olafhartong/sysmon-modular: A repository of sysmon configuration modules
OnDemand
GitHub - SwiftOnSecurity/sysmon-config: Sysmon configuration file template with default high-quality event tracing
Greater Visibility Through PowerShell Logging | Mandiant
CyberChef
The Key to Identify PsExec
Finding and Decoding Malicious Powershell Scripts - SANS DFIR Summit 2018
Windows RDP-Related Event Logs: Identification, Tracking, and Investigation | Ponder The Bits
Windows Event ID 1029 Hashes
Applied Incident Response Scripts
Appendix L - Events to Monitor
Windows Security Log Encyclopedia
Windows event log analyst reference
20170612ac_ir_research_en
Event Log
AmCache Investigation - SANS Digital Forensics & Incident Response Summit 2019