My DFIR happy place is a Windows event log with 4688 events. Third-party IR consulting teaches you to have modest expectations at best.

Mar 28, 2022 · 2:24 AM UTC

Replying to @hal_pomeranz
@hal_pomeranz How often do you see the Event ID configured in enterprise environments? 4688 is great to have on servers with relatively few processes spawned. Also, in your experience, how verbose are the logs?
Rarely-- but that's partially because of my role as a third-party. Sites that are mature enough to have enabled this event also likely have in-house IR capability, so I'll almost never visit them.
Replying to @hal_pomeranz
Sysmon event ID 1 vs 4688 - which one is better?
Hahaha Sysmon. I never get that. I rarely get the 4688s.
Replying to @hal_pomeranz
4688? I’ll have to Bing that :)
Replying to @hal_pomeranz
Preach! 4688's are very towel-like, useful in their own right and provide hope that more help might be forthcoming from friendly people nearby. h/t Douglas Adams
Replying to @hal_pomeranz
With the registry modification to give the full command line 🥲
Replying to @hal_pomeranz
"but we did not enable commandline logging because they may contain passwords" 😆
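The registry switch mentioned above, and the "we never enabled it" situation the last reply jokes about, as an added PowerShell example that is not part of the thread: it turns on Process Creation auditing, sets the documented ProcessCreationIncludeCmdLine_Enabled value so 4688 carries the full command line, checks whether that switch is set, and reads recent 4688 events by EventData field name rather than by positional index. Function names and the $auditKey variable are my own; the registry path, value name and auditpol subcategory are the standard Windows ones, and the script assumes an elevated prompt.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Enable-ProcessCommandLineLogging {
    # 1. Turn on the Process Creation subcategory; success auditing is what emits 4688.
    auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    # 2. Ask Windows to include the command line in the 4688 event data.
    if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
    Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
}

function Test-ProcessCommandLineLogging {
    # $true only when the registry switch is set; otherwise 4688's CommandLine field stays empty.
    $v = Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.ProcessCreationIncludeCmdLine_Enabled -eq 1)
}

function Get-ProcessCreationEvents {
    param([int]$MaxEvents = 50)
    # Pull 4688 events from the Security log and flatten EventData into a hashtable keyed by field name,
    # so the script does not depend on the field order differing between Windows versions.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process     = $data['NewProcessName']
                Parent      = $data['ParentProcessName']   # populated on Windows 10 / Server 2016 and later
                CommandLine = $data['CommandLine']         # empty unless the registry switch above is set
            }
        }
}

if (-not (Test-ProcessCommandLineLogging)) {
    Write-Warning 'CommandLine will be empty on these hosts: run Enable-ProcessCommandLineLogging first.'
}
Get-ProcessCreationEvents -MaxEvents 20 | Format-Table -AutoSize -Wrap
```

Test-ProcessCommandLineLogging is the quick check to run during an engagement to learn whether the logs you are about to collect will contain command lines at all.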