I have added a list and links of additional Cheat Sheets for various security and DFIR purposes for Windows, macOS and Linux as well as Cloud.
Malware Discovery Course at BSides OK
Are you wanting to learn how to discover if malware is on a system? Want to up your skills? We are teaching a course at BSides OK April 3rd and 4th, 2024 - Glenpool Conference Center. The Con is Friday Apr 4th. See you there!
For more information:
https://www.malwarearchaeology.com/md-training
https://bsidesok.com/
Crowdstrike Logscale Windows Logging Cheat Sheet Released - New for 2024 with Beats v7 agent info!
New for 2024 is the addition of a Crowdstrike Logscale Windows Logging Cheat Sheet (formerly Humio). The cheat sheet has the latest queries and information to get started using Logscale for your logging needs. The queries use the latest Beats v7 field names. Lots of good info to get you started using the FREE solution from Crowdstrike to log your personal home systems, lab or test for using at your place of business. This is a powerful platform to log all-the-things and the new cheat sheet helps you log some of the right things!
Beats yaml files updated for version 7 beats agents
If you are using Beats version 7 and want sample WinLogBeats and FileBeats yaml files, there are now 2 new files for you to use.
FileBeat - Has examples of text file and CSV log file collections and exclusions including collection of the Beats logs
WinLogBeat - Has examples based on the logging cheat sheets and Sysmon to collect various log Event IDs and examples of tuning exclusions
See the updates on the Logging Page
Upcoming Training for 2020
BSides OK in Tulsa - April 8-9, - Malware Discovery 2 Days - POSTPONED - TBD
HouSecCon in Houston - May 5th - Preparing for a Ransomware or malware Incident 1 Day - POSTPONED - TBD
Windows Registry Auditing Cheat Sheet updated for Aug 2019 v2.5
The Windows Registry Auditing Cheat Sheet has been updated to include a few new items to monitor for malicious activity. Keep in mind when applying to the users space, that the current user (HKCU) is the one logged in. Any other users you want to set Registry auditing on you must do so under HKU/GUID, so you must know their user GUID or use a script that crawls all the GUID and applies the settings.
You can get the new Cheat Sheet HERE:
Training at BSides OK April 10th-11th 2018
Malware Discovery and Basic Analysis
When: April 10th-11th 2018
Where: BSides OK (Just southwest of Tulsa)
Glenpool Conference Center in Glenpool, OK
Hotel - Holiday Inn Express & Suites Glenpool Tulsa South (next door)
Course Description:
Malware Discovery and Malware Analysis is an essential skill for today’s Information Security, Security Operations Center (SOC), and IT professionals. This course is perfect for people wanting to improve and get faster at Incident Response.
This course focuses on performing fast triage and how to discover if a system has malware, how to build a malware analysis lab and perform basic malware analysis quickly. The goal and objective to apply the results to Malware Management with actionable information to improve your Information Security program. Tools and techniques used and steps to analyze malware to determine if a system is clean or truly infected will be covered. The concept of Malware Management, Malware Discovery and Basic Malware Analysis will be discussed with exercises linking the three concepts together.
Training in Houston April 9th, 2018
MITRE ATT&CK, What is it, how to use and apply it to your organization
When: April 9th, 2018 (1-Day)
Where: HouSecCon Marriott Marquis Houston
Course Description:
Mitre has created the “Adversarial Tactics, Techniques & Common Knowledge” (ATT&CK) to help security practitioners understand the actual techniques and tactics that adversaries use against us. The advantage of ATT&CK is it allows us to build a framework to understand how we might detect, respond, and prevent many of the tactics. Creating your own ATT&CK framework provides for a way for us to map what technologies, procedures, playbooks, reports/queries, and alerts we have, and then map any gaps that we have that then can be addressed.
Upcoming Training is San Antonio
We are working with the Alamo ISSA Chapter to put on a 1-Day training. Staay tuned for details and follow us on twitter.
Windows Incident Response and Logging Training - Houston Weds Mar 22nd
As a part of HouSeCon at the Derek hotel we are putting on a 1 Day 'Windows Incident Response and Logging' course to help attendees get up to speed on basic IR concepts and to answer 5 questions about Windows logging and auditing;
- Why is Windows audit logging so important
- How do you check a Windows system for proper audit logging?
