What Windows boxes are running end-of-life operating systems?
Partner portal: https://dsap.netwatcher.com/UjocP
Customer portal: https://portal.netwatcher.com/l8BL4
What assets have CCleaner installed?
Partner portal: https://dsap.netwatcher.com/RtM7c
Customer portal: https://portal.netwatcher.com/aAdpO
Windows Authentication Events
Partner portal: https://dsap.netwatcher.com/nwONX
Customer portal: https://portal.netwatcher.com/2BeY8
User account or groups changing (HIDS view)
Windows: Administrators Group Changed
Partner portal: https://dsap.netwatcher.com/NTw15
Customer portal: https://portal.netwatcher.com/54iJC
Windows: Security Enabled Global Group Changed
Partner portal: https://dsap.netwatcher.com/xyJ7W
Customer portal: https://portal.netwatcher.com/b7RjT
Windows: Security Enabled Global Group Member Added
Partner portal: https://dsap.netwatcher.com/4gD6n
Customer portal: https://portal.netwatcher.com/KRxiF
Windows: Security Enabled Global Group Member Removed
Partner portal: https://dsap.netwatcher.com/WRm4e
Customer portal: https://portal.netwatcher.com/hTYT5
Windows: Security Enabled Local Group Changed
Partner portal: https://dsap.netwatcher.com/xyJ7W
Customer portal: https://portal.netwatcher.com/b7RjT
Windows: Security Enabled Local Group Member Added
Partner portal: https://dsap.netwatcher.com/fJ0sl
Customer portal: https://portal.netwatcher.com/Ql3SC
Windows: Security Enabled Local Group Member Removed
Partner portal: https://dsap.netwatcher.com/66R3M
Customer portal: https://portal.netwatcher.com/J0K9n
Windows: User account enabled or created.
Partner portal: https://dsap.netwatcher.com/QriYS
Customer portal: https://portal.netwatcher.com/pwAP2
Windows: User account disabled or deleted.
Partner portal: https://dsap.netwatcher.com/rkGMM
Customer portal: https://portal.netwatcher.com/mHDYh
Windows: User account changed.
Partner portal: https://dsap.netwatcher.com/AUdAC
Customer portal: https://portal.netwatcher.com/lBt4H
Windows: User account locked out (multiple login errors).
Partner portal: https://dsap.netwatcher.com/3ndzM
Customer portal: https://portal.netwatcher.com/JAnCr
Windows: User account unlocked.
Partner portal: https://dsap.netwatcher.com/2UTxZ
Customer portal: https://portal.netwatcher.com/SJM3z
File added to the asset
Partner Portal: https://dsap.netwatcher.com/Usxz8
Customer Portal: https://portal.netwatcher.com/1LlpK
Windows Application Installs
Partner Portal: https://dsap.netwatcher.com/KK4fM
Customer portal: https://portal.netwatcher.com/l5agP
Registry entry added to the system
Partner Portal: https://dsap.netwatcher.com/dIWfZ
Customer Portal: https://portal.netwatcher.com/XCB0X
This lets you know what assets had their registry updated.
Checking on any NIDS “current events”
Partner Portal: https://dsap.netwatcher.com/NTzpd
Customer Portal: https://portal.netwatcher.com/86mBn
Current Events – Category for active and short-lived campaigns. This category covers exploit kits and malware that will be aged and removed quickly due to the short-lived nature of the threat, along with high-profile items that we don't expect to be there long, such as fraud campaigns related to disasters. These are rules that we don't intend to keep in the ruleset for long, or that need to be tested before they are considered for inclusion. Most often these will be simple sigs for the Storm binary URL of the day, sigs to catch CLSIDs of newly found vulnerable apps where we don't have any detail on the exploit, etc.
Look for any malware/trojan/exploit NIDS traffic
Partner Portal: https://dsap.netwatcher.com/hT0zw
Customer portal: https://portal.netwatcher.com/RZGPr
Look for Windows Audit Events
Partner portal: https://dsap.netwatcher.com/dx2qK
Customer portal: https://portal.netwatcher.com/0XjfA
Look for any executable that has been downloaded from outside the USA
Partner portal: https://dsap.netwatcher.com/D2LgW
Customer portal: https://portal.netwatcher.com/IQD2q
Look for assets communicating with known bad IP addresses
Partner portal: https://dsap.netwatcher.com/Ql4bG
Customer portal: https://portal.netwatcher.com/rCRLU