January 20, 2023 | Joe Dibley

Four Challenges with Monitoring Active Directory Security

With attackers constantly developing new tactics to compromise credentials and data, it is increasingly important to monitor critical systems such as Active Directory (AD) for signs of malicious activity. Many organizations turn to security information and event management (SIEM) products for...
December 20, 2022 | Dirk Schrader

Event Log Monitoring and Log Audit Software Basics

Event logs can help you spot and troubleshoot security events so you can protect your systems and data. However, log records can be hard to read, and logs so noisy that you often have to sift through pages of events to identify critical events and potential threats. Read on to learn...
November 30, 2021 | Jeff Warren

Performing Pass-the-Hash Attacks with Mimikatz

Mimikatz has become the standard tool for extracting passwords and hashes from memory, performing pass-the-hash attacks, and creating domain persistence through Golden Tickets. Let’s take a look at how easy Mimikatz makes it to perform pass-the-hash and other authentication-based...
November 30, 2021 | Jeff Warren

How to Detect Pass-the-Hash Attacks

Attackers frequently rely on lateral movement techniques to infiltrate corporate networks and obtain privileged access to credentials and data. In particular, one common technique is pass-the-hash: Hackers use stolen password hashes to authenticate as a user without ever having the user's...
April 28, 2021 | Jeff Melnick

SIEM vs Log Management

It now takes organizations 207 days to identify and 73 days to contain security breaches, according to IBM's 2020 Cost of a Data Breach Report. That means the average "lifecycle" of an incident is a staggering 280 days — 7 months! Moreover, cybercrimes are becoming increasingly sophisticated...
January 15, 2016 | Adam Bertram

How to Get User Logon Session Times from the Event Log

If you’re a knowledge worker, to be productive in a work environment, you’re probably going to need a user account. And you’re probably going to need to actually use this user account to log in to your office and mobile devices. If you don’t, you’re probably not going to be working at that...
November 6, 2015 | Adam Bertram

Windows Event Log Forwarding in Windows Server 2008

I love Active Directory auditing. I love it because with just a couple clicks of the mouse I can easily create a policy that immediately gets applied to 500 servers that begins recording useful information on about everything that goes on involving those servers. What I hate about AD auditing is...
September 22, 2015 | Adam Bertram

Tracking Malicious Windows Server Events with PowerShell

Windows servers can potentially generate thousands—or even hundreds of thousands—of events daily. Most are created from perfectly safe events that system administrators use to get a glimpse of what’s going on. An event might be generated to indicate a disk is running out of free space, an...
July 16, 2015 | Adam Bertram

Easy Event Log Querying with PowerShell

If you’re using any kind of native Active Directory (AD) auditing today you probably love the information it generates in the security event log. Native AD auditing is awesome about generating loads of useful information as to what happened and when. The problem arises when you actually want to...
April 29, 2015 | Russell Smith

Advanced Event Log Filtering Using PowerShell

In a previous blog post, Monitoring Event Logs with PowerShell, I showed you how to use Get-WinEvent to perform basic event log monitoring using PowerShell. In this article, I want to demonstrate how Get-WinEvent can be used to run more complex queries using the –FilterHashtable...