Detecting Lateral Movement with New Events in the Windows Server 2016 Security Log

Webinar Registration

Preventing attackers from gaining control of network endpoints is difficult and given today's threat landscape, possibly inevitable. Your preventative controls might stop such an event, but defense-in-depth best practices recommends a multi-layered security approach to protect yourself.

The good news is, there are new and improved events in the Windows Server 2016 and Windows 10 Security Log to help you detect attempts during a threat actor's kill chain.

Some of the new events we'll examine include:

  • 4798—A user's local group membership was enumerated
  • 4799—A security-enabled local group membership was enumerated
  • 4627—Group membership information
  • 6416—A new external device was recognized by the system

We'll also look at additional information available in existing events include:

  • 4624's new Linked Logon ID, Elevated Token, Virtual Account, and Restricted Admin Mode fields
  • 4688's new information on Process start events. How to enable it and assessing the risks of enabling the new feature

Beyond new events and even fields, we'll also examine existing Windows and Windows Firewall events that can help you detect attempted lateral movement—regardless of your Windows Firewall Policy.

Seth Goldhammer, from our sponsor LogRhythm, will join the webinar to show you some cool advancements in analytics they have made to help you detect attackers in various stages of the cyber attack lifecycle. Seth will demo how to recognize progression, increasing risk scoring with each progression, and how LogRhythm can infer additional context about a user during analysis. For example, the true identity of the malicious user.

Please join us for this real training for free ™ event!

First Name:   
Last Name:   
Work Email:  
Phone:  
Organization:  
Country:    
State:  
Job Title:
 

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us.

 

 

Additional Resources