Merge branch 'enrichments_rendering' into 'develop'

Enrichments rendering

See merge request krakow2600/atomic-threat-coverage!21
Mateusz 2019-02-09 16:09:41 +00:00
commit 29c7b1780a
69 changed files with 1350 additions and 559 deletions


@ -1,12 +1,12 @@
| Title | DN_0001_4688_windows_process_creation |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows process creation log, not including command line. |
| Description | Windows process creation log, not including command line |
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Username</li><li>UserSid</li><li>ProcessPid</li><li>ProcessId</li><li>ThreadID</li><li>ProcessName</li><li>NewProcessName</li><li>Image</li><li>ParentImage</li><li>ParentProcessPid</li><li>ParentProcessName</li><li>MandatoryLabel</li><li>TokenElevationType</li><li>LogonId</li></ul> |
@ -16,37 +16,37 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" />
<EventRecordID>2814</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="400" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" />
<EventRecordID>2814</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="400" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessId">0x2bc</Data>
<Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="TokenElevationType">%%1938</Data>
<Data Name="ProcessId">0xe74</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x4a5af0</Data>
<Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="MandatoryLabel">S-1-16-8192</Data>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessId">0x2bc</Data>
<Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="TokenElevationType">%%1938</Data>
<Data Name="ProcessId">0xe74</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x4a5af0</Data>
<Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="MandatoryLabel">S-1-16-8192</Data>
</EventData>
</Event>


@ -1,13 +1,13 @@
| Title | DN_0002_4688_windows_process_creation_with_commandline |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows process creation log, including command line. |
| Description | Windows process creation log, including command line |
| Logging Policy | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Username</li><li>UserSid</li><li>ProcessPid</li><li>ProcessId</li><li>ThreadID</li><li>ProcessName</li><li>NewProcessName</li><li>Image</li><li>CommandLine</li><li>ProcessCommandLine</li><li>ParentProcessPid</li><li>ParentImage</li><li>ParentProcessName</li><li>MandatoryLabel</li><li>TokenElevationType</li><li>LogonId</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Username</li><li>UserSid</li><li>ProcessPid</li><li>ProcessId</li><li>ThreadID</li><li>ProcessName</li><li>NewProcessName</li><li>Image</li><li>CommandLine</li><li>ProcessCommandLine</li><li>ProcesssCommandLine</li><li>ParentProcessPid</li><li>ParentImage</li><li>ParentProcessName</li><li>MandatoryLabel</li><li>TokenElevationType</li><li>LogonId</li></ul> |
## Log Samples
@ -17,39 +17,39 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-02-06T20:34:57.910980700Z" />
<EventRecordID>3542561</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="92" />
<Channel>Security</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security />
</System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-02-06T20:34:57.910980700Z" />
<EventRecordID>3542561</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="92" />
<Channel>Security</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-540864798-2899685673-3651185163-500</Data>
<Data Name="SubjectUserName">user1</Data>
<Data Name="SubjectDomainName">atc-win-10</Data>
<Data Name="SubjectLogonId">0xcdd96</Data>
<Data Name="NewProcessId">0x12d0</Data>
<Data Name="NewProcessName">C:\Users\user1\Desktop\PSTools\PsExec64.exe</Data>
<Data Name="TokenElevationType">%%1936</Data>
<Data Name="ProcessId">0x21d4</Data>
<Data Name="CommandLine">PsExec64.exe -i -s -d cmd</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="TargetDomainName">-</Data>
<Data Name="TargetLogonId">0x0</Data>
<Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="MandatoryLabel">S-1-16-12288</Data>
</EventData>
</Event>
<Data Name="SubjectUserSid">S-1-5-21-540864798-2899685673-3651185163-500</Data>
<Data Name="SubjectUserName">user1</Data>
<Data Name="SubjectDomainName">atc-win-10</Data>
<Data Name="SubjectLogonId">0xcdd96</Data>
<Data Name="NewProcessId">0x12d0</Data>
<Data Name="NewProcessName">C:\Users\user1\Desktop\PSTools\PsExec64.exe</Data>
<Data Name="TokenElevationType">%%1936</Data>
<Data Name="ProcessId">0x21d4</Data>
<Data Name="CommandLine">PsExec64.exe -i -s -d cmd</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="TargetDomainName">-</Data>
<Data Name="TargetLogonId">0x0</Data>
<Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="MandatoryLabel">S-1-16-12288</Data>
