When investigating compromised systems, incident responders and investigators often find that the logging they need was never enabled or configured. To help get system logs properly enabled and configured, the cheat sheets below will help you do logging well, so the data we all need is there when we look.

Cheat Sheets to help you in configuring your systems:


Update Log:

WLCS: Oct 2016 ver 2.1

  • Updated new Windows 10 auditing
  • Adjusted a couple of settings
  • Added TaskScheduler info

WFACS: Oct 2016 ver 1.2

  • Added a few new locations

WRACS: Oct 2016 ver 1.2

  • Added many autorun keys
  • Sorted the keys better

WSLCS: Feb 2016 ver 1.1

  • Updated Windows commands exploited by hackers

WLCS: Jan 2016 ver 2.0

  • Added Event code 4720 - New user account created
  • Changed references to File and Registry auditing to point to the new File and Registry auditing Cheat Sheets
  • Expanded info on Command Line Logging

WRACS: Jan 2016 ver 1.1

  • Sorted HKLM keys
  • Added keys to monitor PowerShell and Command Line log settings
  • Updated HKCU and USERs\.DEFAULT info
  • Added info about HKCU unable to be set in Security Templates
  • Added PowerShell script to set HKCU Registry Auditing