Comments on DFIR and Threat Hunting: Patterns of Behavior
(Blogger comment feed, 12 comments, last updated 2021-05-24 11:10 -07:00; newest first)

Nichols (http://www.sparksecurity.com.br/), 2017-03-02 12:33 -08:00:
Doesn't your idea of capturing behaviors on patterns resemble the idea of Indicators of Attack (https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/)?

Jack Crook (https://www.blogger.com/profile/12833839809413917819), 2017-02-27 13:21 -08:00:
Thanks Ryan!

Ryan Stillions (https://www.blogger.com/profile/12245411525304052957), 2017-02-27 10:31 -08:00:
Solid! As always :)

Jack Crook, 2017-02-25 10:43 -08:00:
Thanks for the comment. Before enabling I would recommend understanding the impact it may have. The settings for these logs to be produced are in the Advanced Audit Policy settings.
Here are some good links for better understanding of each.

https://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx

Object Access
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-5140
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-5145
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4698

Detailed Tracking
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4688

Hope that helps

Jack Crook, 2017-02-25 10:41 -08:00:
[This comment has been removed by the author.]

Anonymous, 2017-02-25 07:32 -08:00:
This is really great stuff & very useful. Thank you.
I don't want to sound like we want spoon feeding, but it would be generally helpful to also specify what the auditpol settings need to be (on server or on workstation) to get the necessary Event IDs generated.

Teck0 (https://www.blogger.com/profile/15546611396432938733), 2017-02-13 09:56 -08:00:
Yes, but as a SOC team we have the right to audit all useful logs and also help the DFIR team.

Jack Crook, 2017-02-13 06:54 -08:00:
My hope is that by sharing the value of these logs some may be able to implement the collection of them.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2017-02-13 06:10 -08:00:
Good stuff; unfortunately, when doing DFIR analysis, I don't often see systems where clients have the necessary auditing enabled to populate the logs with the identified events...

Teck0, 2017-02-13 04:08 -08:00:
Yes, this pipe was used when you create a service remotely, like "sc \\x.x.x.x create". That's why I think it was very important. If you use, for instance, Wireshark on two machines with the filter svcctl you can collect all the useful data, like you did for atsvc, srvsvc and so on.

Jack Crook, 2017-02-13 02:41 -08:00:
Sorry, I've not come across it in any of the testing that I have done (or at least don't recall it). Is there a particular reason you're looking for that pipe?

Teck0, 2017-02-12 16:04 -08:00:
Thanks for your article. Have you checked what sequence of EID 5145 is generated when you create a service remotely via the svcctl named pipe?
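Two threads above ask for concrete tooling: the Anonymous commenter wants the auditpol settings that produce the event IDs Jack Crook links (5140, 5145, 4698, 4688), and Teck0 asks what 5145 events a remote service creation over the svcctl pipe generates. The following PowerShell script is an added example, not code from the blog post or from any commenter. It enables the Advanced Audit Policy subcategories that emit those four event IDs (the mapping follows the Microsoft event documentation linked in the thread) and then lists 5145 events for RPC named pipes reached over IPC$, sorted by time, so the sequence Teck0 asks about can be observed on a test host rather than asserted. The function names, the pipe list (svcctl, atsvc and srvsvc from the thread plus samr, lsarpc and winreg) and the event cap are this example's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the blog post or its comments).
#
# Event ID -> Advanced Audit Policy subcategory that emits it:
#   5140  A network share object was accessed        -> Object Access\File Share
#   5145  A network share object was checked ...     -> Object Access\Detailed File Share
#   4698  A scheduled task was created               -> Object Access\Other Object Access Events
#   4688  A new process has been created             -> Detailed Tracking\Process Creation
#
# Caveats: 'Detailed File Share' (5145) is very high volume on file servers, so
# measure the impact before rolling it out, as the comment above advises. If a
# GPO defines audit policy, it overwrites these local settings on the next refresh.

$subcategories = @(
    'File Share',
    'Detailed File Share',
    'Other Object Access Events',
    'Process Creation'
)

function Enable-BehaviorAuditing {
    foreach ($sub in $subcategories) {
        auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
    # 4688 only carries the command line when this value is set (the GPO
    # "Include command line in process creation events").
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
    # Show what is actually in effect after the change.
    foreach ($sub in $subcategories) {
        auditpol.exe /get /subcategory:"$sub"
    }
}

function Get-IpcPipeAccess {
    param(
        # Assumed list of interesting RPC pipes; extend to taste.
        [string[]]$Pipes = @('svcctl', 'atsvc', 'srvsvc', 'samr', 'lsarpc', 'winreg'),
        [int]$MaxEvents = 5000
    )
    # 5145 over the IPC$ share: RelativeTargetName holds the pipe name.
    $xpath = "*[System[EventID=5145] and EventData[Data[@Name='ShareName']='\\*\IPC`$']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData fields out by name rather than by position.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Pipe       = $d['RelativeTargetName']
                SourceIP   = $d['IpAddress']
                Account    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                AccessMask = $d['AccessMask']
            }
        } |
        Where-Object { $Pipes -contains $_.Pipe } |
        Sort-Object Time
}

Enable-BehaviorAuditing
# Run a remote "sc \\target create ..." against this host from another
# machine, then list the resulting pipe accesses in the order they were logged.
Get-IpcPipeAccess | Format-Table -AutoSize
```

The XPath filter is applied by the event log service, so it avoids pulling every Security event into PowerShell; the pipe-name match is done client-side because RelativeTargetName varies freely. Because Group Policy overrides local auditpol changes, check the `auditpol /get` output again after the next policy refresh before relying on these events in production.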