employee misconduct investigation

employee misconduct investigation

The Skadi ELK Stack authored by Mr. Alan Orlikoski https://github.com/orlikoski is a phenomenal means of conducting in-depth triage across numerous Hosts in an effort to identify anomalies or suspicious behavior, occurring on critical servers and/or endpoints.


The below-denoted query is capable of identifying external logons, emanating from the Internet, to Internal Hosts on the core network:


source_name:"Microsoft-Windows-Security-Auditing" AND +(event_identifier:4624) (xml_string:"\>Data Name=\"LogonType\"\>2\" OR xml_string:"\>Data Name=\"LogonType\"\>3\" OR xml_string:"\>Data Name=\"LogonType\"\>4\" OR xml_string:"\>Data Name=\"LogonType\"\>5\" OR xml_string:"\>Data Name=\"LogonType\"\>7\" OR xml_string:"\>Data Name=\"LogonType\"\>8\" OR xml_string:"\>Data Name=\"LogonType\"\>10\" OR xml_string:"\>Data Name=\"LogonType\"\>11\") NOT xml_string:"\-\" NOT /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.16\.[0-9]{1,3}\.[0-9]{1,3}|172\.17\.[0-9]{1,3}\.[0-9]{1,3}|172\.18\.[0-9]{1,3}\.[0-9]{1,3}|172\.19\.[0-9]{1,3}\.[0-9]{1,3}|172\.20\.[0-9]{1,3}\.[0-9]{1,3}|172\.21\.[0-9]{1,3}\.[0-9]{1,3}|172\.22\.[0-9]{1,3}\.[0-9]{1,3}|172\.23\.[0-9]{1,3}\.[0-9]{1,3}|172\.24\.[0-9]{1,3}\.[0-9]{1,3}|172\.25\.[0-9]{1,3}\.[0-9]{1,3}|172\.26\.[0-9]{1,3}\.[0-9]{1,3}|172\.27\.[0-9]{1,3}\.[0-9]{1,3}|172\.28\.[0-9]{1,3}\.[0-9]{1,3}|172\.29\.[0-9]{1,3}\.[0-9]{1,3}|172\.30\.[0-9]{1,3}\.[0-9]{1,3}|127\.0\.0\.1|172\.31\.[0-9]{1,3}\.[0-9]{1,3}|fe80)/ NOT /(224\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|225\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|226\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|227\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|228\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|229\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|230\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|231\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|232\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|233\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|234\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|235\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|236\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|237\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|238\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|239\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.255)/ NOT (xml_string:"\::1\")





Happy Hunting!


The Aeropegus Team will be providing additional queries in the near future.

Comments

Post a Comment

Popular posts from this blog

How To Have Shiny, Healthy Hair This Summer

Image
  The summer heat is wonderful for our tans, however not therefore wonderful for our hair. because the air   dries up, therefore will hair. It are often a trouble to stay your Hair Extensions Ottawa throughout these   muggy months, still as finding the time and cash to stay upkeeping it. This doesn't mean it’s not possible to own shiny locks this summer With simply a couple of steps you'll keep your hair glowing all season.   Tips on a way to Have Shiny Hair this Summer:   Hair Masks: Healthy hair needs plenty of association. Hair masks will fill your hair with oils and nutrients that will be lacking from everyday wear. you ought to apply a mask weekly, mistreatment Associate in Nursing application of your alternative. Maintenance: There square measure a couple of belongings you will do between styling your Hair Extensions Ottawa that may facilitate maintain the shine and health. shift out your regular pillow slip for a silk cowl can exponentially improv...
Read more

Full Service for Smooth Operations

Image
  Digital Forensic Services Even during the most painstakingly thorough work of the computer forensics following a cyber-attack, our team operates with minimal disruption to your organization. Aeropagus offers a full range of digital forensic services , including, but not limited to:   Incident response Insider threat Employee misconduct Intellectual property theft Divorce Proceedings Threat Hunting Internal & External Threats Due to the constantly changing threat landscape in today’s network environments, Threat Hunting has become a necessity in an ongoing effort of identifying internal and external threats lurking in your network. Aeropagus has experts in:   Linux, Windows, and Macintosh Platforms (On-Site or Remote Delivery of Services) Examination of Windows Event Logs Examination of Linux Event Logs Examination of Macintosh Event Logs Examination of Processes & Connections in Memory Examination of File System Metadata for P...
Read more