Update README.md

2017-08-30 15:10:36 -04:00
parent 49836207d1
commit 28e9686a23
1 changed files with 28 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -55,3 +55,31 @@ or:

 `.\DeepBlue.ps1 -file .\evtx\new-user-security.evtx`

+## Logging setup
+
+### Security event 4688 (Command line auditing):
+
+Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375 
+
+### PowerShell auditing (PowerShell 5.0):
+
+DeepBlueCLI uses module logging (PowerShell event 4013) and script block logging (4104). It does not use transcription.
+
+See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
+
+To get the PowerShell commandline (and not just script block), add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1
+```
+$LogCommandHealthEvent = $true
+$LogCommandLifecycleEvent = $true
+```
+See the following for more information:
+ - https://logrhythm.com/blog/powershell-command-line-logging/
+ - http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html
+
+Thank you: @heinzarelli and @HackerHurricane
+
+### Sysmon
+
+Install Sysmon from Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
+
+Log SHA1 hashes. Others are fine; DeepBlueCLI will use SHA1.