MITRE Windows Integration App for IBM Security QRadar SIEM


QLean for IBM Security QRadar SIEM: MITRE Windows Integration App for IBM Security QRadar SIEM
ADMIN GUIDE
2021 ScienceSoft

Table of Contents

Overview
Supported Versions
Extension Installation
    Downloading Extension
    Installing Extension
App Description
    Rules overview
    Rules structure
    Application side
Prerequisites
    Configuring WinCollect Agent
    Configuring Sysmon
Usage
    Add legitimate Windows Users and Machine (host)
    Map rules to MITRE Techniques via Use Case Manager (Optional)
        Manually
        Automatically
Troubleshooting
Appendix A: Release notes
Appendix B: Custom Properties
Appendix C: Custom Rules

Overview

The MITRE Windows Integration App tactics by ScienceSoft are based on the logs provided by the Microsoft Sysmon tool, configured in a specific way.

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Although extensively tested and tuned, some rules are disabled by default to prevent potential false positives in the production SIEM environment, so make sure to enable them after the Sysmon configuration is done.

IMPORTANT: This complimentary application is a part of the full set of the MITRE Windows Integration App created by ScienceSoft. You can request this package as a commercial product along with the professional services support for Sysmon configuration and troubleshooting at

Supported Versions

Supported QRadar versions are: GA and higher

NOTE: This solution is developed by ScienceSoft and is not supported by IBM. You can request your own custom QRadar application to be developed via the following address:

Extension Installation

The current application is distributed as a QRadar extension. To install it, follow the steps below.

Downloading Extension

- Go to
- Log in using your IBMid
- Filter by Type: Custom Rule

- Select MITRE Windows Integration App extension
- Click the Download button at the top right corner
- Save the extension zip file

Installing Extension

- Log in to the QRadar UI
- Go to the Admin tab
- Open Extensions Management
- Click the Add button
- Select the Install immediately checkbox, click the Browse button, locate the extension file downloaded from IBM App Exchange, and click the Add button
- Confirm all the steps and wait for installation to finish. This may take a while.
- Close the Extensions Management window and press Ctrl+F5 to fully reload the QRadar UI.
- Deploy changes if requested by QRadar

App Description

Rules overview

To get the list of MITRE ATT&CK rules, follow the steps below.

- Go to the Offense tab
- Click the Rules link
- Click the Group drop-down and select a MITRE group

Rules structure

Click any MITRE ATT&CK group rule for more details.

IMPORTANT: For the MITRE ATT&CK rules to trigger, you must configure Sysmon for every rule you are interested in. The Notes section of every rule contains the detailed configuration to be performed. Scroll down the Notes section to review the whole configuration guide for the rule.

Press the Next (3) button to check the Rule Response part.

The following wizard page shows the CRE event that will be generated when the rule triggers. The Event Name field contains the unique ID and name of the MITRE ATT&CK tactics. The Event Description field contains a short description.

Application side

The application has the following tabs:

- Authentication token: with this tab you automatically map the MITRE ATT&CK rules with Use Case Manager. See the Usage section of this guide.
- Hints: contains a description and short instructions on how to configure the Sysmon service.

- Sysmon Rules: a text form where you can copy or download all Sysmon queries related to this rule set.

Prerequisites

The following software versions are required for proper configuration of audit settings and forwarding to IBM QRadar:

- WinCollect Agent or higher
- Sysmon or higher

To verify that Sysmon is present and running on your Windows host, follow these steps.

With PowerShell (as admin):

    Get-Service sysmon*

With GUI:

- Open the Run menu by pressing Win + R
- Type in the opened window: services.msc
- Find Sysmon or Sysmon64 and verify that it is installed and running

In the same way for WinCollect.

With PowerShell (as admin):

    Get-Service wincollect

With GUI:

- Open the Run menu by pressing Win + R
- Type in the opened window: services.msc
- Find WinCollect and verify that it is installed and running

Configuring WinCollect Agent

WinCollect is a Syslog event forwarder that administrators can use to forward events from Windows logs to QRadar. WinCollect can collect events from systems locally or be configured to remotely poll other Windows systems for events.

For WinCollect installation, please refer to the IBM documentation

We recommend using the following XPath queries for WinCollect configuration:

    <QueryList>
      <Query Id="0" Path="Events Of Interest">
        <Select Path="Security">*</Select>
        <Suppress Path="Security">(*[System[(EventID=5154 or EventID=5156 or EventID=5157 or EventID=5158)]]) or = 'ANONYMOUS LOGON'] or = 'ANONYMOUS LOGON'])])</Suppress>
        <Select Path="System">(*[System[(EventID=104 or EventID=1056 or EventID=7000 or EventID=7011 or EventID=7013 or EventID=7030 or EventID=7031 or EventID=7035 or EventID=7036 or EventID=7040 or EventID=7045)]])</Select>
        <Select and (EventID=1022 or EventID=1033 or EventID=1034)]) or System[(Level=2) and (EventID=1000)])])</Select>
        <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
        <Select Path="Microsoft-Windows-PowerShell/Operational">(*[System[(EventID = 4103 or EventID = 4104)]])</Select>
        <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">(*[(System[(EventID=8002) and UserData/RuleAndFileData/PolicyName!="DLL"]) or System[(EventID=8003 or EventID=8004)]])</Select>
        <Select Path="Microsoft-Windows-AppLocker/MSI and Script">(*[System[(EventID=8005 or EventID=8006 or EventID=8007)]])</Select>
        <Select Path="Microsoft-Windows-Sysmon/Operational">(*[System[(EventID=1 or EventID=3 or EventID=7 or EventID=8 or EventID=9 or EventID=10 or EventID=11 or EventID=12 or EventID=13 or EventID=14 or EventID=17 or EventID=18 or EventID=19 or EventID=20 or EventID=21)]])</Select>
        <Select Path="Microsoft-Windows-Security- and ((EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]])</Select>
        <Select Path="Microsoft-Windows-Security- and ((EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]])</Select>
      </Query>
    </QueryList>

Configuring Sysmon

Sysmon is a free solution initially developed by Mark Russinovich and Thomas Garnier of the former Winternals Software company and currently maintained by Microsoft. The tool is designed to extend the current logging capabilities in Windows to aid in understanding and detecting attackers by behavior. It was developed originally for internal use at Microsoft. All of the events generated by Sysmon are saved in the Microsoft-Windows-Sysmon/Operational EventLog in order to accommodate security products that already leverage the EventLog, and to make the events easier to view and collect.

Download an installation file from Microsoft. The tool supports 64-bit and 32-bit systems and uses a single command line tool for installation and configuration management. Extract it to any folder and run the command:

    sysmon64.exe -i sysmon.xml

Where sysmon.xml is a pre-created configuration file. Sample of configuration:

    <Sysmon schemaversion="4.22">
      <EventFiltering>
        <RuleGroup name="" groupRelation="or">
          <FileCreate onmatch="include">
            <Rule groupRelation="or">
              <TargetFilename name="t1170" condition="end with">.hta</TargetFilename>
            </Rule>
          </FileCreate>
        </RuleGroup>
      </EventFiltering>
    </Sysmon>
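An added example, not part of the original guide or the app: a Python check that a sysmon.xml is well-formed and that each technique tag (the `name` attribute on a filter) is present in every event section it is expected in. The `REQUIRED` checklist and the placement of `OriginalFileName` filters under `ProcessCreate` are assumptions; the filter values are copied from Appendix C.

```python
import xml.etree.ElementTree as ET

# Constructed sample config. Filter values are taken from Appendix C of the guide;
# putting OriginalFileName filters under ProcessCreate is an assumption.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename name="t1170" condition="end with">.hta</TargetFilename>
        <TargetFilename name="t1187" condition="end with">.scf</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <OriginalFileName name="t1040" condition="is">pktmon.exe</OriginalFileName>
        <OriginalFileName name="t1049" condition="is">netstat.exe</OriginalFileName>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image name="t1049" condition="image">netstat.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Hypothetical checklist: event sections in which each technique tag should appear.
REQUIRED = {
    "T1049": {"ProcessCreate", "NetworkConnect", "PipeEvent"},
    "T1187": {"FileCreate"},
    "T1040": {"ProcessCreate"},
}


def tags_by_section(xml_text):
    """Map each technique tag (upper-cased name attribute) to the sections using it."""
    root = ET.fromstring(xml_text)  # raises ET.ParseError on malformed XML
    found = {}
    for filtering in root.iter("EventFiltering"):
        for child in filtering:
            # Filters sit inside RuleGroup wrappers or directly under EventFiltering.
            sections = list(child) if child.tag == "RuleGroup" else [child]
            for section in sections:
                for element in section.iter():
                    tag = (element.get("name") or "").strip().upper()
                    if element is not section and tag:
                        found.setdefault(tag, set()).add(section.tag)
    return found


def missing_sections(xml_text, required):
    """Return {technique: sections that still lack a tagged filter}."""
    found = tags_by_section(xml_text)
    gaps = {}
    for technique, sections in required.items():
        lacking = sections - found.get(technique.upper(), set())
        if lacking:
            gaps[technique] = lacking
    return gaps


def parse_error(xml_text):
    """Return the parser message for malformed XML, or None if it parses."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)


# A closing tag whose case differs from its opening tag is not well-formed XML.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("</TargetFilename>", "</targetfilename>")

if __name__ == "__main__":
    print(tags_by_section(SAMPLE_CONFIG))
    print(missing_sections(SAMPLE_CONFIG, REQUIRED))
    print(parse_error(BROKEN_CONFIG))
```

Running the check before `sysmon64.exe -c sysmon.xml` shows which enabled rules would stay silent because their filter is absent from the deployed configuration.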

NOTE: Find the full configuration file in the Application UI Form.

To update the current configuration, run the following command:

    C:\Windows\Sysmon64.exe -c sysmon.xml

NOTE: You can easily install and configure both WinCollect Agent and Sysmon in an automated mode on multiple Windows hosts, using the required XPath and Sysmon configuration, with an IBM-validated professional solution called QWAD (QWAD WinCollect Assisted Deployment), available on IBM App Exchange.

Usage

Add legitimate Windows Users and Machine (host)

Most of the rules have the following tests defined in the rule logic:

    and NOT when any of User are contained in Users Whitelist - (Ignore Case)
    and NOT when any of Machine Machines Whitelist - (Ignore Case)

Add legitimate user and machine names to the MITRE: Windows Users Whitelist and MITRE: Windows Machines Whitelist reference sets in order to avoid false-positive offenses.

NOTE: Please refer to Appendix C for the complete list of rules available in this package.

Map rules to MITRE Techniques via Use Case Manager (Optional)

Windows MITRE rules can be mapped to MITRE Techniques with UCM (Use Case Manager), which you can get from IBM App Exchange. There are two ways to do that: manually in Use Case Manager, or automatically via the MITRE Windows Integration App application.

- Manually

To map techniques, click the ATT&CK Action button on the main page of Use Case Manager and select Import. Click the upload icon and select a map file with the .json extension, then click Import.

You can download a mapping JSON file from the application. Open the MITRE Windows App interface, move to the Hints tab, then click the Download Mapping File button.

- Automatically

  - Log in to the QRadar UI
  - Go to the Admin tab
  - Create a new Authorized Service
  - Open the MITRE Windows Integration App interface
  - On the initial run you'll be presented with a configuration field to enter the Authorization Token
  - Enter the Authorization Token generated in the previous step (1)
  - Press the Save button to save the configuration

After that, the app maps all of its rules once. Check the status bar to be sure that this has happened.

NOTE: Be sure that you have Use Case Manager installed.

Troubleshooting

This application is provided as-is. You can send suggestions on how to make it better and request professional services support for Sysmon configuration and troubleshooting at

Appendix A: Release notes

Initial version

Appendix B: Custom Properties

Several custom properties are provided to enhance Sysmon events normalization. The custom properties listed below will be installed automatically along with the application.

Name: Target User Name
Description: Default custom extraction of Target User Name from DSM payload.
Regex: Target.*?Account Name[\:\\\=\s]+(.*?)\s+(?:Account

Name: Machine ID
Description: Default custom extraction of Machine ID from DSM payload.
Regex: Computer=([^\s]+)

Name: Sysmon Rule Name
Description: Name of rule that triggered the event.
Regex: RuleName:\s+(.+)\s+Utc
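An added example, not code from the guide or the app, that follows one event through the chain this guide describes: the Machine ID and Sysmon Rule Name regexes from Appendix B pull fields out of the payload, then the event ID, technique and whitelist tests from the Usage section are applied. The payload layout, the `EventID` and `User` regexes, and case-insensitive matching of the rule name are assumptions; the Target User Name regex is not used.

```python
import re

# Regexes quoted from Appendix B of the guide.
MACHINE_ID = re.compile(r"Computer=([^\s]+)")
SYSMON_RULE_NAME = re.compile(r"RuleName:\s+(.+)\s+Utc")
# Assumptions, not from the guide: how the event ID and user are read.
EVENT_ID = re.compile(r"EventID=(\d+)")
USER = re.compile(r"\bUser:\s+(\S+)")

# Constructed stand-ins for the two reference sets named in the Usage section.
USERS_WHITELIST = {"CORP\\svc_deploy"}
MACHINES_WHITELIST = {"build01.corp.example"}

# "Event ID is any of [1 or 3 or 7 or 11]" is the T1053 test listed in Appendix C.
T1053_EVENT_IDS = {1, 3, 7, 11}


def sample_payload(computer, event_id, rule_name, user):
    """Build a constructed WinCollect-style payload; this is not a captured event."""
    return (
        "<13>Mar 10 10:15:02 {c} AgentDevice=WindowsLog\t"
        "AgentLogFile=Microsoft-Windows-Sysmon/Operational\t"
        "Source=Microsoft-Windows-Sysmon\tComputer={c}\tUser=SYSTEM\t"
        "EventID={e}\tMessage=Process Create: RuleName: {r} "
        "UtcTime: 2021-03-10 10:15:01.123 "
        "Image: C:\\Windows\\System32\\schtasks.exe "
        "User: {u} OriginalFileName: schtasks.exe"
    ).format(c=computer, e=event_id, r=rule_name, u=user)


def extract(payload):
    """Apply the property regexes and return the normalized fields."""
    def first(pattern):
        match = pattern.search(payload)
        return match.group(1).strip() if match else None

    event_id = first(EVENT_ID)
    return {
        "machine": first(MACHINE_ID),
        "rule_name": first(SYSMON_RULE_NAME),
        "event_id": int(event_id) if event_id else None,
        "user": first(USER),
    }


def rule_fires(payload, technique, event_ids, users_whitelist, machines_whitelist):
    """Technique tag and event ID must match; whitelisted users and hosts are skipped."""
    event = extract(payload)
    if (event["rule_name"] or "").upper() != technique.upper():
        return False  # untagged events carry "-" as the rule name
    if event_ids and event["event_id"] not in event_ids:
        return False
    # Both whitelist tests ignore case, as stated in the rule logic.
    if (event["user"] or "").lower() in {u.lower() for u in users_whitelist}:
        return False
    if (event["machine"] or "").lower() in {m.lower() for m in machines_whitelist}:
        return False
    return True


def demo():
    """Evaluate five constructed events against the T1053 rule."""
    cases = [
        ("WS01.corp.example", 1, "t1053", "CORP\\alice"),       # fires
        ("BUILD01.corp.example", 1, "t1053", "CORP\\alice"),    # host whitelisted
        ("WS01.corp.example", 1, "t1053", "corp\\SVC_DEPLOY"),  # user whitelisted
        ("WS01.corp.example", 1, "-", "CORP\\alice"),           # no Sysmon tag
        ("WS01.corp.example", 13, "t1053", "CORP\\alice"),      # event ID not listed
    ]
    return [
        rule_fires(sample_payload(*case), "T1053", T1053_EVENT_IDS,
                   USERS_WHITELIST, MACHINES_WHITELIST)
        for case in cases
    ]


if __name__ == "__main__":
    print(demo())
```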

Appendix C: Custom Rules

Complete list of rules provided with application:

Rule Name:
MITRE.WIN.T RULE OS Credential Dumping: Cached Domain Credentials
MITRE.WIN.T1007.RULE System Service Discovery
MITRE.WIN.T1012.RULE Query Registry

Logic:
any of T1003 Whitelist -
any of T1007 Whitelist -
any of T1012

Notes:
<CommandLine name="t " condition="contains">hklm\security\cACHE</CommandLine>
<OriginalFileName name="t1007" condition="contains">loadord</OriginalFileName>
<OriginalFileName name="t1007" condition="is">psservice.exe</OriginalFileName>
<OriginalFileName name="t1012" condition="contains">regsize</OriginalFileName>

Rule Name:
MITRE.WIN.T RULE Remote Services: Remote Desktop Protocol
MITRE.WIN.T RULE Remote Services: Distributed Component Object Model
MITRE.WIN.T RULE Remote Services: Windows Remote Management

Logic:
Whitelist -
any of T1021 Whitelist -
any of T1021 Whitelist -

Notes:
<OriginalFileName name="t1012" condition="is">ru.exe</OriginalFileName>
<TargetObject name="t " condition="is">hklm\software\policies\microsoft\windows NT\Terminal Services</TargetObject>
<TargetObject name="t " condition="is">hklm\software\microsoft\ole</TargetObject>

Rule Name:
MITRE.WIN.T1027.RULE Obfuscated Files or Information
MITRE.WIN.T RULE Boot or Logon Initialization Scripts: Logon Script (Windows)

Logic:
Event ID is any of [1 or 3] any of T1021 Whitelist -
any of T1027 Whitelist -
any of T1037

Notes:
<Image name="t " condition="image">winrm.cmd</Image>
<OriginalFileName name="t " condition="is">wsmprovhost.exe</OriginalFileName>
In section <NetworkConnect
<DestinationPort name="t " condition="is">5986</DestinationPort>
<CommandLine name="t1027" condition="contains">^</CommandLine>
<CommandLine name="t1027" condition="contains">../../</CommandLine>
<TargetObject name="t " condition="contains">hkcu\environment\UserInitMprLogonScript</TargetObject>
<TargetObject name="t " condition="contains">hkey_current_uSER\Environment "UserInitMprLogonScript"</TargetObject>

Rule Name:
MITRE.WIN.T RULE Boot or Logon Initialization Scripts: Startup Items
MITRE.WIN.T1040.RULE Network Sniffing
MITRE.WIN.T1049.RULE System Network Connections Discovery

Logic:
Whitelist -
Event ID is any of [11] any of T1037 Whitelist -
any of T1040 Whitelist -
Event ID is any of [1 or 3 or 17 or 18] any of T1049

Notes:
In section <FileCreate
<TargetFilename name="t " condition="contains">\startup\</TargetFilename>
<OriginalFileName name="t1040" condition="is">pktmon.exe</OriginalFileName>
<OriginalFileName name="t1049" condition="is">netstat.exe</OriginalFileName>
In section <NetworkConnect
<Image name="t1049"

Rule Name:
MITRE.WIN.T RULE Exfiltration Over Physical Medium: Exfiltration over USB
MITRE.WIN.T1053.RULE Scheduled Task/Job

Logic:
Whitelist -
Event ID is any of [2003 or 2004 or 2006 or 2010 or 2100 or 2101 or 2105 or 2106] Whitelist -
Event ID is any of [1 or 3 or 7 or 11] any of T1053 Whitelist -

Notes:
condition="image">netstat.exe</Image>
In section <PipeEvent
<PipeName name="t1049" condition="begin with">\srvsvc</PipeName>
No action required.
<OriginalFileName name="t1053" condition="contains any">schtasks.exe;sctasks.exe</OriginalFileName>
<OriginalFileName name="t1053" condition="is">taskeng.exe</OriginalFileName>
In section <NetworkConnect
<Image name="t1053" condition="image">schtasks.exe</Image>
<Image name="t1053" condition="image">at.exe</Image>
<Image name="t1053" condition="image">taskeng.exe</Image>

Notes:
In section <ImageLoad
<ImageLoaded name="t1053" condition="end with">taskschd.dll</ImageLoaded>
In section <FileCreate
<TargetFilename name="t1053" condition="begin with">c:\windows\syswow64\tasks</TargetFilename>
<TargetFilename name="t1053" condition="begin with">c:\windows\system32\tasks</TargetFilename>
<TargetFilename name="t1053" condition="begin with">c:\windows\tasks\</TargetFilename>

Rule Name:
MITRE.WIN.T RULE Scheduled Task/Job: At (Windows)
MITRE.WIN.T RULE Scheduled Task/Job: Scheduled Task

Logic:
Event ID is any of [106 or 140 or 141 or 4698 or 4700 or 4701] Whitelist -
Event ID is any of [106 or 140 or 141 or 4698 or 4700 or 4701]

Notes:
No action required.
No action required.

Rule Name:
MITRE.WIN.T RULE Input Capture: Keylogging
MITRE.WIN.T RULE Command and Scripting Interpreter: Python
MITRE.WIN.T RULE Command and Scripting Interpreter: JavaScript/JScript

Logic:
Whitelist -
any of T1056 Whitelist -
any of T1059 Whitelist -

Notes:
<TargetObject name="t " condition="contains">\software\microsoft\windows\currentversion\capabilityAccessManager\ConsentStore\hunmanInterfacedevice</TargetObject>
<Image name="t " condition="image">python.exe</Image>
<Image name="t " condition="image">cscript.exe</Image>

Rule Name:
MITRE.WIN.T1069.RULE Permission Groups Discovery
MITRE.WIN.T RULE Permission Groups Discovery: Local Groups
MITRE.WIN.T RULE Permission Groups Discovery: Domain Groups

Logic:
any of T1059 Whitelist -
Event ID is any of [3] any of T1069 Whitelist -
any of T1069 Whitelist -

Notes:
<Image name="t " condition="image">wscript.exe</Image>
In section <NetworkConnect
<Image name="t1069" condition="image">net1.exe</Image>
<CommandLine name="t " condition="contains">net localgroup</CommandLine>

Rule Name:
MITRE.WIN.T1070.RULE Indicator Removal on Host
MITRE.WIN.T RULE Indicator Removal on Host: Clear Windows s
MITRE.WIN.T RULE Indicator Removal on Host: Network Share Connection Removal

Logic:
any of T1069 Whitelist -
Event ID is any of [1 or 3] any of T1070 Whitelist -
Event ID is any of [1102] Whitelist -

Notes:
<CommandLine name="t " condition="contains">net group /domain</CommandLine>
<OriginalFileName name="t1070" condition="is">wevtutil.exe</OriginalFileName>
In section <NetworkConnect
<Image name="t1070" condition="image">wevtutil.exe</Image>
No action required.

Rule Name:
MITRE.WIN.T1074.RULE Data Staged
MITRE.WIN.T1078.RULE Valid Accounts

Logic:
any of T1070 Whitelist -
any of T1074 Whitelist -
any of T1078 Whitelist -

Notes:
<CommandLine name="t " condition="contains any">netuse;net1use</CommandLine>
<CommandLine name="t " condition="contains any">\\;delete</CommandLine>
<OriginalFileName name="t1074" condition="is">robocopy.exe</OriginalFileName>
<OriginalFileName name="t1074" condition="is">xcopy.exe</OriginalFileName>
<OriginalFileName name="t1078" condition="is">djoin.exe</OriginalFileName>

Rule Name:
MITRE.WIN.T1082.RULE System Information Discovery
MITRE.WIN.T1087.RULE Account Discovery
MITRE.WIN.T RULE Account Discovery: Local Account

Logic:
any of T1082 Whitelist -
any of T1087 Whitelist -
any of T1087

Notes:
<CommandLine name="t1082" condition="contains any">systeminfo;net config workstation;hostname;ver;set;date /t</CommandLine>
<OriginalFileName name="t1087" condition="is">cmdkey.exe</OriginalFileName>
<OriginalFileName name="t1087" condition="is">klist.exe</OriginalFileName>
<CommandLine name="t " condition="contains any">net user;net localgroup</CommandLine>

Rule Name:
MITRE.WIN.T RULE Account Discovery: Domain Account
MITRE.WIN.T RULE Collection: Local Collection
MITRE.WIN.T1123.RULE Audio Capture

Logic:
Whitelist -
any of T1087 Whitelist -
any of T1114 Whitelist -
any of T1123

Notes:
<CommandLine name="t " condition="contains any">net user /domain;net group /domain</CommandLine>
<CommandLine name="t " condition="contains any">\appdata\local\microsoft\outlook;\Documents\Outlook Files</CommandLine>
<TargetObject name="t1123" condition="contains">\software\microsoft\windows\currentversion\capabilityAccessManager\ConsentStore\bluetooth</TargetObject>
<TargetObject name="t1123"

Rule Name:
MITRE.WIN.T1125.RULE Video Capture
MITRE.WIN.T RULE Trusted Developer Utilities Proxy Execution: MSBuild
MITRE.WIN.T RULE Office Application Startup: Office Test

Logic:
Whitelist -
any of T1125 Whitelist -
any of T1127 Whitelist -

Notes:
condition="contains">\software\microsoft\windows\currentversion\capabilityAccessManager\ConsentStore\microphone</TargetObject>
<TargetObject name="t1125" condition="contains">\software\microsoft\windows\currentversion\capabilityAccessManager\ConsentStore\webcam</TargetObject>
<OriginalFileName name="t " condition="is">msbuild.exe</OriginalFileName>

Rule Name:
MITRE.WIN.T1187.RULE Forced Authentication
MITRE.WIN.T1200.RULE Hardware Additions
MITRE.WIN.T RULE Signed Binary Proxy

Logic:
any of T1137 Whitelist -
Event ID is any of [11] any of T1187 Whitelist -
Event ID is any of [2003 or 2004 or 2006 or 2010 or 2100 or 2102 or 2101 or 2105 or 2106] Whitelist -

Notes:
<TargetObject name="t " condition="end with">software\microsoft\office test\special\perf</TargetObject>
In section <FileCreate
<TargetFilename name="t1187" condition="end with">.scf</TargetFilename>
<TargetFilename name="t1187" condition="end with">.lnk</TargetFilename>
No action required.

Rule Name:
Execution: Compiled HTML File
MITRE.WIN.T RULE Signed Binary Proxy Execution: Control Panel
MITRE.WIN.T RULE Signed Binary Proxy Execution: CMSTP

Logic:
any of T1218 Whitelist -
any of T1218 Whitelist -
any of T1218 Whitelist -

Notes:
<Image name="t " condition="image">hh.exe</Image>
<CommandLine name="t " condition="contains all">rundll32.exe;shell32.dll;control_runDLL</CommandLine>
<CommandLine name="t " condition="contains all">control;/name</CommandLine>
<CommandLine name="t " condition="contains all">/ni;/s</CommandLine>
<OriginalFileName name="t " condition="is">cmstp.exe</OriginalFileName>

Rule Name:
MITRE.WIN.T RULE Signed Binary Proxy Execution: InstallUtil
MITRE.WIN.T RULE Signed Binary Proxy Execution: Msiexec
MITRE.WIN.T RULE Signed Binary Proxy Execution: Odbcconf

Logic:
any of T1218 Whitelist -
any of T1218 Whitelist -
any of T1218

Notes:
<CommandLine name="t " condition="contains all">/logfile=;/logtoconsole=false;/u</CommandLine>
<OriginalFileName name="t " condition="is">installutil.exe</OriginalFileName>
<Image name="t " condition="image">msiexec.exe</Image>
<Image name="t " condition="image">odbcconf.exe</Image>

Rule Name:
MITRE.WIN.T RULE Signed Binary Proxy Execution: Rundll32
MITRE.WIN.T RULE File and Directory Permissions Modification: Windows File and Directory Permissions Modification
MITRE.WIN.T1482.RULE Domain Trust Discovery

Logic:
Whitelist -
Event ID is any of [3] any of T1218 Whitelist -
Event ID is any of [4670] Whitelist -
any of T1482

Notes:
In section <NetworkConnect
<Image name="t " condition="image">rundll32.exe</Image>
No action required.
<CommandLine name="t1482" condition="contains all">"c:\windows\system32\nltest.exe" /domain_trusts</CommandLine>
<OriginalFileName name="t1482" condition="is">nltestrk.exe</OriginalFileName>

Rule Name:
MITRE.WIN.T1489.RULE Service Stop
MITRE.WIN.T1489.RULE Service Stop [Sysmon]
MITRE.WIN.T1490.RULE Inhibit System Recovery

Logic:
Whitelist -
Event ID is any of [None] Whitelist -
any of T1489 Whitelist -
Event ID is any of [524] Whitelist -

Notes:
No action required.
<CommandLine name="t1489" condition="contains any">net stop;stop-Service</CommandLine>
No action required.

Rule Name:
MITRE.WIN.T1490.RULE Inhibit System Recovery [Sysmon]
MITRE.WIN.T1518.RULE Software Discovery
MITRE.WIN.T1529.RULE System Shutdown/Reboot

Logic:
any of T1490 Whitelist -
any of T1518 Whitelist -
Event ID is any of [1074 or 6006]

Notes:
<OriginalFileName name="t1490" condition="is">vassadmin.exe</OriginalFileName>
<TargetObject name="t1518" condition="contains">software\microsoft\windows\currentversion\app Paths</TargetObject>
No action required.

Rule Name:
MITRE.WIN.T RULE Event Triggered Execution: Change Default File Association
MITRE.WIN.T RULE Event Triggered Execution: Netsh Helper DLL
MITRE.WIN.T RULE Event Triggered Execution: AppCert DLLs

Logic:
Whitelist -
any of T1546 Whitelist -
any of T1546 Whitelist -
any of T1546

Notes:
<TargetObject name="t " condition="contains">\explorer\fileexts</TargetObject>
<TargetObject name="t " condition="contains">software\microsoft\netsh</TargetObject>
<TargetObject name="t " condition="begin with">hklm\system\currentcontrolset\Control\Session Manager\AppCertDlls</TargetObject>

Rule Name:
MITRE.WIN.T RULE Event Triggered Execution: Image File Execution Options Injection
MITRE.WIN.T RULE Event Triggered Execution: PowerShell Profile
MITRE.WIN.T RULE Boot or Logon Autostart Execution: Authentication Package

Logic:
Whitelist -
any of T1546 Whitelist -
Event ID is any of [11] any of T1546 Whitelist -

Notes:
<TargetObject name="t " condition="begin with">hklm\software\wow6432node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</TargetObject>
<TargetObject name="t " condition="begin with">hklm\software\microsoft\windows NT\CurrentVersion\Image File Execution Options</TargetObject>
In section <FileCreate
<TargetFilename name="t " condition="end with">\profile.ps1</TargetFilename>
<TargetFilename name="t " condition="end with">_profile.ps1</TargetFilename>

Rule Name:
MITRE.WIN.T RULE Boot or Logon Autostart Execution: Time Providers
MITRE.WIN.T RULE Boot or Logon Autostart Execution: Security Support Provider

Logic:
any of T1547 Whitelist -
any of T1547 Whitelist -
any of T1547

Notes:
<TargetObject name="t " condition="begin with">hklm\system\currentcontrolset\Control\Lsa</TargetObject>
<TargetObject name="t " condition="contains">hkey_local_macHINE\System\CurrentControlSet\Services\W32Time\TimeProviders</TargetObject>
<TargetObject name="t " condition="contains">software\microsoft\windows NT\CurrentVersion\Image File Execution Options\LSASS.exe</TargetObject>

Rule Name:
MITRE.WIN.T RULE Boot or Logon Autostart Execution: LSASS Driver
MITRE.WIN.T RULE Boot or Logon Autostart Execution: Shortcut Modification
MITRE.WIN.T RULE Boot or Logon Autostart Execution: Port Monitors

Logic:
Whitelist -
any of T1547 Whitelist -
Event ID is any of [11] any of T1547 Whitelist -
any of T1547

Notes:
<TargetObject name="t " condition="contains">\currentcontrolset\Services\NTDS\DirectoryServiceExtPt</TargetObject>
<TargetObject name="t " condition="contains">\currentcontrolset\Services\NTDS\LsaDbExtPt</TargetObject>
In section <FileCreate
<TargetFilename name="t " condition="contains">\start Menu</TargetFilename>
<TargetObject name="t " condition="begin with">hkcu\software\microsoft\windows NT\CurrentVersion\Ports</TargetObject>
<TargetObject name="t "

Rule Name:
MITRE.WIN.T RULE Use Alternate Authentication Material: Pass the Hash
MITRE.WIN.T RULE Unsecured Credentials: Credentials In Files
MITRE.WIN.T RULE Unsecured Credentials: Credentials in Registry

Logic:
Whitelist -
any of T1550 Whitelist -
any of T1552 Whitelist -

Notes:
condition="begin with">hklm\software\microsoft\windows NT\CurrentVersion\Ports</TargetObject>
<TargetObject name="t " condition="contains">software\microsoft\windows\currentversion\policies\system\localaccounttokenfilterpolicy</TargetObject>
<OriginalFileName name="t " condition="is">where.exe</OriginalFileName>
<OriginalFileName name="t " condition="is">findstr.exe</OriginalFileName>

Rule Name:
MITRE.WIN.T RULE Subvert Trust Controls: Install Root Certificate
MITRE.WIN.T1556.RULE Modify Authentication Process

Logic:
any of T1552 Whitelist -
any of T1553 Whitelist -
any of T1556 Whitelist -

Notes:
<CommandLine name="t " condition="contains">/f password /t REG_SZ /s</CommandLine>
<TargetObject name="t " condition="contains">\microsoft\systemCertificates\Root\Certificates</TargetObject>
<TargetObject name="t " condition="begin with">hklm\software\microsoft\enterprisecertificates\root\certificates</TargetObject>
<TargetObject name="t1556" condition="contains">\system\currentcontrolset\control\lsa\notification Packages</TargetObject>

Rule Name:
MITRE.WIN.T RULE Modify Authentication Process: Domain Controller Authentication
MITRE.WIN.T RULE Modify Authentication Process: Password Filter DLL
MITRE.WIN.T RULE Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Logic:
Event ID is any of [7] any of T1556 Whitelist -
any of T1556 Whitelist -
any of T1557

Notes:
In section <ImageLoad
<TargetObject name="t " condition="contains">\system\currentcontrolset\control\lsa\notification Packages</TargetObject>
<TargetObject name="t " condition="contains">\software\policies\Microsoft\Windows NT\DNSClient</TargetObject>

Rule Name:
MITRE.WIN.T RULE Steal or Forge Kerberos Tickets: Golden Ticket
MITRE.WIN.T RULE Steal or Forge Kerberos Tickets: Silver Ticket
MITRE.WIN.T RULE Steal or Forge Kerberos Tickets: Kerberoasting

Logic:
Whitelist -
Event ID is any of [4624 or 4672 or 4634] "Target User Name" != "Logon Account Name" AQL filter query Whitelist -
Event ID is any of [4624 or 4672 or 4634] "Target User Name" != "Logon Account Name" AQL filter query Whitelist -
Event ID is any of 4769 Ticket Encryption Type (custom)

Notes:
No action required.
No action required.
No action required.

Rule Name:
MITRE.WIN.T RULE Impair Defenses: Disable Windows ging
MITRE.WIN.T RULE Remote Service Session Hijacking: RDP Hijacking
MITRE.WIN.T RULE Hijack Execution Flow:

Logic:
is any of 0x17 Whitelist -
any of T1562 Whitelist -
any of T1563 Whitelist -

Notes:
<TargetObject name="t " condition="contains all">registry\machine\system\controlset001\service\eventlog;maxsize</TargetObject>
<TargetObject name="t " condition="contains all">registry\machine\system\controlset001\service\eventlog;retention</TargetObject>
<Image name="t " condition="image">tscon.exe</Image>
<CommandLine name="t " condition="contains any">cmd.exe /k;cmd.exe /c</CommandLine>

Rule Name:
Services File Permissions Weakness
MITRE.WIN.T RULE Hijack Execution Flow: Services Registry Permissions Weakness

Logic:
Event ID is any of [11] any of T1574 Whitelist -
any of T1574 Whitelist -

Notes:
In section <FileCreate
<TargetFilename name="t " condition="begin with">c:\windows\temp\</TargetFilename>
<TargetObject name="t " condition="contains">hklm\system\currentcontrolset\services</TargetObject>


More information

How To Create An Easybelle History Database On A Microsoft Powerbook 2.5.2 (Windows)

How To Create An Easybelle History Database On A Microsoft Powerbook 2.5.2 (Windows) Introduction EASYLABEL 6 has several new features for saving the history of label formats. This history can include information about when label formats were edited and printed. In order to save this history,

More information

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

Sharp Remote Device Manager (SRDM) Server Software Setup Guide Sharp Remote Device Manager (SRDM) Server Software Setup Guide This Guide explains how to install the software which is required in order to use Sharp Remote Device Manager (SRDM). SRDM is a web-based

More information

HOW TO SILENTLY INSTALL CLOUD LINK REMOTELY WITHOUT SUPERVISION

HOW TO SILENTLY INSTALL CLOUD LINK REMOTELY WITHOUT SUPERVISION HOW TO SILENTLY INSTALL CLOUD LINK REMOTELY WITHOUT SUPERVISION Version 1.1 / Last updated November 2012 INTRODUCTION The Cloud Link for Windows client software is packaged as an MSI (Microsoft Installer)

More information

TECHNICAL DOCUMENTATION SPECOPS DEPLOY / APP 4.7 DOCUMENTATION

TECHNICAL DOCUMENTATION SPECOPS DEPLOY / APP 4.7 DOCUMENTATION TECHNICAL DOCUMENTATION SPECOPS DEPLOY / APP 4.7 DOCUMENTATION Contents 1. Getting Started... 4 1.1 Specops Deploy Supported Configurations... 4 2. Specops Deploy and Active Directory...5 3. Specops Deploy

More information

Active Directory Management. Agent Deployment Guide

Active Directory Management. Agent Deployment Guide Active Directory Management Agent Deployment Guide Document Revision Date: April 26, 2013 Active Directory Management Deployment Guide i Contents System Requirements... 1 Hardware Requirements... 2 Agent

More information

Cloud Services ADM. Agent Deployment Guide

Cloud Services ADM. Agent Deployment Guide Cloud Services ADM Agent Deployment Guide 10/15/2014 CONTENTS System Requirements... 1 Hardware Requirements... 1 Installation... 2 SQL Connection... 4 AD Mgmt Agent... 5 MMC... 7 Service... 8 License

More information

User Guide. Version R91. English

User Guide. Version R91. English AuthAnvil User Guide Version R91 English August 25, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from

More information

Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012.

Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012. Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC-110-2-029, revision 2.029, May 2012. Copyright 1995-2012 Lenel Systems International, Inc. Information

More information

TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link:

TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link: TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link: ftp://ftp.software.ibm.com/storage/tivoli-storagemanagement/maintenance/client/v6r2/windows/x32/v623/

More information

4cast Client Specification and Installation

4cast Client Specification and Installation 4cast Client Specification and Installation Version 2015.00 10 November 2014 Innovative Solutions for Education Management www.drakelane.co.uk System requirements The client requires Administrative rights

More information

Portions of this product were created using LEADTOOLS 1991-2009 LEAD Technologies, Inc. ALL RIGHTS RESERVED.

Portions of this product were created using LEADTOOLS 1991-2009 LEAD Technologies, Inc. ALL RIGHTS RESERVED. Installation Guide Lenel OnGuard 2009 Installation Guide, product version 6.3. This guide is item number DOC-110, revision 1.038, May 2009 Copyright 1992-2009 Lenel Systems International, Inc. Information

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER QUICK-START GUIDE FOR THE ENTERPRISE EDITION Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not

More information

Installation Instruction STATISTICA Enterprise Server

Installation Instruction STATISTICA Enterprise Server Installation Instruction STATISTICA Enterprise Server Notes: ❶ The installation of STATISTICA Enterprise Server entails two parts: a) a server installation, and b) workstation installations on each of

More information

HP Softpaq Download Manager and HP System Software Manager

HP Softpaq Download Manager and HP System Software Manager Technical white paper HP Softpaq Download Manager and HP System Software Manager A Powerful Combination Table of contents Executive summary... 2 Overview of HP SDM and HP SSM... 2 Use case for HP SDM and

More information

RDM+ Desktop for Windows Getting Started Guide

RDM+ Desktop for Windows Getting Started Guide RDM+ Remote Desktop for Mobiles RDM+ Desktop for Windows Getting Started Guide Introduction... 3 1. Installing RDM+ Desktop on a computer... 3 2. Preparing for remote connection... 4 3. RDM+ Desktop window...

More information

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft. . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All

More information

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved. Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,

More information

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER Notes: STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER 1. These instructions focus on installation on Windows Terminal Server (WTS), but are applicable

More information

Team Foundation Server 2013 Installation Guide

Team Foundation Server 2013 Installation Guide Team Foundation Server 2013 Installation Guide Page 1 of 164 Team Foundation Server 2013 Installation Guide Benjamin Day benday@benday.com v1.1.0 May 28, 2014 Team Foundation Server 2013 Installation Guide

More information

The safer, easier way to help you pass any IT exams. Exam : 9L0-518. OS X Server Essentials 10.8 Exam. Title : Version : Demo 1 / 6

The safer, easier way to help you pass any IT exams. Exam : 9L0-518. OS X Server Essentials 10.8 Exam. Title : Version : Demo 1 / 6 Exam : 9L0-518 Title : OS X Server Essentials 10.8 Exam Version : Demo 1 / 6 1.In Server app, which procedure will configure OS X Server to let members of a specific group use the Messages service? A.

More information

LT Auditor+ 2013. Windows Assessment SP1 Installation & Configuration Guide

LT Auditor+ 2013. Windows Assessment SP1 Installation & Configuration Guide LT Auditor+ 2013 Windows Assessment SP1 Installation & Configuration Guide Table of Contents CHAPTER 1- OVERVIEW... 3 CHAPTER 2 - INSTALL LT AUDITOR+ WINDOWS ASSESSMENT SP1 COMPONENTS... 4 System Requirements...

More information

Using Protection Engine for Cloud Services for URL Filtering, Malware Protection and Proxy Integration Hands-On Lab

Using Protection Engine for Cloud Services for URL Filtering, Malware Protection and Proxy Integration Hands-On Lab Using Protection Engine for Cloud Services for URL Filtering, Malware Protection and Proxy Integration Hands-On Lab Description In this hands-on session, you will learn how to turn your proxy into a security

More information

To install Multifront you need to have familiarity with Internet Information Services (IIS), Microsoft.NET Framework and SQL Server 2008.

To install Multifront you need to have familiarity with Internet Information Services (IIS), Microsoft.NET Framework and SQL Server 2008. Znode Multifront - Installation Guide Version 6.2 1 System Requirements To install Multifront you need to have familiarity with Internet Information Services (IIS), Microsoft.NET Framework and SQL Server

More information

DESKTOP CLIENT CONFIGURATION GUIDE BUSINESS EMAIL

DESKTOP CLIENT CONFIGURATION GUIDE BUSINESS EMAIL DESKTOP CLIENT CONFIGURATION GUIDE BUSINESS EMAIL Version 2.0 Updated: March 2011 Contents 1. Mac Email Clients... 3 1.1 Configuring Microsoft Outlook 2011... 3 1.2 Configuring Entourage 2008... 4 1.3.

More information

Active Directory Management. Agent Deployment Guide

Active Directory Management. Agent Deployment Guide Active Directory Management Agent Deployment Guide Document Revision Date: June 12, 2014 Active Directory Management Deployment Guide i Contents System Requirements...1 Hardware Requirements...1 Installation...3

More information

Insight Video Net. LLC. CMS 2.0. Quick Installation Guide

Insight Video Net. LLC. CMS 2.0. Quick Installation Guide Insight Video Net. LLC. CMS 2.0 Quick Installation Guide Table of Contents 1. CMS 2.0 Installation 1.1. Software Required 1.2. Create Default Directories 1.3. Create Upload User Account 1.4. Installing

More information

NSi Mobile Installation Guide. Version 6.2

NSi Mobile Installation Guide. Version 6.2 NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...

More information

Case Closed Installation and Setup

Case Closed Installation and Setup 1 Case Closed Installation and Setup Contents Installation Overview...2 Microsoft SQL Server Installation...3 Case Closed Software Installation...5 Register OCX for Printing...6 External Programs...7 Automatic

More information

Avalanche Site Edition

Avalanche Site Edition Avalanche Site Edition Version 4.8 avse ug 48 20090325 Revised 03/20/2009 ii Copyright 2008 by Wavelink Corporation All rights reserved. Wavelink Corporation 6985 South Union Park Avenue, Suite 335 Midvale,

More information

DC Agent Troubleshooting

DC Agent Troubleshooting DC Agent Troubleshooting Topic 50320 DC Agent Troubleshooting Web Security Solutions v7.7.x, 7.8.x 27-Mar-2013 This collection includes the following articles to help you troubleshoot DC Agent installation

More information

ISL Online Integration Manual

ISL Online Integration Manual Contents 2 Table of Contents Foreword Part I Overview Part II 0 3 4... 1 Dow nload and prepare 4... 2 Enable the ex ternal ID column on ISL Conference Prox y 4... 3 Deploy w eb content 5... 4 Add items

More information

DiskPulse DISK CHANGE MONITOR

DiskPulse DISK CHANGE MONITOR DiskPulse DISK CHANGE MONITOR User Manual Version 7.9 Oct 2015 www.diskpulse.com info@flexense.com 1 1 DiskPulse Overview...3 2 DiskPulse Product Versions...5 3 Using Desktop Product Version...6 3.1 Product

More information

IBM WebSphere Application Server Version 7.0

IBM WebSphere Application Server Version 7.0 IBM WebSphere Application Server Version 7.0 Centralized Installation Manager for IBM WebSphere Application Server Network Deployment Version 7.0 Note: Before using this information, be sure to read the

More information

Active Directory Adapter with 64-bit Support Installation and Configuration Guide

Active Directory Adapter with 64-bit Support Installation and Configuration Guide IBM Security Identity Manager Version 6.0 Active Directory Adapter with 64-bit Support Installation and Configuration Guide SC27-4384-02 IBM Security Identity Manager Version 6.0 Active Directory Adapter

More information

DriveLock Quick Start Guide

DriveLock Quick Start Guide Be secure in less than 4 hours CenterTools Software GmbH 2012 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise

More information

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac Making it easy to deploy, integrate and manage Macs, iphones and ipads in a Windows environment. Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac 2011 ENTERPRISE DEVICE

More information

2X ApplicationServer & LoadBalancer Manual

2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Contents 1 URL: www.2x.com E-mail: info@2x.com Information in this document is subject to change without notice. Companies,

More information

Setting up Citrix XenServer for 2X VirtualDesktopServer Manual

Setting up Citrix XenServer for 2X VirtualDesktopServer Manual Setting up Citrix XenServer for 2X VirtualDesktopServer Manual URL: www.2x.com E-mail: info@2x.com Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

To add Citrix XenApp Client Setup for home PC/Office using the 32bit Windows client.

To add Citrix XenApp Client Setup for home PC/Office using the 32bit Windows client. I. PURPOSE To add Citrix XenApp Client Setup for home PC/Office using the 32bit Windows client. II. POLICY: Network Request form must be sent from MIS staff to HCN Hardware Support requesting Citrix XenApp

More information

Ipswitch Client Installation Guide

Ipswitch Client Installation Guide IPSWITCH TECHNICAL BRIEF Ipswitch Client Installation Guide In This Document Installing on a Single Computer... 1 Installing to Multiple End User Computers... 5 Silent Install... 5 Active Directory Group

More information

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V Connection Broker Managing User Connections to Workstations, Blades, VDI, and More Quick Start with Microsoft Hyper-V Version 8.1 October 21, 2015 Contacting Leostream Leostream Corporation http://www.leostream.com

More information

STATISTICA VERSION 10 STATISTICA ENTERPRISE SERVER INSTALLATION INSTRUCTIONS

STATISTICA VERSION 10 STATISTICA ENTERPRISE SERVER INSTALLATION INSTRUCTIONS Notes: STATISTICA VERSION 10 STATISTICA ENTERPRISE SERVER INSTALLATION INSTRUCTIONS 1. The installation of the STATISTICA Enterprise Server entails two parts: a) a server installation, and b) workstation

More information

Using TS-ACCESS for Remote Desktop Access

Using TS-ACCESS for Remote Desktop Access Using TS-ACCESS for Remote Desktop Access Introduction TS-ACCESS is a remote desktop access feature available to CUA faculty and staff who need to access administrative systems or other computing resources

More information

Thinspace deskcloud. Quick Start Guide

Thinspace deskcloud. Quick Start Guide Thinspace deskcloud Quick Start Guide Version 1.2 Published: SEP-2014 Updated: 16-SEP-2014 2014 Thinspace Technology Ltd. All rights reserved. The information contained in this document represents the

More information

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client. WatchGuard SSL v3.2 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 355419 Revision Date January 28, 2013 Introduction WatchGuard is pleased to announce the release of WatchGuard

More information

SERVER CLOUD DISASTER RECOVERY. User Manual

SERVER CLOUD DISASTER RECOVERY. User Manual SERVER CLOUD DISASTER RECOVERY User Manual 1 Table of Contents 1. INTRODUCTION... 3 2. ACCOUNT SETUP OVERVIEW... 3 3. GETTING STARTED... 6 3.1 Sign up... 6 4. ACCOUNT SETUP... 8 4.1 AWS Cloud Formation

More information

1 Intel Smart Connect Technology Installation Guide:

1 Intel Smart Connect Technology Installation Guide: 1 Intel Smart Connect Technology Installation Guide: 1.1 System Requirements The following are required on a system: System BIOS supporting and enabled for Intel Smart Connect Technology Microsoft* Windows*

More information

WhatsUp Gold v16.3 Installation and Configuration Guide

WhatsUp Gold v16.3 Installation and Configuration Guide WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard

More information

Microsoft Corporation. Project Server 2010 Installation Guide

Microsoft Corporation. Project Server 2010 Installation Guide Microsoft Corporation Project Server 2010 Installation Guide Office Asia Team 11/4/2010 Table of Contents 1. Prepare the Server... 2 1.1 Install KB979917 on Windows Server... 2 1.2 Creating users and groups

More information

Symantec PGP Whole Disk Encryption Hands-On Lab V 3.7

Symantec PGP Whole Disk Encryption Hands-On Lab V 3.7 Symantec PGP Whole Disk Encryption Hands-On Lab V 3.7 Description This hands-on lab session covers the hard drive encryption technologies from PGP. Students will administer a typical Whole Disk Encryption

More information

IBM Connections Plug-In for Microsoft Outlook Installation Help

IBM Connections Plug-In for Microsoft Outlook Installation Help IBM Connections Version 5 IBM Connections Plug-In for Microsoft Outlook Installation Help Edition Notice Note: Before using this information and the product it supports, read the information in "Notices."

More information

Hands on Lab: Building a Virtual Machine and Uploading VM Images to the Cloud using Windows Azure Infrastructure Services

Hands on Lab: Building a Virtual Machine and Uploading VM Images to the Cloud using Windows Azure Infrastructure Services Hands on Lab: Building a Virtual Machine and Uploading VM Images to the Cloud using Windows Azure Infrastructure Services Windows Azure Infrastructure Services provides cloud based storage, virtual networks

More information

Manage Traps in a VDI Environment. Traps Administrator s Guide. Version 3.3. Copyright 2007-2015 Palo Alto Networks

Manage Traps in a VDI Environment. Traps Administrator s Guide. Version 3.3. Copyright 2007-2015 Palo Alto Networks Manage Traps in a VDI Environment Traps Administrator s Guide Version 3.3 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Using Logon Agent for Transparent User Identification

Using Logon Agent for Transparent User Identification Using Logon Agent for Transparent User Identification Websense Logon Agent (also called Authentication Server) identifies users in real time, as they log on to domains. Logon Agent works with the Websense

More information

NovaBACKUP xsp Version 15.0 Upgrade Guide

NovaBACKUP xsp Version 15.0 Upgrade Guide NovaBACKUP xsp Version 15.0 Upgrade Guide NovaStor / November 2013 2013 NovaStor, all rights reserved. All trademarks are the property of their respective owners. Features and specifications are subject

More information

For Active Directory Installation Guide

For Active Directory Installation Guide For Active Directory Installation Guide Version 2.5.2 April 2010 Copyright 2010 Legal Notices makes no representations or warranties with respect to the contents or use of this documentation, and specifically

More information

RBackup Server Installation and Setup Instructions and Worksheet. Read and comply with Installation Prerequisites (In this document)

RBackup Server Installation and Setup Instructions and Worksheet. Read and comply with Installation Prerequisites (In this document) RBackup Server Installation and Setup Instructions and Worksheet Fill out the Installation Worksheet. (In this document) Read and comply with Installation Prerequisites (In this document) Review the Partner

More information

2X ApplicationServer & LoadBalancer Manual

2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Contents 1 URL: www.2x.com E-mail: info@2x.com Information in this document is subject to change without notice. Companies,

More information

Application Server Installation

Application Server Installation Application Server Installation Guide ARGUS Enterprise 11.0 11/25/2015 ARGUS Software An Altus Group Company Application Server Installation ARGUS Enterprise Version 11.0 11/25/2015 Published by: ARGUS

More information

Portions of this product were created using LEADTOOLS 1991-2010 LEAD Technologies, Inc. ALL RIGHTS RESERVED.

Portions of this product were created using LEADTOOLS 1991-2010 LEAD Technologies, Inc. ALL RIGHTS RESERVED. Installation Guide Lenel OnGuard 2010 Installation Guide, product version 6.4. This guide is item number DOC-110, revision 1.045, May 2010 Copyright 1995-2010 Lenel Systems International, Inc. Information

More information

Adaptive Log Exporter Users Guide

Adaptive Log Exporter Users Guide IBM Security QRadar Version 7.1.0 (MR1) Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page page 119. Copyright IBM Corp. 2012,

More information

LepideAuditor Suite for File Server. Installation and Configuration Guide

LepideAuditor Suite for File Server. Installation and Configuration Guide LepideAuditor Suite for File Server Installation and Configuration Guide Table of Contents 1. Introduction... 4 2. Requirements and Prerequisites... 4 2.1 Basic System Requirements... 4 2.2 Supported Servers

More information

QRadar SIEM 7.2 Windows Event Collection Overview

QRadar SIEM 7.2 Windows Event Collection Overview QRadar Open Mic Webcast #3 August 26, 2014 QRadar SIEM 7.2 Windows Event Collection Overview Panelists Aaron Breen QRadar World-wide Support Leader Adam Frank Principal Solutions Architect Jonathan Pechta

More information

BDR for ShadowProtect Solution Guide and Best Practices

BDR for ShadowProtect Solution Guide and Best Practices BDR for ShadowProtect Solution Guide and Best Practices Updated September 2015 - i - Table of Contents Process Overview... 3 1. Assess backup requirements... 4 2. Provision accounts... 4 3. Install ShadowProtect...

More information

User Manual. Version 3.12. connmove GmbH Version: 3.12. www.connmove.de Seite 1 von 33

User Manual. Version 3.12. connmove GmbH Version: 3.12. www.connmove.de Seite 1 von 33 User Manual Version 3.12 connmove GmbH Version: 3.12 www.connmove.de Seite 1 von 33 Table of Contents Introduction... 4 cmwatcher Blog... 4 System Requirements... 4 Architecture Recommendations... 5 Integration

More information

InventoryControl for use with QuoteWerks Quick Start Guide

InventoryControl for use with QuoteWerks Quick Start Guide InventoryControl for use with QuoteWerks Quick Start Guide Copyright 2013 Wasp Barcode Technologies 1400 10 th St. Plano, TX 75074 All Rights Reserved STATEMENTS IN THIS DOCUMENT REGARDING THIRD PARTY

More information

Extreme Networks Security Vulnerability Assessment Configuration Guide

Extreme Networks Security Vulnerability Assessment Configuration Guide Extreme Networks Security Vulnerability Assessment Configuration Guide 9034869 Published July 2015 Copyright 2007 2015 All rights reserved. Legal Notice Extreme Networks, Inc. reserves the right to make

More information

Information Assurance Directorate

Information Assurance Directorate National Security Agency/Central Security Service Information Assurance Directorate Spotting the Adversary with Windows Event Log Monitoring February 28, 2013 A product of the Network Components and Applications

More information

SHAREPOINT 2013 IN INFRASTRUCTURE AS A SERVICE

SHAREPOINT 2013 IN INFRASTRUCTURE AS A SERVICE SHAREPOINT 2013 IN INFRASTRUCTURE AS A SERVICE Contents Introduction... 3 Step 1 Create Azure Components... 5 Step 1.1 Virtual Network... 5 Step 1.1.1 Virtual Network Details... 6 Step 1.1.2 DNS Servers

More information

Optimization in a Secure Windows Environment

Optimization in a Secure Windows Environment WHITE PAPER Optimization in a Secure Windows Environment A guide to the preparation, configuration and troubleshooting of Riverbed Steelhead appliances for Signed SMB and Encrypted MAPI September 2013

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

CONNECT-TO-CHOP USER GUIDE

CONNECT-TO-CHOP USER GUIDE CONNECT-TO-CHOP USER GUIDE VERSION V8 Table of Contents 1 Overview... 3 2 Requirements... 3 2.1 Security... 3 2.2 Computer... 3 2.3 Application... 3 2.3.1 Web Browser... 3 2.3.2 Prerequisites... 3 3 Logon...

More information

70-685: Enterprise Desktop Support Technician

70-685: Enterprise Desktop Support Technician 70-685: Enterprise Desktop Support Technician Course Introduction Course Introduction Chapter 01 - Identifying Cause and Resolving Desktop Application Issues Identifying Cause and Resolving Desktop Application

More information

Livezilla How to Install on Shared Hosting http://www.jonathanmanning.com By: Jon Manning

Livezilla How to Install on Shared Hosting http://www.jonathanmanning.com By: Jon Manning Livezilla How to Install on Shared Hosting By: Jon Manning This is an easy to follow tutorial on how to install Livezilla 3.2.0.2 live chat program on a linux shared hosting server using cpanel, linux

More information

Integrating Trend Micro OfficeScan 10 EventTracker v7.x

Integrating Trend Micro OfficeScan 10 EventTracker v7.x Integrating Trend Micro OfficeScan 10 EventTracker v7.x Publication Date: August 26, 2015 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide will help you in

More information

NovaBACKUP xsp Version 12.2 Upgrade Guide

NovaBACKUP xsp Version 12.2 Upgrade Guide NovaBACKUP xsp Version 12.2 Upgrade Guide NovaStor / August 2011 Rev 20110815 2011 NovaStor, all rights reserved. All trademarks are the property of their respective owners. Features and specifications

More information

Administering Jive for Outlook

Administering Jive for Outlook Administering Jive for Outlook TOC 2 Contents Administering Jive for Outlook...3 System Requirements...3 Installing the Plugin... 3 Installing the Plugin... 3 Client Installation... 4 Resetting the Binaries...4

More information

Deploying System Center 2012 R2 Configuration Manager

Deploying System Center 2012 R2 Configuration Manager Deploying System Center 2012 R2 Configuration Manager This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

More information

2X ApplicationServer & LoadBalancer & VirtualDesktopServer Manual

2X ApplicationServer & LoadBalancer & VirtualDesktopServer Manual 2X ApplicationServer & LoadBalancer & VirtualDesktopServer Manual 2X VirtualDesktopServer Contents 1 2X VirtualDesktopServer Contents 2 URL: www.2x.com E-mail: info@2x.com Information in this document

More information

Migrating TimeForce To A New Server

Migrating TimeForce To A New Server Rev. 4/28/14 Migrating TimeForce To A New Server Table of Contents 1. Installation Prerequisites... 2 Required... 2 Recommended... 3 2. Update to a Migration Compatible Version... 3 Determine the Database

More information

SPECOPS DEPLOY / OS 4.6 DOCUMENTATION

SPECOPS DEPLOY / OS 4.6 DOCUMENTATION Technical documentation: SPECOPS DEPLOY / OS 4.6 DOCUMENTATION By Shay Byrne, Product Manager 1 Getting Started... 4 1.1 Specops Deploy / OS Supported Configurations...4 1.2 Specops Deploy and Active Directory...

More information

Advanced Configuration Steps

Advanced Configuration Steps Advanced Configuration Steps After you have downloaded a trial, you can perform the following from the Setup menu in the MaaS360 portal: Configure additional services Configure device enrollment settings

More information

Training Guide: Configuring Windows8 8

Training Guide: Configuring Windows8 8 Training Guide: Configuring Windows8 8 Scott D. Lowe Derek Schauland Rick W. Vanover Introduction System requirements Practice setup instructions Acknowledgments Errata & book support We want to hear from

More information

Advanced Event Viewer Manual

Advanced Event Viewer Manual Advanced Event Viewer Manual Document version: 2.2944.01 Download Advanced Event Viewer at: http://www.advancedeventviewer.com Page 1 Introduction Advanced Event Viewer is an award winning application

More information

Enterprise Vault Installing and Configuring

Enterprise Vault Installing and Configuring Enterprise Vault Installing and Configuring Enterprise Vault 6.0 Legal Notice Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, VERITAS, the VERITAS Logo, and Enterprise

More information

Virtual Office Remote Installation Guide

Virtual Office Remote Installation Guide Virtual Office Remote Installation Guide Table of Contents VIRTUAL OFFICE REMOTE INSTALLATION GUIDE... 3 UNIVERSAL PRINTER CONFIGURATION INSTRUCTIONS... 12 CHANGING DEFAULT PRINTERS ON LOCAL SYSTEM...

More information