Chapter 14

Other Audit Events

In Chapter 13, “Logon and Account Logon Events,” we examined the way in which Windows logs the activities associated with account authentication and access to system resources. This chapter will look at various audit events that might be of investigative interest to you. Windows records a wide assortment of activities throughout the network, and by pulling all of these events together, you will be able to paint a fairly complete picture. We’ll do this in an order that represents how a system compromise might actually take place. The sequence will reach an end when our attacker is able to access a repository of company secrets.

In this chapter, you will learn to

  • Detect changes to groups, accounts, and policies in ...

Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with the O’Reilly learning platform.
