Whitepaper “Windows Malicious Events Detection with Security Monitoring”
The Microsoft Windows operating system generates a large quantity of events, which are described in the technical documentation that Microsoft publishes in its TechNet knowledge base.
Windows logs both events that occur within the operating system itself and events raised by the applications and services installed on the computer. Depending on the auditing level enabled on the computer, the activity of all such events can be inspected in the Event Viewer.
Exploring every event log across multiple computers is an arduous task that requires a lot of time and resources. Automatic tools can be used to identify and correlate events, allowing us to recognise patterns that correspond to malicious behaviour and, accordingly, to generate automatic alerts when they occur.
Security Monitoring has this potential, and in the present document we describe a few small proof-of-concept tests that were performed on the computer of the Chief Data Officer of Telefónica, using this tool to identify such patterns.