event logs Archives

Winsage

December 10, 2025

Beyond RC4 for Windows authentication

Two new PowerShell scripts from the Microsoft Kerberos-Crypto GitHub repository have been introduced to enhance cybersecurity by streamlining the monitoring of Security Event logs on domain controllers. 1. List-AccountKeys.ps1: This script queries the Security Event Log for the Keys field, enumerating the keys associated with accounts in the event logs. It provides details such as the timestamp, account name, account type, and specific account keys. For example, it can show that accounts have access to keys like RC4, AES128-SHA96, AES256-SHA96, and AES128-SHA256. 2. Get-KerbEncryptionUsage.ps1: This script allows users to query events to determine which encryption types Kerberos utilized, revealing requests that employed AES256-SHA96. It also offers filtering options for specific encryption algorithms, such as RC4. Organizations can further enhance their security by using SIEM solutions like Microsoft Sentinel or built-in Windows event forwarding to query these logs.

Winsage

November 19, 2025

Sysmon – Go-to Tool for IT Admins, Security Pros, and Threat Hunters Coming to Windows

Microsoft will integrate native System Monitor (Sysmon) functionality into Windows 11 and Windows Server 2025, enhancing security operations for IT teams. This integration will provide instant threat visibility, automate compliance through Windows Update, and include features such as process monitoring, network connection tracking, credential access detection, file system monitoring, process tampering detection, WMI persistence tracking, and custom configuration support. It will also offer official customer service support and allow seamless access to events through Windows Event Logs or Security Information and Event Management (SIEM) systems. Administrators can enable Sysmon using the command "sysmon -i." Future plans include expanding Sysmon’s capabilities with enterprise-scale management and AI-powered detection.

Winsage

November 19, 2025

Microsoft Integrates System Monitor (Sysmon) into Windows 11

Microsoft will integrate its forensic tool, System Monitor (Sysmon), into the Windows kernel with the upcoming releases of Windows 11 and Server 2025. This integration will transform Sysmon from a standalone utility into a native “Optional Feature” that will be serviced automatically through Windows Update. Administrators will no longer need to manually distribute Sysmon; instead, it can be activated through the “Turn Windows features on or off” dialog or command-line instructions. The integration will ensure that updates flow through the standard Windows Update pipeline, providing official support and Service Level Agreements (SLAs) for Sysmon. Microsoft plans to utilize local computing capabilities for AI inferencing to enhance security measures, focusing on detecting credential theft and lateral movement patterns. Sysmon will maintain backward compatibility with existing workflows, allowing the use of custom configuration files and adhering to the XML schema while continuing to log events to the Windows event log. Community-driven configuration repositories will remain operational, preserving established community knowledge.

Winsage

November 18, 2025

Microsoft is bringing native Sysmon support to Windows 11, Server 2025

Microsoft is integrating Sysmon into Windows 11 and Windows Server 2025, eliminating the need for separate deployments of Sysinternals tools. This integration will allow users to utilize custom configuration files for filtering captured events, which will be logged in the Windows event log. Sysmon is a free tool that monitors and blocks suspicious activities while logging events such as process creation, DNS queries, and executable file creation. It will be easily installable via the "Optional features" settings in Windows 11, with updates delivered through Windows Update. Sysmon will retain its standard features, including support for custom configuration files and advanced event filtering. Key events logged by Sysmon include process creation, network connections, process access, file creation, process tampering, and WMI events. Comprehensive documentation and new enterprise management features will be released next year.

Winsage

November 18, 2025

Microsoft to integrate Sysmon directly into Windows 11, Server 2025

Microsoft will integrate Sysmon into Windows 11 and Windows Server 2025, eliminating the need for standalone deployment. Sysmon will allow users to utilize custom configuration files for event filtering, logging events in the Windows event log. It tracks events such as process creation, DNS queries, executable file creation, changes to the clipboard, and auto-backup of deleted files. Users can access Sysmon through "Optional features" in Windows 11 and receive updates via Windows Update. Key events logged by Sysmon include process creation, network connections, process access, file creation, process tampering, and WMI events. Comprehensive documentation and new enterprise management features will be released next year.

Tech Optimizer

November 18, 2025

SilentButDeadly: New Tool Blocks Network Traffic to Bypass EDR and Antivirus

A newly released open-source tool called SilentButDeadly, developed by Ryan Framiñán and launched on November 2, 2025, can disable Endpoint Detection and Response (EDR) systems and antivirus software without terminating processes. It exploits the Windows Filtering Platform to sever cloud connectivity for security products, leaving systems vulnerable to attacks. SilentButDeadly operates through a seven-phase execution sequence, starting with verifying administrator privileges, then scanning for active EDR processes like SentinelOne and Windows Defender. It establishes network filters that block communications for these security applications, preventing them from receiving updates or transmitting telemetry data. The tool also attempts to disable EDR services by changing their startup types. SilentButDeadly features dynamic, self-cleaning filters and builds on techniques from EDRSilencer, introducing enhanced operational safety. Organizations using cloud-based threat detection face risks when their security solutions lose connectivity. Security teams are advised to monitor Windows event logs for specific filter creation events and implement real-time monitoring and redundant communication channels for EDR telemetry.

