olafhartong/sysmon-modular: A repository of sysmon configuration modules
Book 2
GitHub - SwiftOnSecurity/sysmon-config: Sysmon configuration file template with default high-quality event tracing
Greater Visibility Through PowerShell Logging | Mandiant
CyberChef
The Key to Identify PsExec
Finding and Decoding Malicious Powershell Scripts - SANS DFIR Summit 2018
Windows RDP-Related Event Logs: Identification, Tracking, and Investigation | Ponder The Bits
Windows Event ID 1029 Hashes
Applied Incident Response Scripts
Appendix L - Events to Monitor
Windows Security Log Encyclopedia
Windows event log analyst reference
20170612ac ir research en
Event Log
AmCache Investigation - SANS Digital Forensics & Incident Response Summit 2019
GitHub - Yamato-Security/EnableWindowsLogSettings: Documentation and scripts to properly enable Windows event logs.
Tuned and curated Winlogbeats config file
GitHub - olafhartong/sysmon-modular: A repository of sysmon configuration modules
Windows 10 and Windows Server 2016 security auditing and monitoring reference
This reference details most advanced security audit events for Windows 10 and Windows Server 2016.
Tech Tuesday Workshop Cobalt Strike Detection via Log Analysis | SANS Institute
wevtutil
Reference article for wevtutil, which lets you retrieve information about event logs and publishers.
Jessica Payne on Twitter
When reading reports about fantastically clever and innovative malware, it’s easy to lose sight of the fact a lot of it got installed by attackers with Domain Admin. Don’t forget that the last stage wizardry often is preceded by 90% of the attack you can detect and mitigate.— Jessica Payne (@jepayneMSFT) May 9, 2019
GitHub - BSI-Bund/RdpCacheStitcher: RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps.
GitHub - ANSSI-FR/bmc-tools: RDP Bitmap Cache parser
Offensive Lateral Movement
Lateral movement is the process of moving from one compromised host to another. Penetration testers and red teamers alike commonly used to…
InfoSec Handlers Diary Blog - SANS Internet Storm Center
Analyzing Quarantine Files, Author: Didier Stevens