</EventData>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0003_1_windows_sysmon_process_creation |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Windows process creation log, including command line. |
| Description | Windows process creation log, including command line |
| Logging Policy | <ul><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Hostname</li><li>Username</li><li>ProcessGuid</li><li>ProcessId</li><li>ThreadID</li><li>ProcessName</li><li>CommandLine</li><li>LogonGuid</li><li>LogonId</li><li>TerminalSessionid</li><li>IntegrityLevel</li><li>Imphash</li><li>Sha256hash</li><li>Sha1hash</li><li>Md5hash</li><li>Image</li><li>ParentImage</li><li>ParentProcessGuid</li><li>ParentProcessId</li><li>ParentProcessName</li><li>ParentCommandLine</li></ul> |
@ -16,7 +16,7 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>1</EventID>
<Version>5</Version>
@ -32,7 +32,7 @@
<Computer>test.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="UtcTime">2017-04-28 22:08:22.025</Data>
<Data Name="ProcessGuid">{A23EAE89-BD56-5903-0000-0010E9D95E00}</Data>
<Data Name="ProcessId">6228</Data>


@ -1,12 +1,12 @@
| Title | DN_0004_4624_windows_account_logon |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | An account was successfully logged on. |
| Description | An account was successfully logged on |
| Logging Policy | <ul><li>[LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>AccountName</li><li>Hostname</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetLogonId</li><li>LogonType</li><li>LogonProcessName</li><li>AuthenticationPackageName</li><li>WorkstationName</li><li>LogonGuid</li><li>TransmittedServices</li><li>LmPackageName</li><li>KeyLength</li><li>ProcessId</li><li>ThreadID</li><li>ProcessName</li><li>IpAddress</li><li>IpPort</li><li>ImpersonationLevel</li><li>RestrictedAdminMode</li><li>TargetOutboundUserName</li><li>TargetOutboundDomainName</li><li>VirtualAccount</li><li>TargetLinkedLogonId</li><li>ElevatedToken</li></ul> |
@ -31,7 +31,7 @@
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO</Computer>
<Security />
</System>
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
@ -60,8 +60,8 @@
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>
</EventData>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0005_7045_windows_service_insatalled |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | A service was installed in the system. |
| Logging Policy | <ul><li>[N](../Logging_Policies/N.md)</li><li>[o](../Logging_Policies/o.md)</li><li>[n](../Logging_Policies/n.md)</li><li>[e](../Logging_Policies/e.md)</li></ul> |
| References | <ul><li>[N](N)</li><li>[o](o)</li><li>[n](n)</li><li>[e](e)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | System |
| Provider | Service Control Manager |
| Description | A service was installed in the system |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[None](None)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | System |
| Provider | Service Control Manager |
| Fields | <ul><li>EventID</li><li>ProcessID</li><li>ThreadID</li><li>ServiceName</li><li>ImagePath</li><li>ServiceFileName</li><li>ServiceType</li><li>StartType</li><li>AccountName</li><li>UserSid</li><li>Computer</li></ul> |


@ -3,10 +3,10 @@
| Description | Explicit modification of file creation timestamp by a process |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li><li>PreviousCreationUtcTime</li></ul> |
@ -17,32 +17,31 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>2</EventID>
<Version>4</Version>
<Level>4</Level>
<Task>2</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-12-10T15:08:56.961102400Z" />
<EventRecordID>6994</EventRecordID>
<Correlation />
<Execution ProcessID="2940" ThreadID="3576" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>2</EventID>
<Version>4</Version>
<Level>4</Level>
<Task>2</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-07-30T23:26:47.322369100Z" />
<EventRecordID>5256170</EventRecordID>
<Correlation />
<Execution ProcessID="4740" ThreadID="5948" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2018-12-10 15:08:56.954</Data>
<Data Name="ProcessGuid">{9683FBB1-8164-5C0E-0000-00104B532800}</Data>
<Data Name="ProcessId">2788</Data>
<Data Name="Image">C:\Users\user1\AppData\Local\Temp\chocolatey\wireshark\2.6.5\Wireshark-win64-2.6.5.exe</Data>
<Data Name="TargetFilename">C:\Program Files\Wireshark\user-guide.chm</Data>
<Data Name="CreationUtcTime">2018-11-28 18:37:08.000</Data>
<Data Name="PreviousCreationUtcTime">2018-12-10 15:08:56.486</Data>
</EventData>
</Event>
<Data Name="UtcTime">2017-07-30 23:26:47.321</Data>
<Data Name="ProcessGuid">{A23EAE89-EF48-5978-0000-00104832B112}</Data>
<Data Name="ProcessId">25968</Data>
<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