Tech Optimizer

November 17, 2025

Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT

The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, has been observed using a multi-stage loader called RONINGLOADER to deploy a modified variant of the remote access trojan Gh0st RAT, primarily targeting Chinese-speaking users. The campaign employs trojanized NSIS installers disguised as legitimate applications, such as Google Chrome and Microsoft Teams. The infection chain utilizes various evasion techniques, including a legitimately signed driver, custom Windows Defender Application Control policies, and manipulation of the Microsoft Defender binary. RONINGLOADER's attack chain involves delivering a DLL and an encrypted file labeled "tp.png," which contains shellcode. It attempts to neutralize security products by terminating processes associated with popular antivirus solutions in the region. Specific actions are taken against Qihoo 360 Total Security, including blocking network communication, injecting shellcode into the Volume Shadow Copy service, and restoring firewall settings. For other security processes, RONINGLOADER directly writes a driver to disk to perform process termination. The malware aims to inject a rogue DLL into "regsvr32.exe" to conceal its activities and launch a next-stage payload into high-privilege system processes. The final payload is a modified version of Gh0st RAT, capable of communicating with a remote server, configuring Windows Registry keys, clearing Windows Event logs, and capturing keystrokes and clipboard contents. Additionally, two interconnected malware campaigns identified by Palo Alto Networks Unit 42 employed brand impersonation to deliver Gh0st RAT to Chinese-speaking users. The first campaign, Campaign Trio, occurred between February and March 2025, while the second, Campaign Chorus, detected in May 2025, impersonated over 40 applications. Both campaigns utilized complex infection chains and trojanized installers hosted on domains that circumvented network filters. The second campaign also involved an embedded Visual Basic Script for launching the final payload through DLL side-loading.

Tech Optimizer

November 17, 2025

SilentButDeadly – A Network Communication Blocker That Neutralizes EDR and AV Tools

A new endpoint detection and response (EDR) evasion technique called SilentButDeadly has been identified, which exploits vulnerabilities in security software by using a network communication blocker that leverages the Windows Filtering Platform (WFP). This technique disrupts EDR and antivirus solutions' cloud connectivity without terminating processes or manipulating the kernel. SilentButDeadly operates through a seven-phase execution sequence, starting with verifying administrator privileges and discovering EDR solutions like SentinelOne and Windows Defender. It establishes dynamic WFP sessions with high-priority filtering rules to block outbound telemetry and inbound command-and-control communications, preventing EDR solutions from receiving updates and executing remote management commands. Additionally, it attempts to disable EDR services, hindering automatic restarts and background monitoring. This technique highlights a significant architectural vulnerability in EDR systems that rely on network connectivity. To mitigate this threat, security teams can monitor Windows event logs for specific Event IDs related to WFP filter creation and implement real-time monitoring and redundant communication channels. SilentButDeadly requires administrator privileges and is ineffective against EDR solutions protected by kernel-level network drivers.

Winsage

October 30, 2025

Windows event logs are still the most powerful diagnostic tool on your PC

Event Viewer is a built-in diagnostic tool in Windows that logs every event occurring on a PC, helping users troubleshoot performance issues. It categorizes logs into Application, System, Security, and Setup sections, allowing users to focus on relevant categories during troubleshooting. Events are classified as Critical, Error, Warning, and Information, with Critical events indicating potential sources of system crashes. Users can filter logs, research Event IDs, and utilize the Details section for deeper insights. Event Viewer can be paired with Reliability Monitor for a visual overview of system stability. Many third-party diagnostic tools also rely on data from Event Viewer, making it a valuable resource for addressing persistent errors.

Tech Optimizer

October 17, 2025

Russian tech firm attacked by Chinese state hackers in allied attack

The Chinese APT group Jewelbug infiltrated a Russian IT provider undetected for five months. They have increased their activity, targeting Russian entities as well as interests in South America, South Asia, and Taiwan. Jewelbug used a disguised version of the Microsoft Console Debugger (CDB) to bypass security measures and exfiltrate data. They cleared Windows Event Logs to avoid detection and used Yandex Cloud for data exfiltration. Symantec's report indicates that Russian organizations are vulnerable to attacks from Chinese state-sponsored groups.