security Windows

7 May 2018
https://www.sans.org/reading-room/whitepapers/microsoft/securing-windows-10-giac-enterprise-endpoint-ise-m-6100-security-project-practicum-technical-paper-36592

Language exchange communities

12 March 2018

https://www.interpals.net/

www.mylanguageexchange.com

https://www.hellolingo.com

https://www.conversationexchange.com/search.php?lg=en

https://www.italki.com/home

Events to Monitor

Windows | 10 February 2018

source: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

Appendix L: Events to Monitor

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The following table lists events that you should monitor in your environment, according to the recommendations provided in Monitoring Active Directory for Signs of Compromise. In the following table, the "Current Windows Event ID" column lists the event ID as it is implemented in versions of Windows and Windows Server that are currently in mainstream support.

The "Legacy Windows Event ID" column lists the corresponding event ID in legacy versions of Windows such as client computers running Windows XP or earlier and servers running Windows Server 2003 or earlier. The "Potential Criticality" column identifies whether the event should be considered of low, medium, or high criticality in detecting attacks, and the "Event Summary" column provides a brief description of the event.

A potential criticality of High means that one occurrence of the event should be investigated. Potential criticality of Medium or Low means that these events should only be investigated if they occur unexpectedly or in numbers that significantly exceed the expected baseline in a measured period of time. All organizations should test these recommendations in their environments before creating alerts that require mandatory investigative responses. Every environment is different, and some of the events ranked with a potential criticality of High may occur due to other harmless events.

| Current Windows Event ID | Legacy Windows Event ID | Potential Criticality | Event Summary |
|---|---|---|---|
| 4618 | N/A | High | A monitored security event pattern has occurred. |
| 4649 | N/A | High | A replay attack was detected. May be a harmless false positive due to misconfiguration error. |
| 4719 | 612 | High | System audit policy was changed. |
| 4765 | N/A | High | SID History was added to an account. |
| 4766 | N/A | High | An attempt to add SID History to an account failed. |
| 4794 | N/A | High | An attempt was made to set the Directory Services Restore Mode. |
| 4897 | 801 | High | Role separation enabled: |
| 4964 | N/A | High | Special groups have been assigned to a new logon. |
| 5124 | N/A | High | A security setting was updated on the OCSP Responder Service |
| N/A | 550 | Medium to High | Possible denial-of-service (DoS) attack |
| 1102 | 517 | Medium to High | The audit log was cleared |
| 4621 | N/A | Medium | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. |
| 4675 | N/A | Medium | SIDs were filtered. |
| 4692 | N/A | Medium | Backup of data protection master key was attempted. |
| 4693 | N/A | Medium | Recovery of data protection master key was attempted. |
| 4706 | 610 | Medium | A new trust was created to a domain. |
| 4713 | 617 | Medium | Kerberos policy was changed. |
| 4714 | 618 | Medium | Encrypted data recovery policy was changed. |
| 4715 | N/A | Medium | The audit policy (SACL) on an object was changed. |
| 4716 | 620 | Medium | Trusted domain information was modified. |
| 4724 | 628 | Medium | An attempt was made to reset an account's password. |
| 4727 | 631 | Medium | A security-enabled global group was created. |
| 4735 | 639 | Medium | A security-enabled local group was changed. |
| 4737 | 641 | Medium | A security-enabled global group was changed. |
| 4739 | 643 | Medium | Domain Policy was changed. |
| 4754 | 658 | Medium | A security-enabled universal group was created. |
| 4755 | 659 | Medium | A security-enabled universal group was changed. |
| 4764 | 667 | Medium | A security-disabled group was deleted |
| 4764 | 668 | Medium | A group's type was changed. |
| 4780 | 684 | Medium | The ACL was set on accounts which are members of administrators groups. |
| 4816 | N/A | Medium | RPC detected an integrity violation while decrypting an incoming message. |
| 4865 | N/A | Medium | A trusted forest information entry was added. |
| 4866 | N/A | Medium | A trusted forest information entry was removed. |
| 4867 | N/A | Medium | A trusted forest information entry was modified. |
| 4868 | 772 | Medium | The certificate manager denied a pending certificate request. |
| 4870 | 774 | Medium | Certificate Services revoked a certificate. |
| 4882 | 786 | Medium | The security permissions for Certificate Services changed. |
| 4885 | 789 | Medium | The audit filter for Certificate Services changed. |
| 4890 | 794 | Medium | The certificate manager settings for Certificate Services changed. |
| 4892 | 796 | Medium | A property of Certificate Services changed. |
| 4896 | 800 | Medium | One or more rows have been deleted from the certificate database. |
| 4906 | N/A | Medium | The CrashOnAuditFail value has changed. |
| 4907 | N/A | Medium | Auditing settings on object were changed. |
| 4908 | N/A | Medium | Special Groups Logon table modified. |
| 4912 | 807 | Medium | Per User Audit Policy was changed. |
| 4960 | N/A | Medium | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. |
| 4961 | N/A | Medium | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. |
| 4962 | N/A | Medium | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. |
| 4963 | N/A | Medium | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. |
| 4965 | N/A | Medium | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. |
| 4976 | N/A | Medium | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4977 | N/A | Medium | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4978 | N/A | Medium | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4983 | N/A | Medium | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. |
| 4984 | N/A | Medium | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. |
| 5027 | N/A | Medium | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. |
| 5028 | N/A | Medium | The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. |
| 5029 | N/A | Medium | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. |
| 5030 | N/A | Medium | The Windows Firewall Service failed to start. |
| 5035 | N/A | Medium | The Windows Firewall Driver failed to start. |
| 5037 | N/A | Medium | The Windows Firewall Driver detected critical runtime error. Terminating. |
| 5038 | N/A | Medium | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. |
| 5120 | N/A | Medium | OCSP Responder Service Started |
| 5121 | N/A | Medium | OCSP Responder Service Stopped |
| 5122 | N/A | Medium | A configuration entry changed in OCSP Responder Service |
| 5123 | N/A | Medium | A configuration entry changed in OCSP Responder Service |
| 5376 | N/A | Medium | Credential Manager credentials were backed up. |
| 5377 | N/A | Medium | Credential Manager credentials were restored from a backup. |
| 5453 | N/A | Medium | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. |
| 5480 | N/A | Medium | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
| 5483 | N/A | Medium | IPsec Services failed to initialize RPC server. IPsec Services could not be started. |
| 5484 | N/A | Medium | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
| 5485 | N/A | Medium | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
| 6145 | N/A | Medium | One or more errors occurred while processing security policy in the Group Policy objects. |
| 6273 | N/A | Medium | Network Policy Server denied access to a user. |
| 6274 | N/A | Medium | Network Policy Server discarded the request for a user. |
| 6275 | N/A | Medium | Network Policy Server discarded the accounting request for a user. |
| 6276 | N/A | Medium | Network Policy Server quarantined a user. |
| 6277 | N/A | Medium | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. |
| 6278 | N/A | Medium | Network Policy Server granted full access to a user because the host met the defined health policy. |
| 6279 | N/A | Medium | Network Policy Server locked the user account due to repeated failed authentication attempts. |
| 6280 | N/A | Medium | Network Policy Server unlocked the user account. |
| - | 640 | Medium | General account database changed |
| - | 619 | Medium | Quality of Service Policy changed |
| 24586 | N/A | Medium | An error was encountered converting volume |
| 24592 | N/A | Medium | An attempt to automatically restart conversion on volume %2 failed. |
| 24593 | N/A | Medium | Metadata write: Volume %2 returning errors while trying to modify metadata. If failures continue, decrypt volume |
| 24594 | N/A | Medium | Metadata rebuild: An attempt to write a copy of metadata on volume %2 failed and may appear as disk corruption. If failures continue, decrypt volume. |
| 4608 | 512 | Low | Windows is starting up. |
| 4609 | 513 | Low | Windows is shutting down. |
| 4610 | 514 | Low | An authentication package has been loaded by the Local Security Authority. |
| 4611 | 515 | Low | A trusted logon process has been registered with the Local Security Authority. |
| 4612 | 516 | Low | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. |
| 4614 | 518 | Low | A notification package has been loaded by the Security Account Manager. |
| 4615 | 519 | Low | Invalid use of LPC port. |
| 4616 | 520 | Low | The system time was changed. |
| 4622 | N/A | Low | A security package has been loaded by the Local Security Authority. |
| 4624 | 528, 540 | Low | An account was successfully logged on. |
| 4625 | 529-537, 539 | Low | An account failed to log on. |
| 4634 | 538 | Low | An account was logged off. |
| 4646 | N/A | Low | IKE DoS-prevention mode started. |
| 4647 | 551 | Low | User initiated logoff. |
| 4648 | 552 | Low | A logon was attempted using explicit credentials. |
| 4650 | N/A | Low | An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. |
| 4651 | N/A | Low | An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. |
| 4652 | N/A | Low | An IPsec Main Mode negotiation failed. |
| 4653 | N/A | Low | An IPsec Main Mode negotiation failed. |
| 4654 | N/A | Low | An IPsec Quick Mode negotiation failed. |
| 4655 | N/A | Low | An IPsec Main Mode security association ended. |
| 4656 | 560 | Low | A handle to an object was requested. |
| 4657 | 567 | Low | A registry value was modified. |
| 4658 | 562 | Low | The handle to an object was closed. |
| 4659 | N/A | Low | A handle to an object was requested with intent to delete. |
| 4660 | 564 | Low | An object was deleted. |
| 4661 | 565 | Low | A handle to an object was requested. |
| 4662 | 566 | Low | An operation was performed on an object. |
| 4663 | 567 | Low | An attempt was made to access an object. |
| 4664 | N/A | Low | An attempt was made to create a hard link. |
| 4665 | N/A | Low | An attempt was made to create an application client context. |
| 4666 | N/A | Low | An application attempted an operation: |
| 4667 | N/A | Low | An application client context was deleted. |
| 4668 | N/A | Low | An application was initialized. |
| 4670 | N/A | Low | Permissions on an object were changed. |
| 4671 | N/A | Low | An application attempted to access a blocked ordinal through the TBS. |
| 4672 | 576 | Low | Special privileges assigned to new logon. |
| 4673 | 577 | Low | A privileged service was called. |
| 4674 | 578 | Low | An operation was attempted on a privileged object. |
| 4688 | 592 | Low | A new process has been created. |
| 4689 | 593 | Low | A process has exited. |
| 4690 | 594 | Low | An attempt was made to duplicate a handle to an object. |
| 4691 | 595 | Low | Indirect access to an object was requested. |
| 4694 | N/A | Low | Protection of auditable protected data was attempted. |
| 4695 | N/A | Low | Unprotection of auditable protected data was attempted. |
| 4696 | 600 | Low | A primary token was assigned to process. |
| 4697 | 601 | Low | Attempt to install a service |
| 4698 | 602 | Low | A scheduled task was created. |
| 4699 | 602 | Low | A scheduled task was deleted. |
| 4700 | 602 | Low | A scheduled task was enabled. |
| 4701 | 602 | Low | A scheduled task was disabled. |
| 4702 | 602 | Low | A scheduled task was updated. |
| 4704 | 608 | Low | A user right was assigned. |
| 4705 | 609 | Low | A user right was removed. |
| 4707 | 611 | Low | A trust to a domain was removed. |
| 4709 | N/A | Low | IPsec Services was started. |
| 4710 | N/A | Low | IPsec Services was disabled. |
| 4711 | N/A | Low | May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. PAStore Engine applied Active Directory storage IPsec policy on the computer. PAStore Engine applied local registry storage IPsec policy on the computer. PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. PAStore Engine failed to apply local registry storage IPsec policy on the computer. PAStore Engine failed to apply some rules of the active IPsec policy on the computer. PAStore Engine failed to load directory storage IPsec policy on the computer. PAStore Engine loaded directory storage IPsec policy on the computer. PAStore Engine failed to load local storage IPsec policy on the computer. PAStore Engine loaded local storage IPsec policy on the computer. PAStore Engine polled for changes to the active IPsec policy and detected no changes. |
| 4712 | N/A | Low | IPsec Services encountered a potentially serious failure. |
| 4717 | 621 | Low | System security access was granted to an account. |
| 4718 | 622 | Low | System security access was removed from an account. |
| 4720 | 624 | Low | A user account was created. |
| 4722 | 626 | Low | A user account was enabled. |
| 4723 | 627 | Low | An attempt was made to change an account's password. |
| 4725 | 629 | Low | A user account was disabled. |
| 4726 | 630 | Low | A user account was deleted. |
| 4728 | 632 | Low | A member was added to a security-enabled global group. |
| 4729 | 633 | Low | A member was removed from a security-enabled global group. |
| 4730 | 634 | Low | A security-enabled global group was deleted. |
| 4731 | 635 | Low | A security-enabled local group was created. |
| 4732 | 636 | Low | A member was added to a security-enabled local group. |
| 4733 | 637 | Low | A member was removed from a security-enabled local group. |
| 4734 | 638 | Low | A security-enabled local group was deleted. |
| 4738 | 642 | Low | A user account was changed. |
| 4740 | 644 | Low | A user account was locked out. |
| 4741 | 645 | Low | A computer account was changed. |
| 4742 | 646 | Low | A computer account was changed. |
| 4743 | 647 | Low | A computer account was deleted. |
| 4744 | 648 | Low | A security-disabled local group was created. |
| 4745 | 649 | Low | A security-disabled local group was changed. |
| 4746 | 650 | Low | A member was added to a security-disabled local group. |
| 4747 | 651 | Low | A member was removed from a security-disabled local group. |
| 4748 | 652 | Low | A security-disabled local group was deleted. |
| 4749 | 653 | Low | A security-disabled global group was created. |
| 4750 | 654 | Low | A security-disabled global group was changed. |
| 4751 | 655 | Low | A member was added to a security-disabled global group. |
| 4752 | 656 | Low | A member was removed from a security-disabled global group. |
| 4753 | 657 | Low | A security-disabled global group was deleted. |
| 4756 | 660 | Low | A member was added to a security-enabled universal group. |
| 4757 | 661 | Low | A member was removed from a security-enabled universal group. |
| 4758 | 662 | Low | A security-enabled universal group was deleted. |
| 4759 | 663 | Low | A security-disabled universal group was created. |
| 4760 | 664 | Low | A security-disabled universal group was changed. |
| 4761 | 665 | Low | A member was added to a security-disabled universal group. |
| 4762 | 666 | Low | A member was removed from a security-disabled universal group. |
| 4767 | 671 | Low | A user account was unlocked. |
| 4768 | 672, 676 | Low | A Kerberos authentication ticket (TGT) was requested. |
| 4769 | 673 | Low | A Kerberos service ticket was requested. |
| 4770 | 674 | Low | A Kerberos service ticket was renewed. |
| 4771 | 675 | Low | Kerberos pre-authentication failed. |
| 4772 | 672 | Low | A Kerberos authentication ticket request failed. |
| 4774 | 678 | Low | An account was mapped for logon. |
| 4775 | 679 | Low | An account could not be mapped for logon. |
| 4776 | 680, 681 | Low | The domain controller attempted to validate the credentials for an account. |
| 4777 | N/A | Low | The domain controller failed to validate the credentials for an account. |
| 4778 | 682 | Low | A session was reconnected to a Window Station. |
| 4779 | 683 | Low | A session was disconnected from a Window Station. |
| 4781 | 685 | Low | The name of an account was changed: |
| 4782 | N/A | Low | The password hash of an account was accessed. |
| 4783 | 667 | Low | A basic application group was created. |
| 4784 | N/A | Low | A basic application group was changed. |
| 4785 | 689 | Low | A member was added to a basic application group. |
| 4786 | 690 | Low | A member was removed from a basic application group. |
| 4787 | 691 | Low | A nonmember was added to a basic application group. |
| 4788 | 692 | Low | A nonmember was removed from a basic application group. |
| 4789 | 693 | Low | A basic application group was deleted. |
| 4790 | 694 | Low | An LDAP query group was created. |
| 4793 | N/A | Low | The Password Policy Checking API was called. |
| 4800 | N/A | Low | The workstation was locked. |
| 4801 | N/A | Low | The workstation was unlocked. |
| 4802 | N/A | Low | The screen saver was invoked. |
| 4803 | N/A | Low | The screen saver was dismissed. |
| 4864 | N/A | Low | A namespace collision was detected. |
| 4869 | 773 | Low | Certificate Services received a resubmitted certificate request. |
| 4871 | 775 | Low | Certificate Services received a request to publish the certificate revocation list (CRL). |
| 4872 | 776 | Low | Certificate Services published the certificate revocation list (CRL). |
| 4873 | 777 | Low | A certificate request extension changed. |
| 4874 | 778 | Low | One or more certificate request attributes changed. |
| 4875 | 779 | Low | Certificate Services received a request to shut down. |
| 4876 | 780 | Low | Certificate Services backup started. |
| 4877 | 781 | Low | Certificate Services backup completed. |
| 4878 | 782 | Low | Certificate Services restore started. |
| 4879 | 783 | Low | Certificate Services restore completed. |
| 4880 | 784 | Low | Certificate Services started. |
| 4881 | 785 | Low | Certificate Services stopped. |
| 4883 | 787 | Low | Certificate Services retrieved an archived key. |
| 4884 | 788 | Low | Certificate Services imported a certificate into its database. |
| 4886 | 790 | Low | Certificate Services received a certificate request. |
| 4887 | 791 | Low | Certificate Services approved a certificate request and issued a certificate. |
| 4888 | 792 | Low | Certificate Services denied a certificate request. |
| 4889 | 793 | Low | Certificate Services set the status of a certificate request to pending. |
| 4891 | 795 | Low | A configuration entry changed in Certificate Services. |
| 4893 | 797 | Low | Certificate Services archived a key. |
| 4894 | 798 | Low | Certificate Services imported and archived a key. |
| 4895 | 799 | Low | Certificate Services published the CA certificate to Active Directory Domain Services. |
| 4898 | 802 | Low | Certificate Services loaded a template. |
| 4902 | N/A | Low | The Per-user audit policy table was created. |
| 4904 | N/A | Low | An attempt was made to register a security event source. |
| 4905 | N/A | Low | An attempt was made to unregister a security event source. |
| 4909 | N/A | Low | The local policy settings for the TBS were changed. |
| 4910 | N/A | Low | The Group Policy settings for the TBS were changed. |
| 4928 | N/A | Low | An Active Directory replica source naming context was established. |
| 4929 | N/A | Low | An Active Directory replica source naming context was removed. |
| 4930 | N/A | Low | An Active Directory replica source naming context was modified. |
| 4931 | N/A | Low | An Active Directory replica destination naming context was modified. |
| 4932 | N/A | Low | Synchronization of a replica of an Active Directory naming context has begun. |
| 4933 | N/A | Low | Synchronization of a replica of an Active Directory naming context has ended. |
| 4934 | N/A | Low | Attributes of an Active Directory object were replicated. |
| 4935 | N/A | Low | Replication failure begins. |
| 4936 | N/A | Low | Replication failure ends. |
| 4937 | N/A | Low | A lingering object was removed from a replica. |
| 4944 | N/A | Low | The following policy was active when the Windows Firewall started. |
| 4945 | N/A | Low | A rule was listed when the Windows Firewall started. |
| 4946 | N/A | Low | A change has been made to Windows Firewall exception list. A rule was added. |
| 4947 | N/A | Low | A change has been made to Windows Firewall exception list. A rule was modified. |
| 4948 | N/A | Low | A change has been made to Windows Firewall exception list. A rule was deleted. |
| 4949 | N/A | Low | Windows Firewall settings were restored to the default values. |
| 4950 | N/A | Low | A Windows Firewall setting has changed. |
| 4951 | N/A | Low | A rule has been ignored because its major version number was not recognized by Windows Firewall. |
| 4952 | N/A | Low | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. |
| 4953 | N/A | Low | A rule has been ignored by Windows Firewall because it could not parse the rule. |
| 4954 | N/A | Low | Windows Firewall Group Policy settings have changed. The new settings have been applied. |
| 4956 | N/A | Low | Windows Firewall has changed the active profile. |
| 4957 | N/A | Low | Windows Firewall did not apply the following rule: |
| 4958 | N/A | Low | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: |
| 4979 | N/A | Low | IPsec Main Mode and Extended Mode security associations were established. |
| 4980 | N/A | Low | IPsec Main Mode and Extended Mode security associations were established. |
| 4981 | N/A | Low | IPsec Main Mode and Extended Mode security associations were established. |
| 4982 | N/A | Low | IPsec Main Mode and Extended Mode security associations were established. |
| 4985 | N/A | Low | The state of a transaction has changed. |
| 5024 | N/A | Low | The Windows Firewall Service has started successfully. |
| 5025 | N/A | Low | The Windows Firewall Service has been stopped. |
| 5031 | N/A | Low | The Windows Firewall Service blocked an application from accepting incoming connections on the network. |
| 5032 | N/A | Low | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. |
| 5033 | N/A | Low | The Windows Firewall Driver has started successfully. |
| 5034 | N/A | Low | The Windows Firewall Driver has been stopped. |
| 5039 | N/A | Low | A registry key was virtualized. |
| 5040 | N/A | Low | A change has been made to IPsec settings. An Authentication Set was added. |
| 5041 | N/A | Low | A change has been made to IPsec settings. An Authentication Set was modified. |
| 5042 | N/A | Low | A change has been made to IPsec settings. An Authentication Set was deleted. |
| 5043 | N/A | Low | A change has been made to IPsec settings. A Connection Security Rule was added. |
| 5044 | N/A | Low | A change has been made to IPsec settings. A Connection Security Rule was modified. |
| 5045 | N/A | Low | A change has been made to IPsec settings. A Connection Security Rule was deleted. |
| 5046 | N/A | Low | A change has been made to IPsec settings. A Crypto Set was added. |
| 5047 | N/A | Low | A change has been made to IPsec settings. A Crypto Set was modified. |
| 5048 | N/A | Low | A change has been made to IPsec settings. A Crypto Set was deleted. |
| 5050 | N/A | Low | An attempt to programmatically disable the Windows Firewall using a call to InetFwProfile.FirewallEnabled(False) |
| 5051 | N/A | Low | A file was virtualized. |
| 5056 | N/A | Low | A cryptographic self test was performed. |
| 5057 | N/A | Low | A cryptographic primitive operation failed. |
| 5058 | N/A | Low | Key file operation. |
| 5059 | N/A | Low | Key migration operation. |
| 5060 | N/A | Low | Verification operation failed. |
| 5061 | N/A | Low | Cryptographic operation. |
| 5062 | N/A | Low | A kernel-mode cryptographic self test was performed. |
| 5063 | N/A | Low | A cryptographic provider operation was attempted. |
| 5064 | N/A | Low | A cryptographic context operation was attempted. |
| 5065 | N/A | Low | A cryptographic context modification was attempted. |
| 5066 | N/A | Low | A cryptographic function operation was attempted. |
| 5067 | N/A | Low | A cryptographic function modification was attempted. |
| 5068 | N/A | Low | A cryptographic function provider operation was attempted. |
| 5069 | N/A | Low | A cryptographic function property operation was attempted. |
| 5070 | N/A | Low | A cryptographic function property modification was attempted. |
| 5125 | N/A | Low | A request was submitted to the OCSP Responder Service |
| 5126 | N/A | Low | Signing Certificate was automatically updated by the OCSP Responder Service |
| 5127 | N/A | Low | The OCSP Revocation Provider successfully updated the revocation information |
| 5136 | 566 | Low | A directory service object was modified. |
| 5137 | 566 | Low | A directory service object was created. |
| 5138 | N/A | Low | A directory service object was undeleted. |
| 5139 | N/A | Low | A directory service object was moved. |
| 5140 | N/A | Low | A network share object was accessed. |
| 5141 | N/A | Low | A directory service object was deleted. |
| 5152 | N/A | Low | The Windows Filtering Platform blocked a packet. |
| 5153 | N/A | Low | A more restrictive Windows Filtering Platform filter has blocked a packet. |
| 5154 | N/A | Low | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. |
| 5155 | N/A | Low | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. |
| 5156 | N/A | Low | The Windows Filtering Platform has allowed a connection. |
| 5157 | N/A | Low | The Windows Filtering Platform has blocked a connection. |
| 5158 | N/A | Low | The Windows Filtering Platform has permitted a bind to a local port. |
| 5159 | N/A | Low | The Windows Filtering Platform has blocked a bind to a local port. |
| 5378 | N/A | Low | The requested credentials delegation was disallowed by policy. |
| 5440 | N/A | Low | The following callout was present when the Windows Filtering Platform Base Filtering Engine started. |
| 5441 | N/A | Low | The following filter was present when the Windows Filtering Platform Base Filtering Engine started. |
| 5442 | N/A | Low | The following provider was present when the Windows Filtering Platform Base Filtering Engine started. |
| 5443 | N/A | Low | The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. |
| 5444 | N/A | Low | The following sublayer was present when the Windows Filtering Platform Base Filtering Engine started. |
| 5446 | N/A | Low | A Windows Filtering Platform callout has been changed. |
| 5447 | N/A | Low | A Windows Filtering Platform filter has been changed. |
| 5448 | N/A | Low | A Windows Filtering Platform provider has been changed. |
| 5449 | N/A | Low | A Windows Filtering Platform provider context has been changed. |
| 5450 | N/A | Low | A Windows Filtering Platform sublayer has been changed. |
| 5451 | N/A | Low | An IPsec Quick Mode security association was established. |
| 5452 | N/A | Low | An IPsec Quick Mode security association ended. |
| 5456 | N/A | Low | PAStore Engine applied Active Directory storage IPsec policy on the computer. |
| 5457 | N/A | Low | PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. |
| 5458 | N/A | Low | PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. |
| 5459 | N/A | Low | PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. |
| 5460 | N/A | Low | PAStore Engine applied local registry storage IPsec policy on the computer. |
| 5461 | N/A | Low | PAStore Engine failed to apply local registry storage IPsec policy on the computer. |
| 5462 | N/A | Low | PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem. |
| 5463 | N/A | Low | PAStore Engine polled for changes to the active IPsec policy and detected no changes. |
| 5464 | N/A | Low | PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services. |
| 5465 | N/A | Low | PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully. |
| 5466 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. |
| 5467 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. |
| 5468 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. |
| 5471 | N/A | Low | PAStore Engine loaded local storage IPsec policy on the computer. |
| 5472 | N/A | Low | PAStore Engine failed to load local storage IPsec policy on the computer. |
| 5473 | N/A | Low | PAStore Engine loaded directory storage IPsec policy on the computer. |
| 5474 | N/A | Low | PAStore Engine failed to load directory storage IPsec policy on the computer. |
| 5477 | N/A | Low | PAStore Engine failed to add quick mode filter. |
| 5479 | N/A | Low | IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
| 5632 | N/A | Low | A request was made to authenticate to a wireless network. |
| 5633 | N/A | Low | A request was made to authenticate to a wired network. |
| 5712 | N/A | Low | A Remote Procedure Call (RPC) was attempted. |
| 5888 | N/A | Low | An object in the COM+ Catalog was modified. |
| 5889 | N/A | Low | An object was deleted from the COM+ Catalog. |
| 5890 | N/A | Low | An object was added to the COM+ Catalog. |
| 6008 | N/A | Low | The previous system shutdown was unexpected |
| 6144 | N/A | Low | Security policy in the Group Policy objects has been applied successfully. |
| 6272 | N/A | Low | Network Policy Server granted access to a user. |
| N/A | 561 | Low | A handle to an object was requested. |
| N/A | 563 | Low | Object open for delete |
| N/A | 625 | Low | User Account Type Changed |
| N/A | 613 | Low | IPsec policy agent started |
| N/A | 614 | Low | IPsec policy agent disabled |
| N/A | 615 | Low | IPsec policy agent |
| N/A | 616 | Low | IPsec policy agent encountered a potential serious failure |
| 24577 | N/A | Low | Encryption of volume started |
| 24578 | N/A | Low | Encryption of volume stopped |
| 24579 | N/A | Low | Encryption of volume completed |
| 24580 | N/A | Low | Decryption of volume started |
| 24581 | N/A | Low | Decryption of volume stopped |
| 24582 | N/A | Low | Decryption of volume completed |
| 24583 | N/A | Low | Conversion worker thread for volume started |
| 24584 | N/A | Low | Conversion worker thread for volume temporarily stopped |
| 24588 | N/A | Low | The conversion operation on volume %2 encountered a bad sector error. Please validate the data on this volume |
| 24595 | N/A | Low | Volume %2 contains bad clusters. These clusters will be skipped during conversion. |
| 24621 | N/A | Low | Initial state check: Rolling volume conversion transaction on %2. |
| 5049 | N/A | Low | An IPsec Security Association was deleted. |
| 5478 | N/A | Low | IPsec Services has started successfully. |

Note

Refer to Microsoft Support article 947226 for lists of many security event IDs and their meanings.

Run wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true to get a very detailed listing of all security event IDs.

For more information about Windows security event IDs and their meanings, see the Microsoft Support articles Description of security events in Windows Vista and in Windows Server 2008 and Description of security events in Windows 7 and in Windows Server 2008 R2. You can also download Security Audit Events for Windows 7 and Windows Server 2008 R2 and Windows 8 and Windows Server 2012 Security Event Details, which provide detailed event information for the referenced operating systems in spreadsheet format.
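As an added example (it is not part of the Microsoft appendix or of these notes), the PowerShell below applies the appendix's baseline rule to a handful of the Security-log IDs listed in the table: it counts each ID over the last 24 hours and flags any whose count exceeds a per-ID baseline, which is how Low- and Medium-criticality events are meant to be triaged. The baseline numbers are constructed placeholders and must be replaced with values measured in your own environment; table IDs that are written to other logs (6008 in System, the 245xx BitLocker events in the BitLocker-API log) are deliberately left out because the query is scoped to the Security log.

```powershell
# Added example, not from the Microsoft appendix. Counts selected Security-log
# event IDs from the "Events to Monitor" table over a time window and reports
# the ones that exceed an expected baseline, per the appendix's guidance that
# Low/Medium events are only worth investigating above the measured norm.

# Constructed placeholder baselines (expected count per 24h); tune from your data.
$Baseline = @{
    5049 = 50     # IPsec Security Association deleted: normal churn on busy hosts
    5478 = 2      # IPsec Services started: roughly once per boot
    5479 = 0      # IPsec Services shut down: weakens the host, look at every one
    5888 = 0      # COM+ Catalog object modified
    5889 = 0      # COM+ Catalog object deleted
    5890 = 0      # COM+ Catalog object added
    6272 = 500    # NPS granted access: only meaningful on NPS servers
}

$Since = (Get-Date).AddHours(-24)

# One query for all IDs. Get-WinEvent raises a non-terminating error when
# nothing matches, so that case is silenced and treated as a count of zero.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$Baseline.Keys
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Tally occurrences per event ID.
$counts = @{}
foreach ($e in $events) {
    $counts[$e.Id] = 1 + [int]$counts[$e.Id]
}

# Compare each ID against its baseline and build a report row per ID.
$report = foreach ($id in ($Baseline.Keys | Sort-Object)) {
    $n = [int]$counts[$id]
    [pscustomobject]@{
        EventId  = $id
        Count    = $n
        Baseline = $Baseline[$id]
        Action   = if ($n -gt $Baseline[$id]) { 'INVESTIGATE' } else { 'within baseline' }
    }
}

$report | Format-Table -AutoSize
```

Reading the Security log requires an elevated session or membership in the Event Log Readers group. A baseline of 0 turns an ID into a "one occurrence is enough" alert, which is how the appendix treats High-criticality events; the same script can therefore cover both classes once the baseline table reflects what your hosts normally produce.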

Incident Response Playbook

10 December 2017

Incident source

  • Any attacks affecting critical assets
  • Denial-of-Service attacks that isolate or impede critical service or network performance
  • Malicious logic (virus) attacks that isolate enclaves
  • Administrator/root-level access obtained by unauthorized personnel

  • Significant trends suspected in incidents or events
  • Indication of multiple suspected systems
  • Suspected e-mail spoofing
  • Unauthorized probes or scans of the network

  • Unusual system performance or behavior
  • Unplanned system crashes, outages, or configuration changes
  • Suspicious files identified on a server
  • Missing data, files, or programs
  • Unexplained access privilege changes
  • Poor security practices
  • Unusual after-hours system activity
  • Simultaneous logins by the same user from different IP addresses
  • Unauthorized activity by privileged users

  • System compromise internal
  • System compromise cloud
  • Theft of confidential information
  • Theft or loss of mobile device/media
  • Malware
  • Phishing

Incident Responder playbook with flow

  • https://www.incidentresponse.com/playbooks/malware-outbreak
  • https://www.incidentresponse.com/playbooks/phishing
  • https://www.incidentresponse.com/playbooks/data-theft
  • https://www.incidentresponse.com/playbooks/virus-outbreak
  • https://www.incidentresponse.com/playbooks/ddos
  • https://www.incidentresponse.com/playbooks/unauthorized-access
  • https://www.incidentresponse.com/playbooks/elevation-of-privilege
  • https://www.incidentresponse.com/playbooks/root-access
  • https://www.incidentresponse.com/playbooks/improper-computer-usage

Handbook

  • http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
  • https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
  • https://resources.sei.cmu.edu/asset_files/Handbook/2003_002_001_14102.pdf
  • https://www.nasa.gov/pdf/589502main_ITS-HBK-2810.09-02%20%5BNASA%20Information%20Security%20Incident%20Management%5D.pdf
  • https://www.cybersecuritycoalition.be/content/uploads/cybersecurity-incident-management-guide-EN.pdf

Other resources

  • https://www.crest-approved.org/wp-content/uploads/2014/11/CSIR-Procurement-Guide.pdf
  • https://www.it-cube.net/wp-content/uploads/2017/09/Exabeam_Incident_Response_for_Top_3_Security_Scenarios.pdf

Log Analysis Tools - various

Forensic | 28 November 2017

Log Analysis Tool Kit (LATK)

  • https://www.cert.org/digital-intelligence/tools/latke.cfm?
  • https://forensics.cert.org/latk/

Piwik Server Log Analytics

  • https://github.com/piwik/piwik-log-analytics
  • http://energynumbers.info/piwik/misc/log-analytics/import_logs.py

apache-scalp

  • https://code.google.com/archive/p/apache-scalp/

PHPIDA

AWStats

  • http://awstats.sourceforge.net/

FruityWifi on Raspberry-Pi

13 December 2016

FruityWifi is an open source tool to audit wireless networks. It allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it.

http://www.fruitywifi.com/index_eng.html

Train the Team

12 December 2016
https://www.counterhackchallenges.com/

Extra space with extroot for LEDE

27 November 2016

# necessary package
opkg update
opkg install block-mount

# mount device
mkdir /mnt/sda1
mount /dev/sda2 /mnt/sda1

# copy root directory content
mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda1 -xf -
umount /tmp/cproot

# configure /etc/config/fstab
block detect > /etc/config/fstab

# edit the generated file so the entry for the new partition looks like this
vi /etc/config/fstab
config global
        option anon_swap '0'
        option anon_mount '1'
        option auto_swap '1'
        option auto_mount '1'
        option delay_root '5'
        option check_fs '0'
        option from_fstab '1'

config mount
        option uuid 'some-uuid'
        option enabled '1'
        option target '/'
        option options 'rw,sync'
        option fstype 'ext4'
        option enabled_fsck '0'

# reboot and check
mount

Zeltser Security Cheat Sheets

11 November 2016

src: https://zeltser.com/cheat-sheets/

REMnux Usage Tips for Malware Analysis on Linux

Key tools and commands for analyzing malicious software on the REMnux Linux distribution:

Tips for Creating an Information Security Assessment Report

This cheat sheet presents recommendations for creating a strong report as part of an information security assessment project.

Critical Log Review Checklist for Security Incidents

Checklist for reviewing critical logs when responding to a security incident; it can also be used for routine log review. Co-authored with Anton Chuvakin:

Analyzing Malicious Documents Cheat Sheet

Tips and tools for reverse-engineering malicious documents, such as Microsoft Office (DOC, XLS, PPT) and Adobe Acrobat (PDF) files:

Security Architecture Cheat Sheet for Internet Applications

Tips for the initial design and review of a complex Internet application’s security architecture:

Troubleshooting Human Communications

Communication tips for technologists, engineers, and information workers:

Security Incident Survey Cheat Sheet for Server Administrators

Tips for examining a potentially-compromised server to decide whether to escalate for formal incident response:

Initial Security Incident Questionnaire for Responders

The questions the incident handler should consider asking when taking control of a qualified incident:

Network DDoS Incident Response Cheat Sheet

Advice for battling a network DDoS attack on your infrastructure:

Reverse-Engineering Malware Cheat Sheet

Shortcuts and tips for analyzing malicious software:

Information Security Assessment RFP Cheat Sheet

Tips for planning, issuing and reviewing RFPs for information security assessments:

How to Suck at Information Security

Common information security mistakes, so you can avoid making them:

Report Template for Threat Intelligence and Incident Response

A report template and framework for capturing key details related to a large-scale intrusion and documenting them in a comprehensive, well-structured manner.

Windows Active Directory analysis

11 November 2016
https://gallery.technet.microsoft.com/Active-Directory-Audit-7754a877#!

SANS Checklists & Step-by-Step Guides

8 November 2016

A Scalable, Open Source and Free Incident Response Platform

7 November 2016

  • Collaborate: Multiple SOC and CERT analysts can simultaneously collaborate on investigations. Thanks to the built-in flow, real time information pertaining to new and existing cases, tasks, observables and IOCs is available to all team members. Special notifications allow them to handle or assign new tasks, preview new MISP events and investigate them right away.
  • Elaborate: Cases and associated tasks can be created using a simple yet powerful template engine. You may add metrics to your templates to drive your team's activity, identify the type of investigations that take significant time and seek to automate tedious tasks. Each task can have multiple work logs to record the ongoing work, attach pieces of evidence or noteworthy files.
  • Analyze: Add one, hundreds or thousands of observables to each case that you create or import them directly from a MISP event. Quickly triage and filter them. Harness the provided analyzers or create your own to gain precious insight and speed up your investigation. Leverage tags, flag IOCs, and identify previously seen observables to feed your threat intelligence.

https://github.com/CERT-BDF/TheHive

CIS on Windows 7

2 November 2016

Security Configuration Benchmark For

Version 1.1.0
July 30th 2010
Microsoft Windows 7

https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_7_Benchmark_v1.1.0.pdf

.Net Obfuscation

10 August 2016

http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm

not ethical: ! https://www.youtube.com/watch?v=Gq6hLf3uq3k

sample of security by obscurity!

Hacking Sites, CTFs and Wargames

8 August 2016

InfoSec skills are in such high demand right now. As the world continues to turn everything into an app and connect even the most basic devices to the internet, the demand is only going to grow, so it’s no surprise everyone wants to learn hacking these days.

However, almost every day I come across a forum post where someone is asking where they should begin to learn hacking or how to practice hacking. I’ve compiled this list of some of the best hacking sites to hopefully be a valuable resource for those wondering how they can build and practice their hacking skill set. I hope you find this list helpful, and if you know of any other quality hacking sites, please let me know in the comments, so I can add them to the list.

1. CTF365

On CTF365 users build and defend their own servers while launching attacks on other users’ servers. The CTF365 training environment is designed for security professionals who are interested in training their offensive skills or sysadmins interested in improving their defensive skills. If you are a beginner to infosec, you can sign up for a free beginner account and get your feet wet with some pre-configured vulnerable servers.

2. OverTheWire

OverTheWire is designed for people of all experience levels to learn and practice security concepts. Absolute beginners are going to want to start on the Bandit challenges because they are the building blocks you’ll use to complete the other challenges.

3. Hacking-Lab

Hacking-Lab provides the CTF challenges for the European Cyber Security Challenge, but they also host ongoing challenges on their platform that anyone can participate in. Just register a free account, set up the VPN and start exploring the challenges they offer.

4. pwnable.kr

pwnable.kr focuses on ‘pwn’ challenges, similar to CTF, which require you to find, read and submit ‘flag’ files corresponding to each challenge. You must use some sort of programming, reverse-engineering or exploitation skill to access the content of the files before you are able to submit the solution.

They divide up the challenge into 4 skill levels: Toddler’s Bottle, Rookiss, Grotesque and Hacker’s Secret. Toddler’s Bottle are very easy challenges for beginners, Rookiss is rookie level exploitation challenges, Grotesque challenges become much more difficult and painful to solve and, finally, Hacker’s Secret challenges require special techniques to solve.

5. IO

IO is a wargame from the creators of netgarage.org, a community project where like-minded people share knowledge about security, AI, VR and more. They’ve created 3 versions, IO, IO64 and IOarm, with IO being the most mature. Connect to IO via SSH and you can begin hacking on their challenges.

6. SmashTheStack

SmashTheStack is comprised of 7 different wargames – Amateria, Apfel (currently offline), Blackbox, Blowfish, CTF (currently offline), Logic and Tux. Every wargame has a variety of challenges ranging from standard vulnerabilities to reverse engineering challenges.

7. Microcorruption

Microcorruption is an embedded security CTF where you have to reverse engineer fictional Lockitall electronic lock devices. The Lockitall devices secure the bearer bonds housed in warehouses owned by the also fictional Cy Yombinator company. Along the way you’ll learn some assembly, how to use a debugger, how to single step the lock code, set breakpoints, and examine memory all in an attempt to steal the bearer bonds from the warehouses.

8. reversing.kr

reversing.kr has 26 challenges to test your cracking and reverse engineering abilities. The site hasn’t been updated since the end of 2012, but the challenges available are still valuable learning resources.

9. Hack This Site

Hack This Site is a free wargames site to test and expand your hacking skills. It features numerous hacking missions across multiple categories including Basic, Realistic, Application, Programming, Phonephreaking, JavaScript, Forensic, Extbasic, Stego and IRC missions. It also boasts a large community with a large catalog of hacking articles and a forum for discussions on security-related topics. Finally, they’ve recently announced they are going to be overhauling the dated site and codebase, so expect some big improvements in the coming months.

10. W3Challs

W3Challs is a pentesting training platform with numerous challenges across different categories including Hacking, Cracking, Wargames, Forensic, Cryptography, Steganography and Programming. The aim of the platform is to provide realistic challenges, not simulations, and points are awarded based on the difficulty of the challenge (easy, medium, hard). There’s a forum where you can discuss and walk through the challenges with other members.

11. pwn0

pwn0 is the VPN where (almost) anything goes. Go up against pwn0bots or other users and score points by gaining root on other systems.

12. Exploit Exercises

Exploit Exercises provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues.

13. RingZer0 Team Online CTF

RingZer0 Team Online CTF offers a ton of challenges, 234 as of this post, that will test your hacking skills across multiple categories including Cryptography, Jail Escaping, Malware Analysis, SQL Injection, Shellcoding and more. After you successfully complete a challenge, you can write up your solution and submit it to the RingZer0 Team. If your write up is accepted, you’ll earn RingZer0Gold which can be exchanged for hints during future challenges.

14. Hellbound Hackers

Hellbound Hackers offers traditional exploit challenges, but they also offer some challenges that others don’t, such as web and app patching and timed challenges. The web and app patching challenges have you evaluating a small snippet of code, identifying the exploitable line of code and suggesting the code to patch it. The timed challenges have the extra constraint of solving the challenge in a set amount of time. I thought these two categories were a cool differentiator from most other CTF sites.

15. Try2Hack

Try2Hack provides several security oriented challenges for your entertainment and is one of the oldest challenge sites still around. The challenges are diverse and get progressively harder.

16. Hack.me

Hack.me is a large collection of vulnerable web apps for practicing your offensive hacking skills. All vulnerable web apps are contributed by the community and each one can be run on the fly in a safe, isolated sandbox.

17. HackThis!!

HackThis!! is comprised of 50+ hacking levels, each worth a set number of points depending on its difficulty level. Similar to Hack This Site, HackThis!! also features a lively community, numerous hacking-related articles and news, and a forum where you can discuss the levels and security-related topics that might be of interest to you.

18. Enigma Group

Enigma Group has over 300 challenges with a focus on the OWASP Top 10 exploits. They boast nearly 48,000 active members and host weekly CTF challenges as well as weekly and monthly contests.

19. Google Gruyere

Google Gruyere shows how web application vulnerabilities can be exploited and how to defend against these attacks. You’ll get a chance to do some real penetration testing and actually exploit a real application with attacks like XSS and XSRF.

20. Game of Hacks

Game of Hacks presents you with a series of code snippets, multiple choice quiz style, and you must identify the correct vulnerability in the code. While it’s not nearly as in depth as the others on this list, it’s a nice game for identifying vulnerabilities within source code.

21. Root Me

Root Me hosts over 200 hacking challenges and 50 virtual environments allowing you to practice your hacking skills across a variety of scenarios. It’s definitely one of the best sites on this list.

22. CTFtime

While CTFtime is not a hacking site like the others on this list, it is a great resource to stay up to date on CTF events happening around the globe. So if you’re interested in joining a CTF team or participating in an event, then this is the resource for you.

source: https://hackerlists.com/hacking-sites/

Android Reverse Engineering Tools

8 August 2016

A curated list of awesome Android reverse engineering tools.

Be sure to check out our list of IDA Pro alternatives and best deobfuscation tools, too.

1. Smali/Baksmali

smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM implementation. The syntax is loosely based on Jasmin’s/dedexer’s syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)

2. AndBug

AndBug is a debugger targeting the Android platform’s Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android’s Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes.

Unlike Google’s own Android Software Development Kit debugging tools, AndBug does not require or expect source code. It does, however, require that you have some level of comfort with Python, as it uses a concept of scripted breakpoints, called “hooks”, for most nontrivial tasks.

3. Androguard

Androguard is a full python tool to play with Android files.

  • DEX, ODEX
  • APK
  • Android’s binary xml
  • Android resources
  • Disassemble DEX/ODEX bytecodes
  • Decompiler for DEX/ODEX files

4. Apktool

A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step. It also makes working with an app easier thanks to its project-like file structure and the automation of some repetitive tasks, like building the APK.

Features:

  • Disassembling resources to nearly original form (including resources.arsc, classes.dex, 9.png. and XMLs)
  • Rebuilding decoded resources back to binary APK/JAR
  • Organizing and handling APKs that depend on framework resources
  • Smali Debugging (Removed in 2.1.0 in favor of IdeaSmali)
  • Helping with repetitive tasks

5. Android Framework for Exploitation

Android Framework for Exploitation is a framework for exploiting android based devices and applications.

6. Bypass signature and permission checks for IPCs

This tool leverages Cydia Substrate to bypass signature and permission checks for IPCs.

7. Android OpenDebug

This tool leverages Cydia Substrate to make all applications running on the device debuggable; once installed any application will let a debugger attach to them.

8. Dare

Dare is a project which aims at enabling Android application analysis. The Dare tool retargets Android applications in .dex or .apk format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techniques developed for traditional Java applications.

9. Dex2Jar

Tools to work with android .dex and java .class files.

10. Enjarify

Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode. This allows Java analysis tools to analyze Android applications.

11. Dedexer

Dedexer is a disassembler tool for DEX files. DEX is a format introduced by the creators of the Android platform. The format and the associated opcode set are distantly related to the Java class file format and Java bytecodes. Dedexer is able to read the DEX format and turn it into an “assembly-like format”. This format was largely influenced by the Jasmin syntax but contains Dalvik opcodes. For this reason, Jasmin is not able to compile the generated files.

12. Fino

An Android Dynamic Analysis Tool.

13. Indroid

The aim of the project is to demonstrate that a simple debugging facility on *nix systems, ptrace(), can be abused by malware to inject malicious code into remote processes. Indroid provides a CreateRemoteThread() equivalent for ARM-based *nix devices.

If you want to get a deeper insight into the working of the framework you may:

14. IntentSniffer

Intent Sniffer is a tool that can be used on any device using the Google Android operating system (OS). On the Android OS, an Intent is a description of an action to be performed, such as startService to start a service. The Intent Sniffer tool monitors runtime-routed broadcast Intents. It does not see explicit broadcast Intents, but defaults to (mostly) unprivileged broadcasts. There is an option to see recent tasks’ Intents (GET_TASKS), as an Activity’s Intents are visible when it is started. The tool can also dynamically update Actions & Categories.

15. Introspy

Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.

16. JAD

Jad is a Java decompiler.

17. JD-GUI

JD-GUI is a standalone graphical utility that displays the Java source code of “.class” files. You can browse the reconstructed source code with JD-GUI for instant access to methods and fields.

18. CFR

CFR will decompile modern Java features – Java 8 lambdas (pre and post Java beta 103 changes), Java 7 String switches etc, but is written entirely in Java 6.

19. Krakatau

Krakatau currently contains three tools – a decompiler and disassembler for Java classfiles and an assembler to create classfiles.

20. Procyon

While still incomplete, tests seem to indicate that the Procyon decompiler can generally hold its own against the other leading Java decompilers out there.

21. FernFlower

Fernflower is the first actually working analytical decompiler for Java.

22. Redexer

Redexer is a reengineering tool that manipulates Android app binaries. This tool is able to parse a DEX file into an in-memory data structure; to infer with which parameters the app uses certain permissions (we name this feature RefineDroid); to modify and unparse that data structure to produce an output DEX file (we name these features Dr. Android, which stands for Dalvik Rewriting for Android).

23. Simplify Android deobfuscator

Simplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn’t matter which specific type of obfuscation is used.

24. Bytecode viewer

Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more.

It’s written completely in Java, and it’s open sourced. It’s currently being maintained and developed by Konloch.

There is also a plugin system that will allow you to interact with the loaded classfiles, for example you can write a String deobfuscator, a malicious code searcher, or something else you can think of.

You can either use one of the pre-written plugins, or write your own. It supports groovy scripting. Once a plugin is activated, it will execute the plugin with a ClassNode ArrayList of every single class loaded in BCV, this allows the user to handle it completely using ASM.

25. Radare2

r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files.

Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later added support for reversing apks, analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, etc…

source: https://hackerlists.com/android-reverse-engineering-tools/

Manual of style in English

21 March 2016

The Gregg Reference Manual: A Manual of Style, Grammar, Usage, and Formatting Tribute Edition

Guidelines for Writing English Language Technical Documentation for an International Audience Prepared by the INTECOM International Language Project Group

Microsoft Manual of Style 4th edition 

Metasploit Joseph McCray

20 March 2016

Microsoft Improving Web Application Security Threats and Countermeasures

13 March 2016

GIAC - GREM

6 March 2016

EU-US Privacy Shield

15 February 2016

Protection of system security

3 November 2015

DaVinci - hacking team data

8 July 2015

source:

HACKING TEAM CLIENT RENEWAL DATES
From: Client List_Renewal date.xlsx

Name    Country    Name    Maintenance    Status
AFP    Australia    Australian Federal Police     -    Expired
AZNS    Azerbaijan    Ministry of National Defence    6/30/2015    Active
BHR    Bahrain    Bahrain     5/5/2015    Not Active
PHANTOM    Chile    Policia de Investigation    12/10/2018    Delivery scheduled (end of november)
MDNP    Colombia    Policia Nacional Intelligencia    10/30/2016    Active
SENAIN    Ecuador    Seg. National de intelligencia    10/30/2016    Active
GNSE    Egypt    Min. Of Difence    12/31/2014    Active
INSA    Ethiopia    Information Network Security Agency    10/31/2015    Active
HON    Honduras    Hera Project - NICE    4/30/2015    Active
INTECH-CONDOR    K Iraqi    Kurdistan Iracheno    6/30/2015    Active
KNB    Kazakistan    National Security Office    12/31/2014    Active
MACC    Malaysia    Malaysia AntiCorruption Commission    1/31/2014    Expired
MIMY    Malaysia    Malaysia Intelligene     12/31/2014    Active
PMO    Malaysia    Prime Minister Office    3/31/2015    Active
CUSAEM    Mexico    Police    -    Expired
DUSTIN    Mexico    Durango State Government    11/30/2015    Active
EDQ    Mexico    Queretaro State Government    3/31/2014    Expired
GEDP    Mexico    Puebla State Government    7/31/2014    Expired
MCDF    Mexico    Mexico Police    -    Expired
MXNV    Mexico    Mexico Navy    -    Expired
PEMEX    Mexico    Army Mexico    3/31/2015    Not Active
PF    Mexico    Policia Federal    -    Expired
PGJEM    Mexico    Procuradoria General De Justicia    12/31/2014    Active
SDUC    Mexico    Campeche State Governement    6/30/2014    Expired
SEGOB    Mexico    Seg. National de Gobernacion (CISEN)    12/31/2014    Active
SEPYF    Mexico    State Government Baja California    9/21/2015    Active
SSPT    Mexico    TaumalipasState Government    7/20/2015    Active
YUKI    Mexico    Yucatan State Government    11/30/2015    Active
MOACA    Mongolia    Ind. Authoirty Anti Corruption    6/3/2015    Active
ALFAHAD-PROD    Morocco    Minister of Interior    12/31/2014    Active
CSDN-01    Morocco    Intelligence Agency    12/31/2014    Active
BSGO    Nigeria    Bayelsa Government    11/30/2013    Expired
ORF    Oman    Excellence Tech group Oman    12/31/2014    Active
PANP    Panama    President Security Office     5/31/2014    Expired
KVANT    Russia    Intelligence Kvant Research     11/30/2014    Not officially supported
GIP    Saudi Arabia    General Intelligence Presidency    12/31/2015    Active
MOD    Saudi Arabia    Minister of Difence     7/15/2015    Active
TCC-GID    Saudi Arabia    Genaral Intelligence Direcotrate    6/1/2015    Active
IDA-PROD    Singapore    Infocomm Development Agency    2/28/2015    Active
SKA    South Korea    The Army South Korea    12/31/2014    Active
NISS-01    Sudan    National Intelligence Security Service    12/31/2014    Not officially supported
THDOC    Thailand    Thai Police - Dep. Of Correctoin    7/31/2014    Expired
ATI    Tunisia    Tunisia (demo)    7/3/2011    Expired
TNP    Turkey    Turkish Police    11/10/2014    Active
MOI    UAE    Minister of Interior    12/31/2014    Active
UAEAF    UAE    UAE Air Force    5/31/2015    Active
DOD    USA    Dep.of Defence        Not Active
KATIE    USA    Drug Enforcement Agency    12/31/2014    Active
PHOEBE-PROD    USA    FBI - USA    6/30/2015    Active
NSS    Uzbekistan    National Security Service    1/31/2015    Active
                
                
                
EU Clients                
EU     Cyprus    Cyprus Intelligence Service    1/29/2015    Active
EU     Czech Republic    UZC Cezch Police     12/31/2014    Active
EU     Hungary    Special Service National Security    12/31/2014    Active
EU     Hungary    Intelligence Inforamtion Office    12/31/2014    Active
EU     Luxembourg    Luxemburg Tax authority    5/31/2015    Active
EU     Poland    Central Anticorruption Bureau    7/31/2015    Active
EU     Spain    Policia Nacional    1/31/2016    Expired
EU     Spain    Centro Nacional de Intelligencia    1/31/2016    Active
                
                
            Tot Active    38
            Tot Expired    14
            Not Active    3
            Other

mandiant free forensic tools

24 June 2015
Source: https://www.mandiant.com/resources/downloads
  • Redline®

    Redline® is a free utility that accelerates the process of triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis.

  • IOC Editor

    Mandiant's IOC Editor is a free editor for Indicators of Compromise (IOCs).

  • IOC Finder

    Mandiant's IOC Finder is a free tool for collecting host system data and reporting the presence of Indicators of Compromise (IOCs).

  • Memoryze™

    Free memory forensics software designed to help incident responders find evil within live memory.

  • Memoryze™ for the Mac

    Free memory forensics software designed to help incident responders find evil within live memory.

  • Highlighter™

    Highlighter is designed to help security analysts and system administrators rapidly review log and other structured text files.

  • Web Historian™

    Web Historian’s capabilities have been consolidated into Mandiant Redline.

  • Research: PdbXtract™

    PdbXtract is a tool to help you explore symbolic type information as extracted from Microsoft programming database files.

  • Research: Mandiant ApateDNS™

    Mandiant ApateDNS is a tool for controlling DNS responses through an easy to use graphical user interface (GUI).

  • Research: Mandiant Heap Inspector™

    Mandiant Heap Inspector is a heap visualization and analysis tool. It has the ability to collect a process' heaps using both API and raw methods.

Directive 2013/40/EU of the European Parliament on attacks against information systems

21 June 2015

The objectives of the directive are: to approximate the criminal law of the Member States in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offences and the relevant sanctions, and to improve cooperation between competent authorities, including the police and other specialised law enforcement services of the Member States, as well as the competent specialised agencies and bodies of the Union, such as Eurojust, Europol and its European Cybercrime Centre, and the European Network and Information Security Agency (ENISA).

Replaces 2005/222/JHA

English: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:218:0008:0014:EN:PDF

Polish: http://bip.ms.gov.pl/Data/Files/_public/bip/prawo_eu/ue2/dyrektywa-2013_40_ue-o-cyberprzestepczosci.pdf

ISO27000 - Information technology — Security techniques — Information security management systems — Overview and vocabulary

21 June 2015

Publicly available ISO standard (mirror from)

http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

ISO_IEC_27000_2014.pdf

ISO_IEC_27036_2014.pdf

ENISA: published training materials

21 June 2015

mapping of standards for incident response

21 June 2015

MACCSA - Multinational Alliance for Collaborative Cyber Situational Awareness

up-to-date software checker

Analysis and comparison | 29 April 2015

Free software (for home users +)

Paid software (including for home users)

UNITE and the malware environment

Unified Network of Instructors and Trusted Eliminators | 27 April 2015