<Data Name="TargetFilename">C:\Users\rsmith.LAB\AppData\Local\Google\Chrome\User Data\Default\c61f44ce-5bb0-4efe-acc1-246fa8a3df1d.tmp</Data>
<Data Name="CreationUtcTime">2016-11-25 18:21:47.692</Data>
<Data Name="PreviousCreationUtcTime">2017-07-30 23:26:47.317</Data>
</EventData>
</Event>
```


@ -3,10 +3,10 @@
| Description | TCP/UDP connections made by a process |
| Logging Policy | <ul><li>[LP_0005_windows_sysmon_network_connection](../Logging_Policies/LP_0005_windows_sysmon_network_connection.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>User</li><li>Protocol</li><li>Initiated</li><li>SourceIsIpv6</li><li>SourceIp</li><li>SourceHostname</li><li>SourcePort</li><li>SourcePortName</li><li>DestinationIsIpv6</li><li>DestinationIp</li><li>DestinationHostname</li><li>DestinationPort</li><li>DestinationPortName</li></ul> |
@ -17,42 +17,41 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T15:16:29.384924000Z" />
<EventRecordID>16000</EventRecordID>
<Correlation />
<Execution ProcessID="1828" ThreadID="2764" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>ATC-WIN-7.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:12:23.657698300Z" />
<EventRecordID>10953</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3976" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 15:16:17.411</Data>
<Data Name="ProcessGuid">{A96EFBF1-A8C9-5C59-0000-0010D274D300}</Data>
<Data Name="ProcessId">3900</Data>
<Data Name="Image">C:\Users\user1\Desktop\SysinternalsSuite\PsExec.exe</Data>
<Data Name="User">ATC-WIN-7\user1</Data>
<Data Name="Protocol">tcp</Data>
<Data Name="Initiated">true</Data>
<Data Name="SourceIsIpv6">false</Data>
<Data Name="SourceIp">10.0.0.111</Data>
<Data Name="SourceHostname">ATC-WIN-7.atc.local</Data>
<Data Name="SourcePort">49603</Data>
<Data Name="SourcePortName" />
<Data Name="DestinationIsIpv6">false</Data>
<Data Name="DestinationIp">10.0.0.103</Data>
<Data Name="DestinationHostname">ATC-WIN-10</Data>
<Data Name="DestinationPort">135</Data>
<Data Name="DestinationPortName">epmap</Data>
</EventData>
</Event>
<Data Name="UtcTime">2017-04-28 22:12:22.557</Data>
<Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-00102F345D00}</Data>
<Data Name="ProcessId">13220</Data>
<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
<Data Name="User">LAB\rsmith</Data>
<Data Name="Protocol">tcp</Data>
<Data Name="Initiated">true</Data>
<Data Name="SourceIsIpv6">false</Data>
<Data Name="SourceIp">192.168.1.250</Data>
<Data Name="SourceHostname">rfsH.lab.local</Data>
<Data Name="SourcePort">3328</Data>
<Data Name="SourcePortName"></Data>
<Data Name="DestinationIsIpv6">false</Data>
<Data Name="DestinationIp">104.130.229.150</Data>
<Data Name="DestinationHostname"></Data>
<Data Name="DestinationPort">443</Data>
<Data Name="DestinationPortName">https</Data>
</EventData>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0007_windows_sysmon_sysmon_service_state_changed_4 |
| Title | DN_0008_4_windows_sysmon_sysmon_service_state_changed |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Sysmon service changed status |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>State</li></ul> |
@ -17,28 +17,28 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>4</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:11:20.289486200Z" />
<EventRecordID>45818</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>4</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:52:20.883759300Z" />
<EventRecordID>16761</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3220" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2019-02-05 13:11:20.281</Data>
<Data Name="State">Started</Data>
<Data Name="Version">8.00</Data>
<Data Name="SchemaVersion">4.10</Data>
</EventData>
</Event>
<Data Name="UtcTime">2017-04-28 22:52:20.883</Data>
<Data Name="State">Stopped</Data>
<Data Name="Version">6.01</Data>
<Data Name="SchemaVersion">3.30</Data>
</EventData>
</Event>
```


@ -3,10 +3,10 @@
| Description | Process has been terminated |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li></ul> |
@ -17,29 +17,28 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>5</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T15:16:38.833314100Z" />
<EventRecordID>57994</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>5</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:13:20.896253900Z" />
<EventRecordID>11235</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3964" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 15:16:38.821</Data>
<Data Name="ProcessGuid">{9683FBB1-A8D6-5C59-0000-001009797000}</Data>
<Data Name="ProcessId">2440</Data>
<Data Name="Image">C:\Windows\PSEXESVC.exe</Data>
</EventData>
</Event>
<Data Name="UtcTime">2017-04-28 22:13:20.895</Data>
<Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-001009665D00}</Data>
