Windows Logging & Sysmon

Windows Logging Recommendations

In order to properly detect malicious activity on Windows machines, you will need to improve the default log settings. We have created a seperate project to document what log settings need to be enabled as well as scripts to automatically enable the proper settings at https://github.com/Yamato-Security/EnableWindowsLogSettings.

We also recommend the following sites for guidance:

• JSCU-NL (Joint Sigint Cyber Unit Netherlands) Logging Essentials
• ACSC (Australian Cyber Security Centre) Logging and Fowarding Guide
• Malware Archaeology Cheat Sheets

Sysmon Related Projects

To create the most forensic evidence and detect with the highest accuracy, you need to install sysmon. We recommend the following sites and config files:

• TrustedSec Sysmon Community Guide
• Sysmon Modular
• SwiftOnSecurity Sysmon Config
• SwiftOnSecurity Sysmon Config fork by Neo23x0
• SwiftOnSecurity Sysmon Config fork by ion-storm