Hal Pomeranz · Mar 28, 2022 · 2:24 AM UTC

Hal Pomeranz · Mar 28, 2022 · 2:24 AM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

28 Mar 2022

My DFIR happy place is a Windows event log with 4688 events. Third-party IR consulting teaches you to have modest expectations at best.

Mar 28, 2022 · 2:24 AM UTC

AGorecki · Mar 28, 2022 · 2:57 PM UTC

AGorecki @ThisIsAGorecki

28 Mar 2022

Replying to @hal_pomeranz

@hal_pomeranz How often do you see the Event ID configured in enterprise environments? 4688 is great to have on servers with relatively few processes spawned. Also, in your experience, how verbose are the logs?

Hal Pomeranz · Mar 29, 2022 · 1:32 PM UTC

Hal Pomeranz @hal_pomeranz

29 Mar 2022

Rarely-- but that's partially because of my role as a third-party. Sites that are mature enough to have enabled this event also likely have in-house IR capability, so I'll almost never visit them.

more replies

Charlie Sidjan · Mar 28, 2022 · 4:37 PM UTC

Charlie Sidjan @charliesidjan

28 Mar 2022

Replying to @hal_pomeranz

sysmon event id 1 vs 4688 - which one is better ?

Hal Pomeranz · Mar 28, 2022 · 4:40 PM UTC

Hal Pomeranz @hal_pomeranz

28 Mar 2022

Hahaha Sysmon. I never get that. I rarely get the 4688s.

Ted Demopoulos · Mar 28, 2022 · 4:37 AM UTC

Ted Demopoulos @teddemop

28 Mar 2022

Replying to @hal_pomeranz

4688? I’ll have to Bing that :)

DFIR Notes · Mar 28, 2022 · 2:18 PM UTC

DFIR Notes @DfirNotes

28 Mar 2022

Replying to @hal_pomeranz

Preach! 4688's are very towel like, useful in their own right and provide hope that more help might be forthcoming from friednly people nearby. h/t Douglas Adams

Robert Knapp · Mar 28, 2022 · 2:32 AM UTC

Robert Knapp @power_napz

28 Mar 2022

Replying to @hal_pomeranz

With the registry modification to give the full command line 🥲

Syber Daily · Mar 28, 2022 · 5:26 PM UTC

Syber Daily @sEye_Cyber

28 Mar 2022

Replying to @hal_pomeranz

"but we did not enable commandline logging because they may contain passwords" 😆