<Data Name="ProcessId">12684</Data>
<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
</EventData>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0010_6_windows_sysmon_driver_loaded |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information |
| Description | The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ImageLoaded</li><li>Hashes</li><li>Signed</li><li>Signature</li><li>SignatureStatus</li></ul> |
@ -17,31 +17,31 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>6</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>6</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-12-09T21:41:44.778524700Z" />
<EventRecordID>4565</EventRecordID>
<Correlation />
<Execution ProcessID="2996" ThreadID="3992" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>6</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>6</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-12-09T21:41:44.778524700Z" />
<EventRecordID>4565</EventRecordID>
<Correlation />
<Execution ProcessID="2996" ThreadID="3992" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2018-12-09 21:41:41.091</Data>
<Data Name="ImageLoaded">C:\Windows\System32\drivers\PROCEXP152.SYS</Data>
<Data Name="Hashes">MD5=8213C5972C91A56BE78CD02A4DE4E3FC,SHA256=95D07C3B8DF26790AC43BB4259F65D1E90B03EA31D66F1B3961D85E21C5FF590</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Sysinternals</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="UtcTime">2018-12-09 21:41:41.091</Data>
<Data Name="ImageLoaded">C:\Windows\System32\drivers\PROCEXP152.SYS</Data>
<Data Name="Hashes">MD5=8213C5972C91A56BE78CD02A4DE4E3FC,SHA256=95D07C3B8DF26790AC43BB4259F65D1E90B03EA31D66F1B3961D85E21C5FF590</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Sysinternals</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0011_7_windows_sysmon_image_loaded |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The image loaded event logs when a module is loaded in a specific process. |
| Description | The image loaded event logs when a module is loaded in a specific process |
| Logging Policy | <ul><li>[LP_0006_windows_sysmon_image_loaded](../Logging_Policies/LP_0006_windows_sysmon_image_loaded.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>ImageLoaded</li><li>Hashes</li><li>Signed</li><li>Signature</li><li>SignatureStatus</li></ul> |
@ -16,7 +16,7 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>7</EventID>
<Version>3</Version>
@ -32,7 +32,7 @@
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="UtcTime">2017-04-28 22:45:16.662</Data>
<Data Name="ProcessGuid">{A23EAE89-C5FA-5903-0000-0010BF439000}</Data>
<Data Name="ProcessId">12536</Data>
@ -43,7 +43,7 @@
<Data Name="Signature">Microsoft Windows</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0012_8_windows_sysmon_CreateRemoteThread |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The CreateRemoteThread event detects when a process creates a thread in another process. |
| Description | The CreateRemoteThread event detects when a process creates a thread in another process |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>SourceProcessGuid</li><li>SourceProcessId</li><li>SourceImage</li><li>TargetProcessGuid</li><li>TargetProcessId</li><li>TargetImage</li><li>NewThreadId</li><li>StartAddress</li><li>StartModule</li><li>StartFunction</li></ul> |
@ -16,34 +16,34 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>8</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-05-13T22:53:43.214864300Z" />
<EventRecordID>739823</EventRecordID>
<Correlation />
<Execution ProcessID="2848" ThreadID="3520" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>8</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-05-13T22:53:43.214864300Z" />
<EventRecordID>739823</EventRecordID>
<Correlation />
<Execution ProcessID="2848" ThreadID="3520" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2017-05-13 22:53:43.214</Data>
<Data Name="SourceProcessGuid">{A23EAE89-8E6D-5917-0000-0010DFAF5004}</Data>
<Data Name="SourceProcessId">8804</Data>
<Data Name="SourceImage">C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe</Data>
<Data Name="TargetProcessGuid">{A23EAE89-8E5A-5917-0000-00100E3E4D04}</Data>
<Data Name="TargetProcessId">2024</Data>
<Data Name="TargetImage">C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe</Data>
<Data Name="NewThreadId">20532</Data>
<Data Name="StartAddress">0x00007FFB09321970</Data>
<Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data Name="StartFunction">DbgUiRemoteBreakin</Data>
<Data Name="UtcTime">2017-05-13 22:53:43.214</Data>
<Data Name="SourceProcessGuid">{A23EAE89-8E6D-5917-0000-0010DFAF5004}</Data>
<Data Name="SourceProcessId">8804</Data>
<Data Name="SourceImage">C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe</Data>
