Windows security - PSJoshi/Notes GitHub Wiki

• Track Process Creation and Exit Time Using Process Monitor - http://www.winhelponline.com/blog/procmon-track-process-creation-exit-time/#
• Find If a Unknown CMD Window That Opened and Closed Immediately Was a Scheduled Task - http://www.winhelponline.com/blog/find-unknown-program-open-and-close-immediately/
• How to find malicious site using Thug client - http://909research.com/how-to-use-thug-honeyclient/
• Find windows PC is infected or not quickly - http://909research.com/find-a-windows-infection-quickly-part-2-with-tools/
• SysMon - Best Windows monitoring tools - http://909research.com/sysmon-the-best-free-windows-monitoring-tool-you-arent-using/
• Usage of foremost on USB stick to detect malware - http://909research.com/using-foremost-for-usb-file-carving/
• Firefox browser - interesting security settings - http://909research.com/firefox-browser-opsec-setup/
• Get control of your servers - https://github.com/firehol/netdata
• Certificate monitoring using Facebook - https://developers.facebook.com/tools/ct/
• Detecting expired certificates - https://serverlesscode.com/post/ssl-expiration-alerts-with-lambda/
• Implementing inexpensive honeytrap techniques - https://serverlesscode.com/post/ssl-expiration-alerts-with-lambda/

Windows API call monitoring

• http://www.rohitab.com/downloads
• http://softwarerecs.stackexchange.com/questions/27217/software-to-monitor-windows-api-calls-on-a-windows-7
• http://stackoverflow.com/questions/10069796/api-monitoring-on-a-specific-process
• https://www.lastline.com/papers/2015_kharraz_robertson_balzarotti_bilge_kirda_ransomware.pdf

Disable Windows telemetry

• https://github.com/szotsaki/windows-telemetry-removal/blob/master/WindowsTelemetryRemoval.bat
• https://www.ghacks.net/2017/02/11/blocking-telemetry-in-windows-7-and-8-1/
• https://superuser.com/questions/972501/how-to-stop-microsoft-from-gathering-telemetry-data-from-windows-7-8-and-8-1

Disable ipv6 on Windows

• https://techjourney.net/disable-turn-off-ipv6-support-in-windows-10-8-1-8-7-vista/

Command line logging

To enable the Audit Process Creation policy, edit the following group policy: Policy location: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking Policy Name: Audit Process Creation

• https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing

Monitoring of Windows logs

• Windows event logging and forwarding - https://www.cyber.gov.au/sites/default/files/2019-10/PROTECT%20-%20Windows%20Event%20Logging%20and%20Forwarding%20%28April%202019%29_0.pdf

• Windows event log analysis - https://www.forwarddefense.com/pdfs/Event_Log_Analyst_Reference.pdf

• Spotting the advesary using windows event logs - https://msdnshared.blob.core.windows.net/media/2017/10/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf

• https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm

• Event log management - https://www.ipswitch.com/Ipswitch/media/Ipswitch/Documents/Resources/Whitepapers%20and%20eBooks/ELM_Security_WP.pdf?ext=.pdf