A port scan that is initiated from a monitored host can be detected by monitoring Windows Filtering Platform event ID 5156 (https://system32.eventsentry.com/security/event/5156) and applying a threshold filter. Sysmon cannot be used to detect port scans since it only logs successfully established connections. 1. Enable auditing to ensure that ...

KB-ID 508
Category: Configuration
Applies to: and later

Requires: EventSentry NetFlow license, pfSense 2.4 or later, psexec, kittyportable. Starting with EventSentry v4.0.3, EventSentry can log events when a potentially malicious IP address has been detected via NetFlow. This event can subsequently be used to trigger a process that remotely logs into the pfSense firewall to block the IP addr...

KB-ID 402
Category: Network Services
Applies to: 4.0.3

The easiest way to get notified in real time whenever a user is created in Active Directory is by forwarding Microsoft-Windows-Security-Auditing event 4720 (https://system32.eventsentry.com/security/event/4720). This event is logged to the Security event log whenever an Active Directory user is created. More informa...

KB-ID 403
Category: Security

Recent CVE advisory CVE-2020-0796 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796) explains a remote code execution vulnerability that exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests that affect Windows 10 and Windows Server. Microsoft has released a patch for this vulnera...

KB-ID 415
Category: Security

Utilman.exe is the utility program that is launched when the Ease of Access button on the login screen is clicked. At the time of writing, it is still vulnerable to being replaced by cmd.exe, allowing an attacker to simply reset any user password, since the tool is executed with admin rights. Info: https://4sysops.com/archives/resetawindows1...

KB-ID 433
Category: Security
Applies to: 3.5 and later

This guide illustrates how to completely disable WinRM and how to deploy it over the network using the free tool EventSentry Admin Assistant (https://www.eventsentry.com/adminassistant). 1. Disabling WinRM 2. Network deployment using EventSentry Admin Assistant. Disabling WinRM: The Windows Remote Management (WinRM) service is Micro...

KB-ID 436
Category: Security
Applies to: Admin Assistant

EventSentry can detect both successful and unsuccessful ZeroLogon attacks by examining various event patterns on domain computers. To use this package: download the package using the link shown below; open the EventSentry management console; click on Packages; click on Import; select the ZeroLogon package resource 15

KB-ID 440
Category: Security
Applies to: 4.2.3

Starting with EventSentry v4.2.3, web attacks can be detected with a set of regular expression rules that can be applied to any monitored log file, including IIS log files. New EventSentry installations (not pre-4.2.x upgrades) automatically have these rules activated in all IIS Windows log file packages except for 2008 users who upgra...

KB-ID 443
Category: Security
Applies to: 4.2.3

The EventSentry dashboard includes the generic Search tile, which can be used to display data from any page in the web reports (e.g. event log data). The Search tile also offers the ability to extract select data strings from events and display them in custom columns. This method can be applied to any type of event logged to the event log. ...

KB-ID 464
Category: Web Reports
Applies to: 4.2 and later