<Data Name="TargetProcessGuid">{A23EAE89-8E5A-5917-0000-00100E3E4D04}</Data>
<Data Name="TargetProcessId">2024</Data>
<Data Name="TargetImage">C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe</Data>
<Data Name="NewThreadId">20532</Data>
<Data Name="StartAddress">0x00007FFB09321970</Data>
<Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data Name="StartFunction">DbgUiRemoteBreakin</Data>
</EventData>
</Event>


@ -1,12 +1,12 @@
| Title | DN_0013_9_windows_sysmon_RawAccessRead |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation. |
| Description | The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>Device</li></ul> |
@ -16,7 +16,7 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>9</EventID>
<Version>2</Version>
@ -32,14 +32,14 @@
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="UtcTime">2018-03-22 20:32:22.332</Data>
<Data Name="ProcessGuid">{A23EAE89-C65F-5AB2-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="Image">System</Data>
<Data Name="Device">\Device\HarddiskVolume2</Data>
</EventData>
</Event>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0014_10_windows_sysmon_ProcessAccess |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | The process accessed event reports when a process opens another process, an operation thats often followed by information queries or reading and writing the address space of the target process. |
| Description | The process accessed event reports when a process opens another process, an operation thats often followed by information queries or reading and writing the address space of the target process |
| Logging Policy | <ul><li>[LP_0007_windows_sysmon_ProcessAccess](../Logging_Policies/LP_0007_windows_sysmon_ProcessAccess.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>SourceProcessGUID</li><li>SourceProcessId</li><li>SourceThreadId</li><li>SourceImage</li><li>TargetProcessGUID</li><li>TargetProcessId</li><li>TargetImage</li><li>GrantedAccess</li><li>CallTrace</li></ul> |
@ -16,7 +16,7 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>10</EventID>
<Version>3</Version>
@ -32,7 +32,7 @@
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-30 14:28:35.212</Data>
<Data Name="SourceProcessGUID">{9683FBB1-B470-5C51-0000-0010521EBB00}</Data>
@ -45,7 +45,7 @@
<Data Name="GrantedAccess">0x1010</Data>
<Data Name="CallTrace">C:\windows\SYSTEM32\ntdll.dll+9a3c4|C:\windows\System32\KERNELBASE.dll+2fd5d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a906|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7ac75|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a82d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d28c|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d0c4|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4cea1|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+80675|C:\windows\System32\KERNEL32.DLL+13034|C:\windows\SYSTEM32\ntdll.dll+71471</Data>
</EventData>
</Event>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0015_11_windows_sysmon_FileCreate |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection. |
| Description | File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection |
| Logging Policy | <ul><li>[LP_0008_windows_sysmon_FileCreate](../Logging_Policies/LP_0008_windows_sysmon_FileCreate.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li></ul> |
@ -16,7 +16,7 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>11</EventID>
<Version>2</Version>
@ -32,7 +32,7 @@
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-30 15:08:51.287</Data>
<Data Name="ProcessGuid">{9683FBB1-9A3F-5C51-0000-0010EB030000}</Data>
@ -41,7 +41,7 @@
<Data Name="TargetFilename">C:\Windows\PSEXESVC.exe</Data>
<Data Name="CreationUtcTime">2019-01-30 15:08:51.287</Data>
</EventData>
</Event>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0016_12_windows_sysmon_RegistryEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications. |
| Description | Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li></ul> |
@ -16,7 +16,7 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>12</EventID>
<Version>2</Version>
@ -32,7 +32,7 @@
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">DeleteKey</Data>
<Data Name="UtcTime">2019-01-30 17:05:28.023</Data>
@ -41,7 +41,7 @@
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Key #1</Data>
</EventData>
</Event>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0016_13_windows_sysmon_RegistryEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD. |
| Description | This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li><li>Details</li></ul> |
@ -16,7 +16,7 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>13</EventID>
<Version>2</Version>
@ -32,7 +32,7 @@
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">SetValue</Data>
