How To Threat Hunt for Malicious Account Usage Using the Windows Event Logs

The Windows event logs are a powerful funnel point for identifying attackers who leverage Windows accounts for initial access, lateral movement, and other attack stages. In this edition of #TeckTalkTuesday, we explore the events enabled through the Advanced Audit Policy settings that you can add to your threat hunting and incident response program to uncover attacker use of both domain-joined and local Windows accounts.

Please like and subscribe to support our channel!

Follow us on Twitter: /insaneforensics
Follow us on LinkedIn: /insane-forensics
Hire us for your next threat hunt: https://insaneforensics.com/

Chapters:
00:00 - Intro
00:24 - Why Windows Account Auditing Matters
01:32 - Considerations When Using Event Logs to Detect Account Compromise
05:05 - Enabling Windows Auditing Events
06:15 - Windows Event Log IDs Associated with Account Auditing
08:33 - Using Windows Event ID 4720 to Log Successful Account Creation
11:11 - Using Windows Event ID 4798 to Identify User Group Membership Enumeration
13:34 - Using Windows Event ID 4740 to Monitor Malicious User Account Lock Out
16:11 - Using Windows Event ID 4738 to Monitor User Account Changes
18:11 - Wrapping Up