MegaplanIT

Full Spectrum Solutions

We specialize in over 48 technically advanced cybersecurity and compliance services designed to protect cardholder and other sensitive data and secure in-scope networks, systems, and website applications.

Managed Security Solutions >

Compliance Assessments >

Security Testing >

Consulting Services >

Customer Reviews

Who We Are

Managed Security Solutions >

Powerful, optimized SIEM running 24/7/365.

Real-time active threat intelligence. Rapidly find and contain intrusions.

Track & Respond To Suspicious Activity In Your Network Traffic

Empower your incident response and security operations functions with real-time active threat intelligence.

Why Choose Us?

Our expert security consultants and QSAs are fully certified across multiple disciplines and have decades of experience helping businesses stay protected against an ever-evolving cyber threat landscape. We build long-term relationships with our clients and provide a holistic service offering to meet all their security and compliance needs while outlining a path to continued improvement within their internal security program(s).

MegaplanIT Blog

Advanced Windows Auditing with Sysmon

If you don’t log it then it never happened.

The Need for Windows Auditing

Auditing Windows system events is critical to any organization’s governance, risk and compliance objectives. In order to conduct efficient forensic investigations and ensure accountability, the proper security policies and controls have to be in place.

Compliance: Internal and external auditing requirements typically expect some level of minimum log collection.

Security: Security incident detections are enabled by the deeper context that audit logs provide.

Forensics: Forensic investigations rely heavily on detailed and accurate audit logging.

Operations: Troubleshooting and identifying misconfigurations is sometimes only possible with advanced auditing.

Windows Audit Policies

Local Audit Policy

  • Audit logon events
  • Audit object access
  • Audit policy change
  • Audit privilege use
  • Audit process tracking
  • Audit system events

Advanced Audit Policy

  • Account Logon
  • Account Management
  • Detailed Tracking
  • Domain Service Access
  • Logon/Logoff
  • Object Access
  • Policy Change
  • Privilege Use
  • System

Group Policy

  • Event Log Size/Retention
  • Password Policy
  • Account Lockout Policy
  • PowerShell Audit Settings
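
The Advanced Audit Policy subcategories and the Group Policy settings listed above can be applied and verified from PowerShell. The script below is an added example, not code from the original post or from MegaplanIT. It assumes an elevated prompt on a standalone test host (in a domain the same settings belong in a GPO, since policy refresh overrides local auditpol changes), treats the 1 GiB log size as an illustrative value, and otherwise uses only the real auditpol, wevtutil and policy registry locations.

```powershell
# Added example (not from the original post): enable the Advanced Audit Policy
# subcategories behind the categories listed above, force them to take precedence
# over the legacy Local Audit Policy, turn on command-line and PowerShell auditing,
# grow the Security log, and read the audit policy back. Run elevated on a test host.

function Set-PolicyDword {
    # Creates the key if needed and writes (or overwrites) a REG_DWORD value.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Subcategories to enable, with their Advanced Audit Policy category and the main
# Security-log event IDs they produce.
$subcategories = @(
    'Logon',                          # Logon/Logoff: 4624, 4625
    'Account Lockout',                # Logon/Logoff: 4625 for already locked-out accounts
    'User Account Management',        # Account Management: 4740
    'Security Group Management',      # Account Management: 4728, 4732, 4756
    'Distribution Group Management',  # Account Management: 4746, 4751, 4761
    'Process Creation',               # Detailed Tracking: 4688
    'Audit Policy Change',            # Policy Change: 4719
    'Sensitive Privilege Use',        # Privilege Use: 4673, 4674
    'Security State Change'           # System: 4608, 4616
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Make the subcategory (advanced) policy win over the nine legacy Local Audit Policy
# settings; otherwise a legacy setting can silently overwrite the subcategories.
Set-PolicyDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'SCENoApplyLegacyAuditPolicy' 1

# 4688 (process creation) is of little use without the command line; this adds it.
Set-PolicyDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    'ProcessCreationIncludeCmdLine_Enabled' 1

# PowerShell audit settings from the Group Policy list: script block logging (event
# 4104 in Microsoft-Windows-PowerShell/Operational) and module logging for all modules.
Set-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
    'EnableScriptBlockLogging' 1
Set-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' `
    'EnableModuleLogging' 1
$moduleNames = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Event log size/retention: a 1 GiB Security log (assumed value; size it for the
# host's event rate and the retention period your compliance requirements demand).
wevtutil sl Security /ms:1073741824

function Get-AuditSubcategoryState {
    # auditpol /r emits CSV; the 'Inclusion Setting' column reads e.g. 'Success and Failure'.
    param([string]$Subcategory)
    $row = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

# Read back what was applied; any row not reporting 'Success and Failure' means a
# GPO or a legacy setting is still overriding the local change.
foreach ($sub in $subcategories) {
    '{0,-32} {1}' -f $sub, (Get-AuditSubcategoryState $sub)
}
```

Event 1102 (Security log cleared) is not controlled by any subcategory and is always written, which is why it does not appear in the list. Running the read-back loop on its own is also a quick way to compare a host against the audit baseline before an assessment.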

Microsoft Security Compliance Toolkit

The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.

Policy Reporting: Export results as a CSV or Excel Spreadsheet

Policy Auditing: Highlight the differences between local policies and security baselines

Windows Event Viewer

Event logs are records of significant events, written on behalf of the system and of the applications running on it. Because the logging functions are general purpose, you must decide what information is appropriate to log.

Important Sysmon Capabilities

Process Monitoring: Detect and log process creation and termination as well as inter-process communication.

File Creation Monitoring: Keep a record of modifications to critical files identified within your Sysmon configuration.

Network Connection Monitoring: Log all network connections with the option of specifying whitelisted destinations within your configuration.

Registry Monitoring: Watch for registry modifications from suspicious or unusual services.

DLL Monitoring: Monitor for DLL loading from suspicious or unusual processes.

DNS Monitoring: Record all DNS requests, but exercise caution. This capability is extremely noisy and generates a high volume of logs.

The Need for Sysmon. Everything you didn’t know, all in one place.

Windows audit logging is great for compliance purposes, but not for building security detections. Sysmon is a Windows system service and device driver that provides detailed information about process creation, network connections and changes to file creation time. Collecting these events and analyzing them downstream (in a SIEM or through Windows Event Collection) lets you identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Execution

  • Module Loading
  • PowerShell Execution
  • Scripting
  • Service Execution
  • User Execution
  • Windows Remote Management

Persistence

  • Application Shimming
  • BITS Jobs
  • DLL Search Order Hijacking
  • Local Job Scheduling
  • Logon Scripts
  • Scheduled Tasks

Exfiltration

  • Data Compression
  • Data Encryption
  • Exfiltration Over Alt Protocol
  • Exfiltration Over CNC
  • Remote Access Tools
  • Remote File Copy
  • Scheduled Transfer
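
The capabilities listed under Important Sysmon Capabilities, and the execution, persistence and exfiltration techniques listed above, map directly onto a Sysmon configuration: process creation captures the command lines of schtasks.exe, bitsadmin.exe, sdbinst.exe and archivers; registry and file rules cover the persistence locations; network and DNS rules cover exfiltration paths. The script below is an added example, not a configuration from the original post or from MegaplanIT. The 10.0.0.x whitelist, the .corp.example suffix, the excluded images, the config path and the Sysinternals binary location are assumed values to replace with your own.

```powershell
# Added example (not from the original post): a minimal Sysmon configuration that
# exercises each capability from the list above, written to disk and installed
# (or updated in place) with sysmon64.exe from Sysinternals. Run elevated.

$config = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event 1: log every process creation except one known-noisy image. The
           command lines behind scheduled tasks, BITS jobs, shimming (sdbinst.exe)
           and data compression all land here for the SIEM to evaluate. -->
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>

      <!-- Event 2: file creation time changed (timestomping) under the OS tree. -->
      <FileCreateTime onmatch="include">
        <TargetFilename condition="begin with">C:\Windows\</TargetFilename>
      </FileCreateTime>

      <!-- Event 11: files dropped into persistence-prone locations (logon/startup
           folder, scheduled task definitions). -->
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
        <TargetFilename condition="begin with">C:\Windows\Tasks\</TargetFilename>
        <TargetFilename condition="begin with">C:\Windows\System32\Tasks\</TargetFilename>
      </FileCreate>

      <!-- Event 3: every outbound connection except whitelisted destinations
           (assumed internal range and internal DNS suffix). -->
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="begin with">10.0.0.</DestinationIp>
        <DestinationHostname condition="end with">.corp.example</DestinationHostname>
      </NetworkConnect>

      <!-- Event 7: the PowerShell engine loaded by something other than powershell.exe
           (PowerShell execution without the PowerShell host). -->
      <ImageLoad onmatch="include">
        <Rule groupRelation="and">
          <ImageLoaded condition="end with">System.Management.Automation.dll</ImageLoaded>
          <Image condition="excludes">powershell.exe</Image>
        </Rule>
      </ImageLoad>

      <!-- Events 12-14: writes to Run/RunOnce keys, Image File Execution Options
           and the application-shim registration keys. -->
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
        <TargetObject condition="contains">\Image File Execution Options\</TargetObject>
        <TargetObject condition="contains">\AppCompatFlags\Custom</TargetObject>
      </RegistryEvent>

      <!-- Event 22: DNS queries are noisy, so drop the two highest-volume clients
           (assumed for this host) and keep everything else. -->
      <DnsQuery onmatch="exclude">
        <Image condition="end with">\msedge.exe</Image>
        <Image condition="end with">\svchost.exe</Image>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$configPath = Join-Path $env:ProgramData 'sysmon-config.xml'   # assumed location
Set-Content -Path $configPath -Value $config -Encoding UTF8

function Install-Sysmon {
    # -i installs the driver and service with the config; -c reloads the config on
    # an existing install without reinstalling.
    param([string]$ConfigPath, [string]$SysmonExe = '.\sysmon64.exe')
    if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
        & $SysmonExe -c $ConfigPath
    } else {
        & $SysmonExe -accepteula -i $ConfigPath
    }
}
Install-Sysmon -ConfigPath $configPath

# Sysmon writes to its own channel; confirm events are arriving and which rule fired
# (RuleName is the first EventData field on every Sysmon event).
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, @{ n = 'Rule'; e = { $_.Properties[0].Value } }
```

The exclusion lists are where the tuning happens: start with none, measure the event volume per event type for a day, and add exclusions only for images or destinations you can name, so that a whitelisted destination never silently becomes a blind spot for exfiltration over an alternate protocol.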

Important Windows Event IDs

Successful Logon – 4624:  This event generates when a logon session is created. It generates on the computer that was accessed, where the session was created.

Logon Failure – 4625: This event generates if an account logon attempt failed when the account was already locked out.

User Account Lockout – 4740: The indicated user account was locked out after repeated login failures due to a bad password.

User Added to Privileged Group – 4728, 4732, 4756: Used for monitoring which users have been added to security-enabled groups.

User Added to a Group – 4761, 4746, 4751: Used for monitoring which users have been added to security disabled groups.

Security Log Cleared – 1102: This event generates every time a Windows Security audit log was cleared.
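
The event IDs above can be pulled from the Security log and turned into a short triage report from PowerShell. The script below is an added example, not code from the original post or from MegaplanIT. It assumes an elevated prompt (reading the Security log requires administrator rights or Event Log Readers membership), treats the failed-logon threshold of 10 as an assumed tuning value, and relies only on documented Get-WinEvent behaviour and the documented field names of these events.

```powershell
# Added example (not from the original post): collect the listed event IDs from the
# Security log and raise findings for a cleared log, failed-logon bursts, lockouts,
# privileged-group changes and remote interactive logons. Run elevated.

function Get-EventField {
    # Reads one named value from an event's EventData. Event 1102 keeps its fields
    # under UserData/LogFileCleared instead, so it is handled separately below.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-ImportantSecurityEvents {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # The IDs from the list above. Get-WinEvent errors when nothing matches, hence
    # SilentlyContinue so an empty window yields nothing rather than a failure.
    $ids = 4624, 4625, 4740, 4728, 4732, 4756, 4746, 4751, 4761, 1102
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = $Since
    }
}

function Find-SecurityLogFindings {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord[]]$Events,
        [int]$FailedLogonThreshold = 10   # assumed tuning value; adjust per environment
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1102: the Security log was cleared. The actor sits under UserData, not EventData.
    foreach ($e in $Events | Where-Object Id -eq 1102) {
        $xml = [xml]$e.ToXml()
        $findings.Add([pscustomobject]@{
            Time = $e.TimeCreated; Id = 1102; Severity = 'High'
            Detail = "Security log cleared by $($xml.Event.UserData.LogFileCleared.SubjectUserName)"
        })
    }

    # 4625 bursts: many failures against one account inside the collection window.
    $Events | Where-Object Id -eq 4625 |
        Group-Object { Get-EventField $_ 'TargetUserName' } |
        Where-Object Count -ge $FailedLogonThreshold |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Time = ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated; Id = 4625; Severity = 'Medium'
                Detail = "$($_.Count) failed logons for account '$($_.Name)'"
            })
        }

    # 4740: the lockout that follows such a burst. TargetDomainName here is the
    # caller computer the bad passwords came from.
    foreach ($e in $Events | Where-Object Id -eq 4740) {
        $findings.Add([pscustomobject]@{
            Time = $e.TimeCreated; Id = 4740; Severity = 'Medium'
            Detail = "Account '$(Get-EventField $e 'TargetUserName')' locked out; caller computer $(Get-EventField $e 'TargetDomainName')"
        })
    }

    # 4728/4732/4756 (security-enabled groups) rate higher than 4746/4751/4761
    # (security-disabled, i.e. distribution groups). TargetUserName is the group.
    foreach ($e in $Events | Where-Object { $_.Id -in 4728, 4732, 4756, 4746, 4751, 4761 }) {
        $sev = if ($e.Id -in 4728, 4732, 4756) { 'Medium' } else { 'Low' }
        $findings.Add([pscustomobject]@{
            Time = $e.TimeCreated; Id = $e.Id; Severity = $sev
            Detail = "$(Get-EventField $e 'MemberName') added to group '$(Get-EventField $e 'TargetUserName')' by $(Get-EventField $e 'SubjectUserName')"
        })
    }

    # 4624 with LogonType 10 (RemoteInteractive): successful remote desktop sessions,
    # listed as context for the findings above.
    foreach ($e in $Events | Where-Object { $_.Id -eq 4624 -and (Get-EventField $_ 'LogonType') -eq '10' }) {
        $findings.Add([pscustomobject]@{
            Time = $e.TimeCreated; Id = 4624; Severity = 'Info'
            Detail = "Remote interactive logon for '$(Get-EventField $e 'TargetUserName')' from $(Get-EventField $e 'IpAddress')"
        })
    }
    return $findings | Sort-Object Time
}

# Usage: last 24 hours on the local machine, shown as a table.
Find-SecurityLogFindings -Events (Get-ImportantSecurityEvents) | Format-Table -AutoSize
```

Because 4624 and 4625 are written on the computer that was accessed while 4740 and the group-membership events are written on the domain controller, a complete picture needs the script (or the equivalent SIEM query) run against both the member servers and the domain controllers, with the collection window aligned to the account lockout policy's observation window.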