If everyone monitored security event ID 4688 (A new process has been created) on every computer, we would know within seconds whenever a new EXE showed up on the network. With that visibility we could stop many more intrusions, and much earlier in the attack, before damage is done. This one security measure would catch a large share of ransomware, APT and information-theft attacks.
Sound like a lot of work? It was.
In 5 minutes Supercharger can configure Windows Event Collection so that your endpoints start forwarding these events to a central Windows event collector, which you then monitor with the SIEM of your choice. No agents, no polling, no remote-access credentials to set up, no firewall rules to configure. It just works.
Worried that collecting every process start event from every Windows system would be overwhelming? Turn on Supercharger's built-in Common System Process noise filter and the traffic from those endpoints drops to a fraction. That's because the lion's share of process start events (4688) are just noise in terms of attack detection. We know, for instance, that Windows runs C:\Windows\System32\svchost.exe all the time; as long as the Logon ID is 0x3e7 (the local SYSTEM logon session) there's really no point in analyzing the event.
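To make the two ideas above concrete, here is an added example (not Supercharger's code or configuration) that parses 4688 records in the XML shape the collector stores, applies the svchost.exe / Logon ID 0x3e7 noise rule, and then flags any executable path the fleet has never reported before. The host names, user names, the Temp\update.exe path and the one-entry baseline are constructed sample data, and NOISE_RULES, triage and run_demo are names chosen here, not product features.

```python
import xml.etree.ElementTree as ET

# Namespace Windows uses for rendered event XML (ForwardedEvents / Get-WinEvent ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The article's noise rule: svchost.exe started in the SYSTEM logon session
# (Logon ID 0x3e7) is routine. Paths compare case-insensitively because the
# Security log may render the same executable with either casing.
NOISE_RULES = {
    (r"c:\windows\system32\svchost.exe", "0x3e7"),
}

# Shape of a 4688 record as forwarded to the collector, trimmed to the fields
# this example reads. The records built from it below are constructed samples.
EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectLogonId">{logon_id}</Data>
    <Data Name="NewProcessName">{new_process}</Data>
    <Data Name="ParentProcessName">{parent}</Data>
  </EventData>
</Event>"""

# (event_id, computer, user, logon_id, new_process, parent) for three hypothetical hosts.
SAMPLE_ROWS = [
    (4688, "WS01", "WS01$", "0x3E7", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    (4688, "WS01", "alice", "0x5a3f1", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    (4688, "WS02", "WS02$", "0x3e7", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    (4688, "WS02", "bob", "0x7b210", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    (4688, "WS02", "bob", "0x7b210", r"C:\Users\bob\AppData\Local\Temp\update.exe",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # Same path and Logon ID as the rule but an odd parent: the rule as stated still drops it.
    (4688, "WS03", "WS03$", "0x3e7", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe"),
    (4624, "WS03", "bob", "0x7b210", "", ""),  # a logon, not a process start; must be ignored
]


def render_sample_events():
    """Return the constructed records as XML strings, as the collector would hold them."""
    return [
        EVENT_TEMPLATE.format(event_id=e, computer=c, user=u, logon_id=l, new_process=n, parent=p)
        for e, c, u, l, n, p in SAMPLE_ROWS
    ]


def parse_4688(xml_text):
    """Parse one event record; return a flat dict for 4688, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "user": data.get("SubjectUserName", ""),
        "logon_id": data.get("SubjectLogonId", "").lower(),
        "new_process": data.get("NewProcessName", ""),
        "parent": data.get("ParentProcessName", ""),
    }


def is_noise(ev):
    """Common-system-process filter: drop routine SYSTEM-session service hosts."""
    return (ev["new_process"].lower(), ev["logon_id"]) in NOISE_RULES


def triage(xml_records, known_paths):
    """Filter noise, then alert on executables never seen before across the fleet.

    known_paths is the set of lower-cased paths already baselined (for example,
    everything present on a clean build); it is updated in place so the consumer
    alerts on each new path exactly once. Returns (kept_events, alerts).
    """
    kept, alerts = [], []
    for rec in xml_records:
        ev = parse_4688(rec)
        if ev is None or is_noise(ev):
            continue
        kept.append(ev)
        path = ev["new_process"].lower()
        if path not in known_paths:
            known_paths.add(path)
            alerts.append((ev["computer"], ev["user"], ev["new_process"], ev["parent"]))
    return kept, alerts


def run_demo():
    """Run the constructed records against an assumed baseline of one known executable."""
    baseline = {r"c:\windows\system32\notepad.exe"}
    return triage(render_sample_events(), baseline)


if __name__ == "__main__":
    kept, alerts = run_demo()
    print(f"{len(kept)} events kept after noise filtering")
    for computer, user, proc, parent in alerts:
        print(f"NEW EXE on {computer}: {proc} (user {user}, parent {parent})")
```

Two caveats worth keeping in mind when you wire something like this to the collector. First, 4688 is only written when Audit Process Creation (Advanced Audit Policy, Detailed Tracking) is enabled on the endpoints, and the CommandLine field is populated only if "Include command line in process creation events" is also turned on; the noise rule above needs neither the command line nor anything beyond the executable path and Logon ID. Second, the rule as the article states it keys on path and Logon ID alone, so an svchost.exe started in the SYSTEM session by an unusual parent (the WS03 sample) is suppressed as well; if that matters to you, add the parent to the rule rather than loosening the filter elsewhere.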
Supercharger was designed by Randy Franklin Smith (no one knows the Windows Security Log better), and that knowledge is built into Supercharger for you to leverage. Check out this video, where Randy demonstrates the steps in less than 7 minutes.