In looking into compromised systems, often what is needed by incident responders and investigators is not enabled or configured when it comes to logging. To help get system logs properly Enabled and Configured, below are some cheat sheets to help you do logging well and collect the needed data we all need is there when we look.
Cheat Sheets to help you in configuring your systems:
The Windows Logging Cheat Sheet Updated Feb 2019
The Windows Advanced Logging Cheat Sheet Updated Feb 2019
The Crowdstrike Logscale Windows Logging Cheat Sheet Updated Feb 2024
The Splunk Windows Logging Cheat Sheet Updated Sept 2019
The Windows File Auditing Logging Cheat Sheet Updated Nov 2017
The Windows Registry Auditing Logging Cheat Sheet Updated Aug 2019
The Windows PowerShell Logging Cheat Sheet Updated Sept 2018
The Windows Sysmon Logging Cheat Sheet Updated Jan 2020
MITRE ATT&CK Cheat Sheets
The Windows ATT&CK Logging Cheat Sheet Released Sept 2018
The Windows LOG-MD ATT&CK Cheat Sheet Released Sept 2018
The MITRE ATT&CK Logging Cheat Sheets are available in Excel spreadsheet form on the following Github:
Some Additional Cheat Sheets
These are some additional cheat sheets that can help in your IR and security needs.
Some Living Off the Land (LOL) Lists
Update Log:
Crowdstrike Logscale Windows Logging Cheat Sheet Released
Feb 2024
Humio Cheat Sheet Retired
Feb 2024
SysmonLCS: Jan 2020 ver 1.1
Fixed GB to Kb on log size
WSplunkLCS: Sept 2019 ver 2.22
Minor code tweaks, conversion
WSysmonLCS: Aug 2019 ver 1.0
Initial release
WRACS: Aug 2019 ver 2.5
Added a few more items
WSLCS: Feb 2019 ver 2.21
Fixed shifted box, cleanup only
WLCS: Feb 2018 ver 2.3
Added a couple items from Advanced
Adjust a couple settings
General Clean up
Referenced the Windows Advanced Logging Cheat Sheet
WALCS: Feb 2019 ver 1.2
Updated and added several items
WHLCS: June 2018 ver 1.0
Initial release
WFACS: Oct 2016 ver 1.2
Added a few new locations
WRACS: oct 2016 ver 1.2
Added many autorun keys
Sorted the keys better
WSLCS: Mar 2018 ver 2.1.1
Fixed shifted box, cleanup only
WLCS: Jan 2016 ver 2.0
Added Event code 4720 - New user account created
Changed references to File and Registry auditing to point to the new File and Registry auditing Cheat Sheets
Expanded info on Command Line Logging
WRACS: Jan 2016 ver 1.1
Sort HKLM Keys
Added keys to monitor PowerShell and Command Line log settings
Updated HKCU and USERs\.DEFAULT info
Added info about HKCU unable to be set in Security Templates
Added PowerShell script to set HKCU Registry Auditing