New AV Cheat Sheet from Florian Roth

I am always looking for sources of information that help improve logging and provide the data needed to create queries and alerts in security tools such as an EDR or a SIEM/log management solution.

I came across this post from Florian Roth, who has created an “Antivirus Event Analysis Cheat Sheet” that lists the attributes of the various types of AV events and their relevancy. You can find the PDF here:

Resources like this are a good place to check whether your security tooling can detect this kind of activity, and whether an alert or query can be created to see if ‘bad fu’ is happening in your environment.

You can use this data to create lookup lists of execution locations for a SIEM, or add the folders to the auditing rules from the “Windows File/Folder Auditing Cheat Sheet” to watch for the creation and/or deletion of files in the folders you want to monitor.

Happy Hunting!