Windows Event Monitoring

Windows.Events.DNSQueries

Monitor all DNS Queries and responses.

This artifact monitors all DNS queries and their responses seen on the endpoint. DNS is a critical source of information for intrusion detection, and the best place to collect it is on the endpoint itself (perimeter collection can only see DNS requests while the endpoint or laptop is inside the enterprise network).

It is recommended to collect this artifact and simply archive the results. When threat intelligence emerges about a watering hole or a C&C server, you can search this archive to confirm whether any of your endpoints have contacted it.

Arg              Default     Description
whitelistRegex   wpad.home   We ignore DNS names that match this regex.
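The retrospective check described above, written out as an added example in Python (this is not the artifact's own VQL or the project's code). It applies the whitelistRegex filter the same way the artifact describes, then matches an archive of recorded query names against a list of C&C domains, treating any subdomain of a listed domain as a hit. The archive records, the host names and the .invalid domains are constructed sample data, not real collector output or real indicators.

```python
import re

# Constructed sample of archived DNS query events (not real collector output).
# Each record keeps only the fields the check needs: timestamp, client host, query name.
ARCHIVED_DNS_EVENTS = [
    {"ts": "2024-01-10T08:01:02Z", "host": "WS-001", "name": "wpad.home"},
    {"ts": "2024-01-10T08:01:05Z", "host": "WS-001", "name": "update.example-vendor.invalid"},
    {"ts": "2024-01-11T13:22:41Z", "host": "WS-017", "name": "cdn.example-c2.invalid"},
    {"ts": "2024-01-11T13:22:43Z", "host": "WS-017", "name": "www.cdn.example-c2.invalid"},
    {"ts": "2024-01-12T09:00:00Z", "host": "WS-003", "name": "wpad.home"},
]

# Mirrors the artifact's whitelistRegex default. Note that it is a regex, so the
# unescaped "." matches any character; escape it if you need an exact name.
WHITELIST_REGEX = "wpad.home"


def filter_whitelisted(events, whitelist_regex=WHITELIST_REGEX):
    """Drop events whose query name matches the whitelist regex,
    as the artifact does before recording a query."""
    pattern = re.compile(whitelist_regex)
    return [e for e in events if not pattern.search(e["name"])]


def find_contacts(events, iocs):
    """Return the archived events whose query name equals one of the
    IOC domains or is a subdomain of one (case-insensitive)."""
    normalized = {ioc.lower().rstrip(".") for ioc in iocs}
    hits = []
    for e in events:
        name = e["name"].lower().rstrip(".")
        labels = name.split(".")
        # Check the name itself and every parent domain: a.b.c -> b.c -> c
        for i in range(len(labels)):
            if ".".join(labels[i:]) in normalized:
                hits.append(e)
                break
    return hits


def hosts_that_contacted(events, iocs):
    """Distinct endpoints that resolved any of the IOC domains."""
    return sorted({e["host"] for e in find_contacts(events, iocs)})


if __name__ == "__main__":
    kept = filter_whitelisted(ARCHIVED_DNS_EVENTS)
    for hit in find_contacts(kept, ["example-c2.invalid"]):
        print(hit["ts"], hit["host"], hit["name"])
```

Matching on parent domains rather than exact strings matters in practice: intelligence usually names an apex domain, while endpoints resolve a changing set of hostnames beneath it.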

Windows.Events.FailedLogBeforeSuccess

Sometimes attackers will brute force a local user account's password. If the account password is strong, brute force attacks are not effective and might not represent a high value event in themselves.

However, if the brute force attempt succeeds, then it is a very high value event (since brute forcing a password is typically a suspicious activity).

On the endpoint this looks like a bunch of failed logon attempts in quick succession followed by a successful login.

NOTE: In order for this artifact to work, Windows must be logging failed account logons. This is not on by default and should be enabled via group policy.

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events

You can set the policy in the Group Policy Management Console (gpmc): Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

Arg                     Default                                          Description
securityLogFile         C:/Windows/System32/Winevt/Logs/Security.evtx
failureCount            3                                                Alert if there are this many failures before the successful logon.
failedLogonTimeWindow   3600
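The detection logic described above (a run of failed logons followed by a success for the same account), as an added Python example that is not the artifact's own VQL or the project's code. It assumes the Security log has already been reduced to records with a timestamp, event ID and account name, that failed and successful logons are Windows event IDs 4625 and 4624 (the standard IDs, which the page itself does not name), and that failedLogonTimeWindow is measured in seconds. The event records are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample of Security log events, reduced to the fields the rule needs.
# 4625 = failed logon, 4624 = successful logon (standard Windows IDs; an assumption here).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:00:01Z", "event_id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-01-10T08:00:03Z", "event_id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-01-10T08:00:04Z", "event_id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-01-10T08:00:09Z", "event_id": 4624, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-01-10T09:15:00Z", "event_id": 4625, "user": "bob",   "src": "10.0.0.7"},
    {"ts": "2024-01-10T09:15:02Z", "event_id": 4624, "user": "bob",   "src": "10.0.0.7"},
    {"ts": "2024-01-10T10:00:00Z", "event_id": 4625, "user": "carol", "src": "10.0.0.9"},
    {"ts": "2024-01-10T10:00:01Z", "event_id": 4625, "user": "carol", "src": "10.0.0.9"},
    {"ts": "2024-01-10T10:00:02Z", "event_id": 4625, "user": "carol", "src": "10.0.0.9"},
    {"ts": "2024-01-10T12:30:00Z", "event_id": 4624, "user": "carol", "src": "10.0.0.9"},
]

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_failed_before_success(events, failure_count=3, window_seconds=3600):
    """Emit one alert per successful logon that was preceded, within
    window_seconds, by at least failure_count failed logons for the same account.
    Defaults mirror the artifact's failureCount and failedLogonTimeWindow."""
    failures = {}   # account -> timestamps of failures not yet followed by a success
    alerts = []
    # Process in time order so the window is evaluated against earlier events only.
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        ts = parse_ts(e["ts"])
        user = e["user"]
        if e["event_id"] == FAILED_LOGON:
            failures.setdefault(user, []).append(ts)
        elif e["event_id"] == SUCCESSFUL_LOGON:
            window_start = ts - timedelta(seconds=window_seconds)
            recent = [t for t in failures.get(user, []) if t >= window_start]
            if len(recent) >= failure_count:
                alerts.append({
                    "user": user,
                    "src": e["src"],
                    "success_at": e["ts"],
                    "failures": len(recent),
                })
            # A success ends the current run; later failures start a new one.
            failures[user] = []
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_before_success(SAMPLE_EVENTS):
        print(alert)
```

With the defaults, only the first account fires: three failures a few seconds before a success. The second account has a single failure, and the third account's failures are outside the one-hour window; widening failedLogonTimeWindow would surface that one too, which is the knob to tune against slow, patient guessing.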

Windows.Events.ProcessCreation

Collect all process creation events.

Arg          Default                                                                                Description
wmiQuery     SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
eventQuery   SELECT * FROM Win32_ProcessStartTrace

Windows.Events.ServiceCreation

Monitor for creation of new services.

New services are typically created by installing new software or kernel drivers. Attackers will sometimes install a new service, either to load a malicious kernel driver or as a persistence mechanism.

This event monitor extracts the service creation events from the event log and records them on the server.

Arg             Default                                        Description
systemLogFile   C:/Windows/System32/Winevt/Logs/System.evtx