Requires: EventSentry NetFlow license; pfSense 2.4 or later; psexec; KiTTY Portable. Starting with EventSentry v4.0.3, EventSentry can log events when a potentially malicious IP address has been detected via NetFlow. This event can subsequently be used to trigger a process that remotely logs into the pfSense firewall to block the IP addr...
The easiest way to get notified in real time whenever a user is created in Active Directory is by forwarding Microsoft-Windows-Security-Auditing event 4720 (https://system32.eventsentry.com/security/event/4720). This event is logged to the Security event log whenever an Active Directory user is created. More informa...
Recent CVE advisory CVE-2020-0796 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796) describes a remote code execution vulnerability in the way the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, affecting Windows 10 and Windows Server. Microsoft has released a patch for this vulnera...
Utilman.exe is the utility program that is launched when the Ease of Access button on the login screen is clicked. At the time of writing it can still be replaced with cmd.exe, allowing an attacker to simply reset any user password, since the tool is executed with admin rights (Info: https://4sysops.com/archives/resetawindows1...
This guide illustrates how to completely disable WinRM and how to deploy the change over the network using the free tool EventSentry Admin Assistant (https://www.eventsentry.com/adminassistant). Contents: 1. Disabling WinRM; 2. Network deployment using EventSentry Admin Assistant. Disabling WinRM: The Windows Remote Management (WinRM) service is Micro...
EventSentry can detect both successful and unsuccessful ZeroLogon attacks by examining various event patterns on domain computers. To use this package: download the package using the link shown below; open the EventSentry management console; click on Packages; click on Import; select the ZeroLogon package.
Starting with EventSentry v4.2.3, web attacks can be detected with a set of regular expression rules that can be applied to any monitored log file, including IIS log files. New EventSentry installations (not upgrades from pre-4.2.x versions) automatically have these rules activated in all IIS Windows log file packages, except for 2008 users who upgra...
The EventSentry dashboard includes the generic Search tile, which can be used to display data from any page in the web reports (e.g. event log data). The Search tile also offers the ability to extract select data strings from events and display them in custom columns. This method can be applied to any type of event logged to the event log. ...
The Security Foundation dashboard identifies insufficiently configured Windows audit settings across all monitored hosts. Properly configured audit settings are the prerequisite for more advanced security initiatives, and it is recommended that all tiles in the dashboard show OK. Numbers shown in the tiles reflect the number of audit pol...
The Attack Surface dashboard utilizes various validation scripts to ensure the monitored hosts meet basic security and best-practice guidelines. To make it easier to prioritize resolving issues identified by the validation checks, the scripts are grouped into Workstation, Server & Domain Controllers. Numbers shown in the tiles reflect th...
The Critical Changes & Activity dashboard utilizes a variety of EventSentry features to identify & review changes made to the network infrastructure and Active Directory. The ADMonitor-based tiles (indicated with "ADMonitor" in the title) can be removed if ADMonitor is not activated. This dashboard offers the following benefits: Ident...