From the Field: Real-World Findings from Security Assessments
🔥 61.9% of infrastructures I've assessed do not configure proper logging in their Windows environments.
That includes Windows desktops, servers, and even domain controllers left with default auditing settings.
The problem?
By default, Windows audits only a handful of subcategories. High-value ones such as Process Creation (event 4688) are off, and even when they are on, the command line is not recorded unless you enable that separately. Without configuring Advanced Audit Policy you are missing critical visibility, and no SIEM can compensate for events that were never written.
And while "just turn on auditing" sounds simple, it's a trap. Log too little and you miss attacks. Log everything and you drown in noise (and in storage and SIEM licensing costs), and the events that matter get buried.
How to start?
Instead of blindly enabling everything, start from your business context:
🔸 What industry are you in?
🔸 Where are you based?
With this, you can map likely threats using the MITRE ATT&CK framework: the Groups pages tell you which threat groups are known to target your region and sector, and which techniques they use. Each technique in turn lists the data sources that detect it (process creation, logon session, registry, scheduled job, and so on), and those data sources tell you which audit subcategories and Sysmon events are worth enabling first. It's not perfect, but it's a smart starting point.
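As an added example (not part of the original post, and not the ThreatLog tool mentioned below), the following PowerShell turns that reasoning into something you can run on a host: it maps a threat profile to the audit subcategories and Sysmon event IDs that produce evidence for those techniques, compares the result with the policy actually in effect (auditpol /get), and can enable what is missing together with the two prerequisites the text above mentions. The technique-to-subcategory map, the sample threat profile, and the function names are assumptions for illustration; the map is deliberately small and you should build your own from the ATT&CK data sources of the groups that matter to you.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Maps a (constructed) threat profile to
# Windows audit subcategories and Sysmon event IDs, then compares that baseline with
# the effective audit policy. The map below is an illustrative assumption, not an
# exhaustive or authoritative mapping; build yours from ATT&CK data sources.

# ATT&CK technique -> auditpol subcategory names and Sysmon event IDs (assumed map)
$TechniqueCoverage = @{
    'T1059'     = @{ Audit = @('Process Creation');                                Sysmon = @(1) }      # 4688 (needs command line enabled, see below)
    'T1078'     = @{ Audit = @('Logon', 'Credential Validation', 'Special Logon');  Sysmon = @() }       # 4624/4625, 4776, 4672
    'T1053.005' = @{ Audit = @('Other Object Access Events');                      Sysmon = @(1) }      # 4698 scheduled task created
    'T1547.001' = @{ Audit = @('Registry');                                        Sysmon = @(12, 13) } # Run keys; 4657 also needs a SACL on the key
    'T1003.001' = @{ Audit = @('Process Creation');                                Sysmon = @(10) }     # LSASS access is Sysmon 10, not a native audit event
    'T1021.002' = @{ Audit = @('File Share', 'Logon');                             Sysmon = @(3) }      # 5140 share access, type 3 logons
    'T1136.001' = @{ Audit = @('User Account Management');                         Sysmon = @() }       # 4720 account created
}

# Constructed threat profile: techniques you expect from the groups that target you
$ThreatProfile = @('T1059', 'T1078', 'T1053.005', 'T1003.001')

function Get-AuditBaseline {
    param([string[]]$Techniques)
    $audit  = [System.Collections.Generic.HashSet[string]]::new()
    $sysmon = [System.Collections.Generic.HashSet[int]]::new()
    foreach ($t in $Techniques) {
        if (-not $TechniqueCoverage.ContainsKey($t)) { Write-Warning "No coverage entry for $t; add one"; continue }
        $TechniqueCoverage[$t].Audit  | ForEach-Object { [void]$audit.Add($_) }
        $TechniqueCoverage[$t].Sysmon | ForEach-Object { [void]$sysmon.Add($_) }
    }
    [pscustomobject]@{ Subcategories = @($audit | Sort-Object); SysmonEventIds = @($sysmon | Sort-Object) }
}

function Get-EffectiveAuditPolicy {
    # auditpol /r emits CSV with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    $policy = @{}
    foreach ($r in $rows) { $policy[$r.Subcategory.Trim()] = $r.'Inclusion Setting'.Trim() }
    $policy
}

function Compare-AuditBaseline {
    param([string[]]$Techniques, [switch]$Apply)
    $baseline = Get-AuditBaseline -Techniques $Techniques
    $current  = Get-EffectiveAuditPolicy
    foreach ($sub in $baseline.Subcategories) {
        $setting = if ($current.ContainsKey($sub)) { $current[$sub] } else { 'unknown' }
        # Strict check: the baseline wants Success and Failure; relax per subcategory if you choose
        $ok = $setting -eq 'Success and Failure'
        [pscustomobject]@{ Subcategory = $sub; Current = $setting; Compliant = $ok }
        if (-not $ok -and $Apply) {
            auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        }
    }
    Write-Host "Sysmon event IDs to keep in your Sysmon config: $($baseline.SysmonEventIds -join ', ')"
}

# Two settings without which the above is of little use: 4688 carries no command line
# unless asked, and legacy category-level policy can silently override subcategories.
function Set-AuditPrerequisites {
    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $auditKey -Force | Out-Null
    Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord
}

# Dry run first: see what is missing before changing anything
Compare-AuditBaseline -Techniques $ThreatProfile | Format-Table -AutoSize
# When satisfied: Compare-AuditBaseline -Techniques $ThreatProfile -Apply; Set-AuditPrerequisites
```

Run the dry run on a representative workstation, server, and domain controller; the gaps are usually different on each. Subcategory names come from auditpol and are localized, so on a non-English OS compare on the GUID column instead. On domain-joined hosts the effective policy comes from Group Policy, which overwrites local auditpol changes at the next refresh, so use the output to build the GPO rather than relying on the -Apply path in production. And resist adding the very noisy subcategories (Filtering Platform Connection, Handle Manipulation, Token Right Adjusted) unless a technique in your profile actually needs them; that is exactly the "log everything" trap.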
🧰 Need help?
I have created several free resources to get you started. You can find the following in my Horizon Secured Academy:
🔸 Advanced Auditing Table
🔸 Sysmon Configuration Guide
🔸 ThreatLog Tool: just input your industry and country, and it builds a tailored baseline (including Sysmon) to get you started with meaningful logs.
https://academy.horizon-secured.com/p/threatlog
