Happy New Year everyone!
We have added two new cheat sheets and an update to the "Windows Logging Cheat Sheet" to kick off the new year!
To continue our efforts in providing the community with information that can help people improve their logging capabilities, thus improving their overall security posture, we have released these two new cheat sheets focused on getting people started with file and registry auditing.
Why do file and registry auditing? Because there are common locations you can audit that will catch the bulk of commodity malware and many advanced malware artifacts. By configuring strategic auditing on key file directories and autorun registry locations, you can catch file drops as they happen and registry keys used to launch the malware.
Take the Dec 2015 Dridex malware variant where the malware created a file and registry entry when the system shutdown or was rebooted. How would you detect this type of infection when the malware is only in memory while the system is running? File auditing on the %AppData% or AppData\Roaming directory would catch the malware being written back to disk and the launching command in the HKCU Run key on reboot or shutdown and again being deleted on startup. You do not have to audit the entire disk or registry to do effective auditing, just key places that are known to be used in commodity and more advanced malware. Practice Malware Management to improve and expand your auditing rules.
Read more on the Dec Dridex malware on Michael's HackerHurricane blog here:
Read more on Malware Management here:
Auditing does not have to eat up your log management license because well tuned auditing adds very little to the logs. Event ID's 4663 (file) and 4657 (registry) are what will be added to the logs when auditing is used. Of course, tweak your auditing rules to only collect what you need and remove unnecessary locations. You should increase your local maximum Security log size to 1GB in order to collect enough events before the logs rotate, shooting for roughly 7 days of logs or more to be stored locally.
To refine your file and registry logging, use LOG-MD to evaluate what is being collected and tweak the auditing to reduce noisy folders, files and keys and collect only what is important to monitor security wise. LOG-MD may be fond here: