Your best bet here might be to search for Windows-based digital forensics 
articles. SANS puts out a classic poster with some key system processes to keep 
tabs on: 
https://digital-forensics.sans.org/blog/2014/03/26/finding-evil-on-windows-systems-sans-dfir-poster-release

Pretty much anything that loads up by default from beneath C:\windows is worthy 
of watching. You might even just open Task Manager, add the column named "Image 
path name" and look at each process that's running out of C:\Windows\*.

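The Task Manager check described in the reply above, scripted in PowerShell as an added example that is not part of the original thread. It goes a little further than the reply: besides listing every process whose image lives under the Windows directory, it compares a handful of core process names against the directory they are expected to run from; that expected-location table is an assumption for illustration, not an authoritative list.

```powershell
# Added example, not from the ossec-list post. Enumerates running processes with
# their image paths (the "Image path name" column in Task Manager) so the review
# can be scripted. Two outputs:
#   WATCH  - image is under %SystemRoot%, i.e. the set the reply says to keep an eye on
#   FLAG   - a core process name running from somewhere other than its usual directory
# The $expected table is an assumption for illustration; extend it from the SANS
# "Finding Evil" poster linked above.

$windir   = $env:SystemRoot                      # normally C:\Windows
$system32 = Join-Path $windir 'System32'
$syswow64 = Join-Path $windir 'SysWOW64'         # 32-bit copies on x64 are legitimate

# Assumed expected parent directories for a few core processes (illustrative only).
$expected = @{
    'svchost.exe'  = @($system32, $syswow64)
    'lsass.exe'    = @($system32)
    'services.exe' = @($system32)
    'csrss.exe'    = @($system32)
    'winlogon.exe' = @($system32)
    'explorer.exe' = @($windir)
}

# Win32_Process exposes ExecutablePath without needing a handle to each process.
$procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, Name, ExecutablePath

foreach ($p in $procs) {
    # System, Idle and protected processes expose no path; skip rather than misreport.
    if (-not $p.ExecutablePath) { continue }

    $dir  = Split-Path -Path $p.ExecutablePath -Parent
    $name = $p.Name.ToLower()
    $underWindows = $p.ExecutablePath.StartsWith($windir, 'OrdinalIgnoreCase')

    if ($expected.ContainsKey($name) -and ($expected[$name] -notcontains $dir)) {
        Write-Output ("FLAG   PID {0,6} {1,-14} unexpected location: {2}" -f `
            $p.ProcessId, $name, $p.ExecutablePath)
    }
    elseif ($underWindows) {
        Write-Output ("WATCH  PID {0,6} {1,-14} {2}" -f `
            $p.ProcessId, $name, $p.ExecutablePath)
    }
}
```

Run it elevated so that ExecutablePath is populated for services running as SYSTEM; the FLAG list is a review queue, not a verdict, since a renamed or relocated binary still needs to be checked by hash against a known-good copy.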
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of iisinfrastruct...@gmail.com
Sent: Tuesday, May 10, 2016 5:18 PM
To: ossec-list <ossec-list@googlegroups.com>
Subject: [ossec-list] Windows 2012 - FIM - list of files who needs to be 
supervise

Hi,

I have been searching the Web quite a lot and, maybe I am not looking in the 
right place, but I can't find any answer.

I have to make a list of all the main files that need to be supervised by a FIM 
solution on Windows 2012 (basic ones like hosts and the main DLLs, for example).
It's not that hard on Linux and I have been able to find what I was looking for.

Is there any kind of reference for Windows? I can't even find one on 
Microsoft TechNet. All I got is "what you're supposed to do".

It seems like every FIM product on the market keeps that information like a 
secret. All I have found so far is this link: 
https://secludit.com/blog/windows-linux-vulnerable-files/ but it's already 
quite old.

Any place I can look? I'll happily provide some kind of database when I am done 
cataloguing what needs to be supervised.

Thanks,

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com 
<mailto:ossec-list+unsubscr...@googlegroups.com> .
For more options, visit https://groups.google.com/d/optout.
