by gerdesj 1226 days ago
"it is unclear how this access was achieved"

Not a good line in a write up like this. Windows does write and store an awful lot of logs by default. However, thanks to circular logging with log sizes from the 1990s on critical logs, you can easily lose information.

I can't remember what the defaults are (connects to 2016 AD DC) ... 20Mb for %SystemRoot%\System32\Winevt\Logs\Security.evtx . On a tiddly setup like mine (20-odd users), that will last ... less than a day.

I ship the logs elsewhere for proper evaluation etc. but 20Mb? Yes, you can fiddle with the default sizes via group policy and you probably should, but 20Mb really is from the 1990s. OK so all the "core" logs seem to be 20Mb each and there are the rest under /Microsoft/Windows with varying sizes. I probably ought to look at what a PC logs these days - probably the same silly sizes.


My desktop has a 20MB security log that goes back 16 days, which seems like enough. If anything, stop spamming tens to hundreds of duplicate messages when credentials are read or group membership is enumerated.

System has 8 months, application has 10 months, and setup has 26 months.

Yes (20Mb), but so do AD DCs, which is frankly lazy on MS devs' part. If a DC is such a big deal that it requires rather more cash to buy than a "workstation" edition of Windows, then I'd like to see more attention to detail.

By contrast a Linux box running systemd/journald by default will leave 10% disc space free when logging. That's enough to keep a filesystem honest!

20Mb on a DC - even one for a small site like mine - will cycle quite often.

I really recommend that you extend your logs to cover six months or more. It will cost you maybe a gigabyte or 10. Very little these days (my first HD was 20MB, yes: megabytes). However, if you need to get some details from the past - very handy.
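Checking how far back each core log actually reaches at its current cap, and projecting the size a six-month window would need, as an added PowerShell example that is not part of the thread. The 180-day target, the 256 MB floor and the `$Apply` switch are assumptions; reading the Security log needs an elevated prompt.

```powershell
# Added example, not from the thread. Measures the window each circular log still
# covers and projects the maximum size needed for a target retention period.
$TargetDays = 180                      # assumed target: the six months recommended above
$MinMB      = 256                      # assumed floor so a quiet log still gets a sane cap
$Apply      = $false                   # set to $true (elevated) to actually raise the caps
$Logs       = 'Security', 'System', 'Application'

function Get-LogRetentionReport {
    param([string[]]$LogName, [int]$Days)
    foreach ($name in $LogName) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction Stop
        # The oldest and newest surviving records bound what the log can still answer for
        $oldest = Get-WinEvent -LogName $name -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
        $newest = Get-WinEvent -LogName $name -MaxEvents 1 -ErrorAction SilentlyContinue
        if (-not $oldest -or -not $newest) { continue }   # empty log or access denied
        $spanDays = ($newest.TimeCreated - $oldest.TimeCreated).TotalDays
        if ($spanDays -lt 1) { $spanDays = 1 }             # less than a day: treat as one
        # Growth rate is what the log currently holds divided by the days it spans;
        # on a full circular log that is the steady-state write rate.
        $bytesPerDay = $cfg.FileSize / $spanDays
        [pscustomobject]@{
            Log         = $name
            Mode        = $cfg.LogMode
            MaxMB       = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
            UsedMB      = [math]::Round($cfg.FileSize / 1MB, 1)
            Records     = $cfg.RecordCount
            DaysCovered = [math]::Round($spanDays, 1)
            TargetDays  = $Days
            NeededMB    = [math]::Ceiling($bytesPerDay * $Days / 1MB)
        }
    }
}

$report = Get-LogRetentionReport -LogName $Logs -Days $TargetDays
$report | Format-Table -AutoSize

foreach ($r in $report) {
    $newMB = [math]::Max($r.NeededMB, $MinMB)
    if ($r.MaxMB -ge $newMB) { continue }               # already large enough
    $cmd = "wevtutil sl $($r.Log) /ms:$([int64]$newMB * 1MB)"
    if ($Apply) { Invoke-Expression $cmd } else { "Would run: $cmd" }
}
```

On a fleet the same cap belongs in Group Policy (Event Log Service settings) rather than in per-host wevtutil calls; the report is still useful for choosing the number.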

It's absolutely not enough for APT investigation. Average attack lengths are in months; infections sometimes span multiple years. Especially since we're talking about a backdoor (ransomware operators tend to move more quickly).

It's not enough for that, but that bar is too high. Unless the logs are very small, you should not be keeping years of them. I still say 20MB is enough for a desktop.

Depends on the desktop. Mine does quite a lot of stuff. /var/log is 8.3Gb and the journal is probably a monster.

Your use case is probably different to mine - I'm a security officer for my firm.

Analyses like this are not usually performed by insiders. People that write them are external researchers (in this case, Symantec's) that have limited (or zero) insight into actual logs on the target system. There is some coordination with the attacked organisation, but requesting "please find the attack vector for us" or "just send us all your logs" is out of the question. So, unless the attack is really high profile, sometimes it's easier to just accept that you don't know something.