all InfoSec news logo
all InfoSec news - Your InfoSec news aggregator
Log in Sign up
all InfoSec news

ETW Integrity Hunting Tip: Microsoft-Windows-Security-Auditing publisher

Add to bookmarks
March 8, 2023, 6:02 a.m. | /u/digicat

For [Blue|Purple] Teams in Cyber Defence www.reddit.com

*" One thing that I stumbled upon which I haven't seen before was if I messed with the registry key associated with Microsoft-Windows-Security-Auditing publisher, I could stop the security log from logging those pesky 4688s and 4624s even after a reboot without disabling the EventLog Service. In this case, our detection opportunity is now EID 1108 and 1107 (depending on the version of Windows) in the Security log.*


*So if you find those EID's in your environment, check Sec publisher …

auditing blueteamsec case detection eid eventlog eventlog service find hunting integrity key log logging microsoft opportunity publisher reboot registry registry key security service version windows

Visit resource

More from www.reddit.com / For [Blue|Purple] Teams in Cyber Defence

Any tips for doing a living off the land threat hunt on your own computer? 9 hours ago | www.reddit.com
blueteamsec clients computer computers +18
A Summary of 6 Months Tracking AiTM Campaigns 21 hours ago | www.reddit.com
aitm blueteamsec campaigns tracking
Unpacking with Windows Defender 1 day, 3 hours ago | www.reddit.com
blueteamsec defender unpacking windows +1
How Lazarus Group laundered $200M from 25 hacks 1 day, 4 hours ago | www.reddit.com
blueteamsec hacks lazarus lazarus group
Recommendations for SIEM Architecture Books 1 day, 7 hours ago | www.reddit.com
alternatives architecture blueteamsec books +11
How to Block Residential Proxies using Okta 2 days, 13 hours ago | www.reddit.com
block blueteamsec okta proxies
2024 Cyber Insurance Claims Report 3 days, 3 hours ago | www.reddit.com
blueteamsec claims cyber cyber insurance +2
Just-in-Time admin and production access using Azure PIM 3 days, 19 hours ago | www.reddit.com
access admin azure blueteamsec +3
Hackers use developing countries as testing ground for new ransomware attacks 3 days, 23 hours ago | www.reddit.com
attacks blueteamsec countries developing countries +4

Jobs in InfoSec / Cybersecurity

Post a job on infosec-jobs.com Find talent on infosec-jobs.com

Social Engineer For Reverse Engineering Exploit Study

@ Independent study | Remote
View on infosec-jobs.com

Application Security Engineer - Remote Friendly

@ Unit21 | San Francisco,CA; New York City; Remote USA;
View on infosec-jobs.com

Cloud Security Specialist

@ AppsFlyer | Herzliya
View on infosec-jobs.com

Malware Analysis Engineer - Canberra, Australia

@ Apple | Canberra, Australian Capital Territory, Australia
View on infosec-jobs.com

Product CISO

@ Fortinet | Sunnyvale, CA, United States
View on infosec-jobs.com

Manager, Security Engineering

@ Thrive | United States - Remote
View on infosec-jobs.com
View more jobs