- Where do you get the information on what to set for proper audit logging
- How do you set the proper things for proper audit logging
- What tools can be used to view the audit logs
You can sign up here for the training:
And sign up for the conference on Thursday here:
Malware Discovery and Windows Incident Response & Logging Training - Austin Dec 12-14
Malware Archaeology in conjunction with Capitol of Texas ISSA chapter is hosting a Malware Discovery and Basic Analysis 2 day class and Windows Incident Response and Logging 1 day class at the Wingate in Round Rock.
Looking to up your malwarez hunting skillz and learn some basics about Windows Incident Response and become a Windows logging guru, come to this class and learn how the blue teamers do it and catch the bad guys.
More info on the Austin ISSA website and register here:
LOG-MD selected for Blackhat Arsenal based on the 'Windows Logging Cheat Sheet'
Come on by Blackhat Arsenal Thursday and check out LOG-MD in action with the latest version on how to check, set, and harvest malwarious activity on Windows systems.
LOG-MD
Michael Gough & Brian Boettcher
Palm Foyer, Level 3, Station 8
16:00 - 17:50
Based on the 'Windows Logging Cheat Sheet' LOG-MD audits a Windows system for compliance to the 'Windows Logging Cheat Sheet', CIS, US-GCB and AU-ACSC standards, and if it fails creates a nice report to help you know what to set and then guides you where to set the items needed to pass the audit check. Once properly configured, LOG-MD then harvests security related log data to help you investigate a suspect system.
In addition LOG-MD can perform full file system hashing to create a baseline that can be used to compare against a suspect system. LOG-MD can also baseline the registry and compare a suspect system registry to a known good baseline to find altered settings and even look for LARGE Reg keys where malware is hiding payloads.
Come by Blackhat Arsenal and check us out and maybe get a goody too ;-)
Malware Discovery Training coming to Austin, TX. Oct/Nov
Austin - Oct/Nov 2016 - Sponsored by the ISSA Capitol of Texas chapter
Wingate Round Rock Conference Center
Oct 3rd thru 5th, 2016 (Tentative date, it may have to move to a later date)
More information and registration here:
Malware Discovery Training coming to Oklahoma City July 18-20
Oklahoma City - Malware Discovery and Basic Malware Analysis
George Epperly Business Building - Rose State College - 6420 Southeast 15th Street, Midwest City, OK 73110
- July 18th-19th 2016 - Sponsored by the ISSA OKC chapter
Oklahoma City - Windows Incident Response and Logging
- July 20th 2016 - Sponsored by the ISSA OKC chapter
ISSA-OKC website
More information and register here:
Links to some of our presentations now posted
You can now get the links to some of our recent presentations here:
Great shout out from Paul and John on the Security Weekly Enterprise Podcast Episode 5
Paul Asadoorian and John Strand discussing Log Management and SIEM mention the Cheat Sheets to help you know what to set and look for in your Windows logs. Thanks gents, I guess it is time to come on the PodCast and let you know what we are up to.
It is important to point out that you cannot start to gain the benefit of your Log Management solution or SIEM until you enable and configure your Windows log setting per the Cheat Sheets found here:
#Happy Hunting
Windows Top 10 Events to monitor from My Dell Enterprise Security Summit Talk
Here is the presentation from the talk I gave at the Dell Enterprise Security Summit in Atlanta April 21, 2016.
Malware Discovery and Basic Malware Analysis Training - May 19th-20th in Houston, TX.
We are hosting another Malware Discovery and Basic Analysis class in Houston at Rice University.
When: May 19th-20th 2016
Sponsored by: the ISSA South Texas chapter.
Register here:
Follow our updates via our RSS feed
If you want to keep up on the updates of Malware Reports, Training, our Cheat Sheets and other updates, add our site to your favorite RSS Reader.
More Malware Analysis Reports added
A couple more reports have been added to help you with Malware Management. Malware Management can help you understand and know WHERE to look and WHAT to look for when it comes to a possibly infected system. You can read about Malware Management here:
You can find the updated Malware Analysis reports here:
Also updated was the "Windows Splunk Logging Cheat Sheet" to expand on the Windows commands abused by hackers. You can get the Cheat Sheets here:
And you can read a blog entry about Windows commands abused by hackers over at HackerHurricane.com: