Cyber Monitoring

From Glitchdata

Artefacts to monitor for cyber security purposes, grouped by source, with a suggested collection priority:

Host-based Artefacts

  • All event logs describing the actions of an executable or file must include a cryptographic hash (e.g. SHA-256) of that item, so the record can still be matched against threat intelligence after the file has been deleted or replaced (High Priority)
  • Identity data: the permissions and usernames of all accounts (High Priority)
  • USB device connectivity (High Priority)
  • Browser history (High Priority)
  • Web server logs (host-based) (High Priority)
  • Event logs (High Priority)
  • Anti-virus detections, including the action taken on detection (High Priority)
  • Listening ports and the services bound to them (Medium Priority)
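The first item above asks that execution logs carry a hash of the executable. The following is an added example (not code from the Glitchdata page) showing what that looks like in practice: the event record is built at process-start time with the image's SHA-256, and the hash is then matched against a denylist. The JSON field names, the denylist shape and the sample payload are assumptions made for the example.

```python
"""Emit a process-execution event that carries the executable's hash.

Added example, not part of the original page. Assumes a minimal JSON event
shape (field names chosen here) and a caller-supplied set of SHA-256 digests
acting as a denylist.
"""
import hashlib
import os
import tempfile
import time

# Constructed stand-in for an executable's bytes (not a real binary).
SAMPLE_PAYLOAD = b"MZ\x90\x00fake-payload-for-demo"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def file_sha256(path, chunk_size=1 << 20):
    """Stream the file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_execution_event(path, user, pid, ts=None):
    """Return a log record for 'user ran path as pid' including the file hash.

    Hashing at event time matters: the file may be deleted or overwritten
    before an analyst looks at the log, so the hash is the durable identifier.
    """
    st = os.stat(path)
    return {
        "event": "process_start",
        "ts": ts if ts is not None else time.time(),
        "user": user,
        "pid": pid,
        "image": os.path.abspath(path),
        "image_size": st.st_size,
        "image_sha256": file_sha256(path),
    }


def check_denylist(event, denylist):
    """denylist: set of lowercase hex SHA-256 digests. True if the image matches."""
    return event["image_sha256"].lower() in denylist


def demo():
    """Write the sample payload to a temp file, log its execution, check the hash."""
    with tempfile.NamedTemporaryFile("wb", suffix=".bin", delete=False) as f:
        f.write(SAMPLE_PAYLOAD)
        path = f.name
    try:
        event = build_execution_event(path, user="alice", pid=4242, ts=1700000000)
        # Hypothetical denylist containing exactly our sample payload's digest.
        denylist = {sha256_bytes(SAMPLE_PAYLOAD)}
        return event, check_denylist(event, denylist)
    finally:
        os.unlink(path)  # the file is gone, but the event still carries its hash


if __name__ == "__main__":
    ev, hit = demo()
    print(ev)
    print("denylist hit:", hit)
```

The hash must be computed by the logging agent at the moment of the event, not looked up later from disk; once the temp file is unlinked in the demo the only remaining record of what ran is the digest in the event.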

Network-based Artefacts

  • DNS Activity (High Priority)
  • Remote Desktop Protocol (RDP) logs (High Priority)
  • Virtual Private Network (VPN) sessions (High Priority)
  • SSH terminal connections and other remote-access channels, reviewed for inbound connections, unapproved third-party tools, clear-text information and unauthorised lateral movement (High Priority)
  • Proxy logs (High Priority)
  • Firewall / IDS/ IPS logs (High Priority)
  • IDS/IPS trigger packets (Medium Priority)
  • Netflow (High Priority)
  • Email logs (High Priority)
  • Email attachments (Medium Priority)
  • Email headers (Medium Priority)
  • Logs of traffic transferred via Server Message Block (SMB) (High Priority)
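DNS activity is listed first among the network artefacts because query names alone often reveal tunnelling or domain-generation-algorithm (DGA) traffic. As an added example (not code from the Glitchdata page), the script below triages a constructed DNS query log: it flags queries whose subdomain labels are unusually long or high-entropy, or that use tunnel-friendly record types, and counts queries per client and registered domain. The log format, thresholds and sample lines are assumptions made for the example.

```python
"""Triage DNS query logs for signs of tunnelling or DGA activity.

Added example, not part of the original page. Assumes a space-separated
log format (constructed below) of the form:
    <timestamp> <client_ip> <query_name> <query_type>
"""
import math
from collections import Counter, defaultdict

# Constructed sample DNS log lines (not real traffic). Client 10.0.0.7
# issues TXT queries for random-looking subdomains of one domain.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com A
2024-01-01T10:00:02Z 10.0.0.5 mail.example.com A
2024-01-01T10:00:03Z 10.0.0.7 zx9q2kd8v1m4wqpl7r3t.bad-tunnel.net TXT
2024-01-01T10:00:04Z 10.0.0.7 b7f2k9q1z8x3v6n4m2pl.bad-tunnel.net TXT
2024-01-01T10:00:05Z 10.0.0.7 q3w8e1r5t9y2u6i4o7pa.bad-tunnel.net TXT
2024-01-01T10:00:06Z 10.0.0.9 update.example.org A
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the triage
        ts, client, qname, qtype = parts
        events.append({"ts": ts, "client": client,
                       "qname": qname.lower().rstrip("."), "qtype": qtype})
    return events


def registered_domain(qname):
    # Simplification: last two labels. A real deployment would use the
    # Public Suffix List to handle names such as example.co.uk correctly.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_query(ev, entropy_threshold=3.5, label_len_threshold=16):
    """Return the list of reasons a single query looks suspicious (may be empty)."""
    labels = ev["qname"].split(".")
    subdomain_labels = labels[:-2]  # ignore the registered domain itself
    longest = max((len(l) for l in subdomain_labels), default=0)
    entropy = max((shannon_entropy(l) for l in subdomain_labels), default=0.0)
    reasons = []
    if longest >= label_len_threshold:
        reasons.append("long-label")
    if entropy >= entropy_threshold:
        reasons.append("high-entropy")
    if ev["qtype"] in ("TXT", "NULL"):
        reasons.append("tunnel-friendly-qtype")
    return reasons


def triage(text, min_reasons=2):
    """Return (alerts, counts): flagged queries and query volume per (client, domain)."""
    alerts = []
    per_domain = defaultdict(int)
    for ev in parse_dns_log(text):
        per_domain[(ev["client"], registered_domain(ev["qname"]))] += 1
        reasons = score_query(ev)
        if len(reasons) >= min_reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts, dict(per_domain)


if __name__ == "__main__":
    alerts, counts = triage(SAMPLE_DNS_LOG)
    for a in alerts:
        print(a["ts"], a["client"], a["qname"], a["qtype"], ",".join(a["reasons"]))
    for (client, domain), n in sorted(counts.items()):
        print(f"{client} -> {domain}: {n} queries")
```

Requiring at least two independent reasons before alerting keeps a single long but legitimate CDN hostname from paging anyone; the per-(client, domain) counts are what an analyst would then pivot on to see whether the volume to one domain is sustained.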

Incident Response Artefacts

  • Running processes
  • Running services
  • Parent-child process trees
  • Installed applications
  • Authentications
  • Usernames
  • DNS resolver settings and static routes (Priority Low to High)
  • LNK files
  • ShellBags
  • SRUM database
  • Established and closed network connections (High Priority)
  • Scheduled Tasks
  • Artefacts of Execution
  • Anti-Virus detected file
  • Network Share Access
  • Virtual Machine snapshots
  • Memory snapshots
  • Active Directory logs
  • DHCP logs
  • Hypervisor Logs
  • Registry hives, including ntuser.dat and usrclass.dat for each user.