Windows Auditing

Advanced Windows Auditing with Sysmon

The Need for Windows Auditing

Auditing Windows system events is critical to any organization’s governance, risk and compliance objectives. In order to conduct efficient forensic investigations and ensure accountability, the proper security policies and controls have to be in place.

Compliance: Internal and external auditing requirements typically expect some level of minimum log collection.

Security: Security incident detection is enabled by the deeper context that audit logs provide.

Forensics: Forensic investigations rely heavily on detailed and accurate audit logging.

Operations: Troubleshooting and identifying misconfigurations is sometimes only possible with advanced auditing.

Windows Audit Policies

Local Audit Policy

Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events

Advanced Audit Policy

Account Logon
Account Management
Detailed Tracking
Domain Service Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System

Group Policy

Event Log Size/Retention
Password Policy
Account Lockout Policy
PowerShell Audit Settings

Microsoft Security Compliance Toolkit

The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.

Policy Reporting: Export results as a CSV or Excel Spreadsheet

Policy Auditing: Highlight the differences between local policies and security baselines

Windows Event Viewer

Event logs are records of significant events on behalf of the system and applications running on the system. Because the logging functions are general purpose, you must decide what information is appropriate to log.

Important Sysmon Capabilities

Process Monitoring: Detect and log process creation and termination as well as inter-process communication.

File Creation Monitoring: Keep a record of modifications to critical files identified within your Sysmon configuration.

Network Connection Monitoring: Log all network connections with the option of specifying whitelisted destinations within your configuration.

Registry Monitoring: Watch for registry modifications from suspicious or unusual services.

DLL Monitoring: Monitor for DLL loading from suspicious or unusual processes.

DNS Monitoring: Record all DNS requests, but exercise caution. This capability is extremely noisy and generates a high volume of logs.

The Need for Sysmon. Everything you didn’t know, all in one place.

Windows audit logging is great for compliance purposes, not for building security detections. Sysmon is a Windows system service and device driver that provides detailed information about process creation, network connections and changes to file creation time. Collecting these events and analyzing them lets you identify malicious or anomalous activity, which in turn shows you how intruders and malware operate on your network.
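A Sysmon configuration fragment, added here as an illustration rather than taken from the page or from the Sysmon project, showing how the capabilities listed above are switched on and tuned: process creation logged for everything, network connections with a narrow exclusion for one approved destination, file and registry events limited to persistence locations, and DNS queries with the noisiest internal names excluded. Every path, IP address and domain below is a constructed placeholder.

```xml
<Sysmon schemaversion="4.50">
  <!-- Hash recorded for Event ID 1 (process create) and 7 (image load) -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: log every process creation; "exclude" with no matches keeps all -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <!-- constructed example of a known-noisy updater that adds nothing to detections -->
        <Image condition="is">C:\Program Files\ExampleVendor\updater.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3: log all network connections except an approved destination.
         Keep exclusions this narrow: excluding whole internal ranges would hide
         lateral movement, which is exactly what this event is best at showing. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">10.0.0.25</DestinationIp>   <!-- constructed: web proxy -->
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 7: only image loads that are not signed, from any process -->
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="include">
        <Signed condition="is">false</Signed>
      </ImageLoad>
    </RuleGroup>
    <!-- Event ID 11: file creation only in locations used for persistence -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
        <TargetFilename condition="begin with">C:\Windows\System32\drivers\</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <!-- Event ID 12/13/14: Run and RunOnce keys under any hive -->
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
    <!-- Event ID 22: DNS is noisy, so drop the highest-volume, lowest-value names -->
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.corp.example</QueryName>   <!-- constructed internal zone -->
        <QueryName condition="end with">.windowsupdate.com</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply it with `sysmon64 -accepteula -i config.xml` on first install or `sysmon64 -c config.xml` to update, then confirm the filters took effect by checking the Microsoft-Windows-Sysmon/Operational log in Event Viewer for the expected event IDs.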

Execution

Module Loading
Powershell Execution
Scripting
Service Execution
User Execution
Windows Remote Management

Persistence

Application Shimming
BITS Jobs
DLL Search Order Hijacking
Local Job Scheduling
Logon Scripts
Scheduled Tasks

Exfiltration

Data Compression
Data Encryption
Exfiltration Over Alt Protocol
Exfiltration Over CNC
Remote Access Tools
Remote File Copy
Scheduled Transfer

See What We’re About

At MegaplanIT, our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cybersecurity threats. We build long-term relationships with our customers and provide holistic services to meet all your security and compliance needs.
