I think I saw this passed around on Twitter first: Detecting Lateral Movement through Tracking Event Logs [PDF] from the Japan CERT. The blog link actually goes into more detail about the purpose, which is to assist incident responders. But this can be equally useful to incident detection to highlight some log entries to look for that may indicate potential malicious actors. This is also useful for pen testers who are tasked (directly or indirectly) with testing or evading blue teams. Even in a lab, a pen tester can initiate some of these attacks or actions and validate what they see or what artifacts they leave behind on systems. Near the end, there are even supporting steps to make sure proper logging settings are in place to see these events. (Gee, tracking Executing Processes pretty much covers most of it, eh?)
And like many settings in security, the paper at least makes mention that there are considerations to make before making audit log changes. For instance, tracking executing processes (or written files) will generate a large number of entries in the logs, causing them to fill up and roll over or flood your log collectors or SIEMs and maybe challenge your backup capacity. As always, keep in mind the big picture when making settings/architecture decisions.
Very cool list. It’s things like this that I have a hard time figuring out how to save and consume. Do I add a menu link in “resources” to the paper, keep my own list of this somewhere, or just hope to remember I have it here?