www.marcolancini.it/2018/blog-hacker-playbook-mindmap/
Detecting lateral movement using event logs: http://blog.jpcert.or.jp/.s/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html
Sysmon 6: https://technet.microsoft.com/en-us/sysinternals/sysmon
How to use it:
https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
http://blog.crowdstrike.com/sysmon-2/
http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html
Additional resources on this blog: http://wp.me/p15Zft-od
Some other links: http://www.computerforensicsworld.com/, http://www.forensics.nl/links
The first step is to scan your computer with a Rootkit…

Windows forensic: Sysmon

Download Sysmon (NEW: Sysmon 10.42 is available!): https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
How to use it:
WMI detections: https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/
MITRE ATT&CK framework (Sysmon coverage): https://attack.mitre.org/
Installation and usage (configuration files):
https://github.com/olafhartong/sysmon-modular
https://github.com/ion-storm/sysmon-config
https://github.com/SwiftOnSecurity/sysmon-config
List of web resources concerning Sysmon: https://github.com/MHaggis/sysmon-dfir
Motiba, Sysinternals Sysmon suspicious activity guide: https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmon-suspicious-activity-guide/
Sysmon events table: https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-events-table/
Mark Russinovich's RSA Conference presentation: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
Sysmon config files explained: https://www.bsk-consulting.de/2015/02/04/sysmon-example-config-xml/
Hide Sysmon from…

Detecting hackers (or intrusions) using Windows event log monitoring

The NSA released a PDF entitled “Spotting the Adversary with Windows Event Log Monitoring” earlier this year. The good news is it’s probably one of the most detailed documents I’ve seen in a long time. Everything from setting up Event Subscriptions, to a hardened use of Windows Remote Management, including the use of authentication and…