Windows Registry Auditing Cheat Sheet updated for Aug 2019 v2.5

The Windows Registry Auditing Cheat Sheet has been updated to include a few new items to monitor for malicious activity. Keep in mind when applying this to the user space that the current user (HKCU) is the one logged in. For any other users you want to set Registry auditing on, you must do so under HKU/GUID, so you must know their user GUID or use a script that crawls all of the GUIDs and applies the settings.

You can get the new Cheat Sheet HERE:

Training at BSides OK April 10th-11th 2018

Malware Discovery and Basic Analysis

When: April 10th-11th 2018

Where: BSides OK (Just southwest of Tulsa)

Course Description:

Malware Discovery and Malware Analysis is an essential skill for today’s Information Security, Security Operations Center (SOC), and IT professionals. This course is perfect for people wanting to improve and get faster at Incident Response.

This course focuses on performing fast triage, how to discover if a system has malware, and how to build a malware analysis lab and perform basic malware analysis quickly. The goal and objective is to apply the results to Malware Management with actionable information to improve your Information Security program. The tools and techniques used, and the steps to analyze malware to determine if a system is clean or truly infected, will be covered. The concepts of Malware Management, Malware Discovery and Basic Malware Analysis will be discussed with exercises linking the three together.

Training in Houston April 9th, 2018

MITRE ATT&CK, What is it, how to use and apply it to your organization

When: April 9th, 2018 (1-Day)

Where: HouSecCon Marriott Marquis Houston

Course Description:

MITRE has created the “Adversarial Tactics, Techniques & Common Knowledge” (ATT&CK) framework to help security practitioners understand the actual techniques and tactics that adversaries use against us. The advantage of ATT&CK is that it allows us to build a framework to understand how we might detect, respond to, and prevent many of the tactics. Creating your own ATT&CK framework provides a way for us to map what technologies, procedures, playbooks, reports/queries, and alerts we have, and then map any gaps we have so that they can be addressed.

Windows Incident Response and Logging Training - Houston Weds Mar 22nd

As a part of HouSecCon at the Derek Hotel we are putting on a 1-day 'Windows Incident Response and Logging' course to help attendees get up to speed on basic IR concepts and to answer 5 questions about Windows logging and auditing:

  1. Why is Windows audit logging so important?
  2. How do you check a Windows system for proper audit logging?
  3. Where do you get the information on what to set for proper audit logging?
  4. How do you set the proper things for proper audit logging?
  5. What tools can be used to view the audit logs?

You can sign up here for the training:

And sign up for the conference on Thursday here:

Malware Discovery and Windows Incident Response & Logging Training - Austin Dec 12-14

Malware Archaeology in conjunction with Capitol of Texas ISSA chapter is hosting a Malware Discovery and Basic Analysis 2 day class and Windows Incident Response and Logging 1 day class at the Wingate in Round Rock.

Looking to up your malwarez hunting skillz and learn some basics about Windows Incident Response and become a Windows logging guru? Come to this class and learn how the blue teamers do it and catch the bad guys.

More info on the Austin ISSA website and register here:

Malware Discovery Training coming to Oklahoma City July 18-20

Oklahoma City - Malware Discovery and Basic Malware Analysis

George Epperly Business Building - Rose State College - 6420 Southeast 15th Street, Midwest City, OK 73110

  • July 18th-19th 2016 - Sponsored by the ISSA OKC chapter

Oklahoma City - Windows Incident Response and Logging

More information and register here:

Great shout out from Paul and John on the Security Weekly Enterprise Podcast Episode 5

Paul Asadoorian and John Strand, discussing Log Management and SIEM, mention the Cheat Sheets to help you know what to set and look for in your Windows logs. Thanks gents, I guess it is time to come on the podcast and let you know what we are up to.

It is important to point out that you cannot start to gain the benefit of your Log Management solution or SIEM until you enable and configure your Windows log settings per the Cheat Sheets found here:

#Happy Hunting

More Malware Analysis Reports added

A couple more reports have been added to help you with Malware Management. Malware Management can help you understand and know WHERE to look and WHAT to look for when it comes to a possibly infected system. You can read about Malware Management here:

You can find the updated Malware Analysis reports here:

Also updated was the "Windows Splunk Logging Cheat Sheet" to expand on the Windows commands abused by hackers. You can get the Cheat Sheets here:

And you can read a blog entry about Windows commands abused by hackers over at

New for 2016, 2 new Cheat Sheets and an update

Happy New Year everyone!

We have added two new cheat sheets and an update to the "Windows Logging Cheat Sheet" to kick off the new year!


To continue our efforts in providing the community with information that can help people improve their logging capabilities, thus improving their overall security posture, we have released these two new cheat sheets focused on getting people started with file and registry auditing.

Why do file and registry auditing? Because there are common locations you can audit that will catch the bulk of commodity malware and many advanced malware artifacts. By configuring strategic auditing on key file directories and autorun registry locations, you can catch file drops as they happen and the registry keys used to launch the malware.

Take the Dec 2015 Dridex malware variant, where the malware created a file and a registry entry when the system shut down or was rebooted. How would you detect this type of infection when the malware is only in memory while the system is running? File auditing on the %AppData% or AppData\Roaming directory would catch the malware being written back to disk on reboot or shutdown, and registry auditing would catch the launching command being added to the HKCU Run key and then deleted again on startup. You do not have to audit the entire disk or registry to do effective auditing, just key places that are known to be used in commodity and more advanced malware. Practice Malware Management to improve and expand your auditing rules.

Read more on the Dec Dridex malware on Michael's HackerHurricane blog here:

Read more on Malware Management here:

Auditing does not have to eat up your log management license, because well-tuned auditing adds very little to the logs. Event IDs 4663 (file) and 4657 (registry) are what will be added to the logs when auditing is used. Of course, tweak your auditing rules to only collect what you need and remove unnecessary locations. You should increase your local maximum Security log size to 1GB in order to collect enough events before the logs rotate, shooting for roughly 7 days of logs or more to be stored locally.

To refine your file and registry logging, use LOG-MD to evaluate what is being collected and tweak the auditing to reduce noisy folders, files and keys, collecting only what is important to monitor security-wise. LOG-MD may be found here:
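As an added example (my own code, not from Malware Archaeology or the cheat sheets), covering both the HKU crawl mentioned at the top of the page and the auditing targets described above: a PowerShell script that enables the Object Access subcategories 4657/4663 depend on, grows the Security log to 1GB, puts a registry SACL on the Run key under HKLM and under every user hive loaded in HKEY_USERS (hives are named by user SID), and puts a file SACL on the current user's AppData\Roaming. It assumes an elevated prompt; the 'Everyone' principal, the rights audited and the SID regex are my choices.

```powershell
# Added example, not code from Malware Archaeology or its cheat sheets.
# Applies the post's auditing targets and prerequisites. Run elevated:
# SACL changes need SeSecurityPrivilege.
$ErrorActionPreference = 'Stop'
# Without these subcategories a SACL is silent: no 4657 (registry) or 4663 (file).
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
# Grow the local Security log (1 GB) so roughly a week of events survives rotation.
wevtutil sl Security /ms:1073741824

# Registry SACL: record value writes, subkey creation and deletion by anyone.
$regRule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$targets = @("HKLM:\$runSubKey")

# Crawl every loaded user hive instead of only HKCU (the logged-in user).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$userHives = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
foreach ($hive in $userHives) { $targets += "HKU:\$($hive.PSChildName)\$runSubKey" }

foreach ($key in $targets) {
    if (-not (Test-Path -Path $key)) { continue }   # hive loaded but no Run key yet
    $acl = Get-Acl -Path $key -Audit
    $acl.AddAuditRule($regRule)
    Set-Acl -Path $key -AclObject $acl
    Write-Host "Registry auditing (4657) set on $key"
}

# File SACL on the Roaming profile folder, the drop location in the Dridex case.
$fileRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write,Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $env:APPDATA -Audit
$acl.AddAuditRule($fileRule)
Set-Acl -Path $env:APPDATA -AclObject $acl
Write-Host "File auditing (4663) set on $env:APPDATA"
```

Hives for users who are not logged in are not loaded under HKEY_USERS, so the crawl only reaches logged-in and service accounts; run it again after tuning with LOG-MD if a folder or key turns out to be noisy.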

Malware Discovery and Basic Malware Analysis Training

Do you want to know how to find malware?  Improve your malware hunting skills?  Learn from those that have had to deal with the worst kind of malware?

Austin, TX. Oct 5-6, 2015

Round Rock Wingate Conference Center (BSides Austin location)

Malware Discovery is an essential skill for today’s InfoSec and IT professionals. Many malware courses start you off with an infected system and teach how to deeply analyze or even reverse engineer the malware.

This course focuses on how to discover if a system has malware, then how to do basic malware analysis and build a simple lab to do testing in. The goal is speed, so you can get back to other tasks. We will look at what tools you need and the techniques and steps to analyze malware so you can determine if a system is clean or truly infected.

This course covers everything from everyday commodity malware that you might get in email or while surfing, to advanced malware in a targeted attack. The focus will be on Windows systems, but it will touch on some tools for Apple and Linux systems as well.


  • $199 per person
  • $99 for ISSA, OWASP & InfraGard members with discount code

Course Requirements:

  • Bare-bones system running Windows
  • Laptop running a Virtual Machine (VirtualBox, VMware, Parallels, etc.)
  • Guest VM running Windows 7 or later
  • A list of tools will be provided on DVD the day of the training, or can be downloaded from Malware Archaeology the week of the training.
  • Malware samples will be provided
  • A cloud server for infecting is optional