<Data Name="UtcTime">2019-01-30 17:06:11.673</Data>
@ -42,7 +42,7 @@
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Value #1</Data>
<Data Name="Details">C:\Program Files\Sublime Text 3\sublime_text.exe</Data>
</EventData>
</Event>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0018_14_windows_sysmon_RegistryEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed. |
| Description | Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li><li>Details</li></ul> |
@ -16,33 +16,33 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>14</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>14</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T18:16:38.889738400Z" />
<EventRecordID>43065</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>14</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>14</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T18:16:38.889738400Z" />
<EventRecordID>43065</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">RenameKey</Data>
<Data Name="UtcTime">2019-01-30 18:16:38.886</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1</Data>
<Data Name="NewName">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #2</Data>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">RenameKey</Data>
<Data Name="UtcTime">2019-01-30 18:16:38.886</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1</Data>
<Data Name="NewName">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #2</Data>
</EventData>
</Event>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0019_15_windows_sysmon_FileCreateStreamHash |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. |
| Description | This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li><li>Hash</li></ul> |
@ -17,32 +17,32 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>15</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>15</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-21T12:43:53.385072700Z" />
<EventRecordID>34115</EventRecordID>
<Correlation />
<Execution ProcessID="2052" ThreadID="4092" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>15</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>15</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-21T12:43:53.385072700Z" />
<EventRecordID>34115</EventRecordID>
<Correlation />
<Execution ProcessID="2052" ThreadID="4092" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-21 12:43:53.368</Data>
<Data Name="ProcessGuid">{9683FBB1-A860-5C45-0000-0010274F1400}</Data>
<Data Name="ProcessId">6604</Data>
<Data Name="Image">C:\windows\Explorer.EXE</Data>
<Data Name="TargetFilename">C:\Users\user1\Downloads\wce_v1_42beta_x64\wce.exe</Data>
<Data Name="CreationUtcTime">2013-11-11 22:41:40.000</Data>
<Data Name="Hash">MD5=CCF1D1573F175299ADE01C07791A6541,SHA256=68A15A34C2E28B9B521A240B948634617D72AD619E3950BC6DC769E60A0C3CF2</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-21 12:43:53.368</Data>
<Data Name="ProcessGuid">{9683FBB1-A860-5C45-0000-0010274F1400}</Data>
<Data Name="ProcessId">6604</Data>
<Data Name="Image">C:\windows\Explorer.EXE</Data>
<Data Name="TargetFilename">C:\Users\user1\Downloads\wce_v1_42beta_x64\wce.exe</Data>
<Data Name="CreationUtcTime">2013-11-11 22:41:40.000</Data>
<Data Name="Hash">MD5=CCF1D1573F175299ADE01C07791A6541,SHA256=68A15A34C2E28B9B521A240B948634617D72AD619E3950BC6DC769E60A0C3CF2</Data>
</EventData>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0020_17_windows_sysmon_PipeEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event generates when a named pipe is created. Malware often uses named pipes for interprocess communication. |
| Description | This event generates when a named pipe is created. Malware often uses named pipes for interprocess communication |
| Logging Policy | <ul><li>[LP_0009_windows_sysmon_PipeEvent](../Logging_Policies/LP_0009_windows_sysmon_PipeEvent.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>PipeName</li><li>Image</li></ul> |
@ -17,30 +17,30 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>17</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>17</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:37:34.396695400Z" />
<EventRecordID>46617</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>17</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>17</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:37:34.396695400Z" />
<EventRecordID>46617</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 13:37:34.396</Data>
<Data Name="ProcessGuid">{9683FBB1-919E-5C59-0000-0010A0E53B00}</Data>
<Data Name="ProcessId">7128</Data>
<Data Name="PipeName">\PSEXESVC-ATC-WIN-7-2728-stdin</Data>
<Data Name="Image">C:\windows\PSEXESVC.exe</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 13:37:34.396</Data>
<Data Name="ProcessGuid">{9683FBB1-919E-5C59-0000-0010A0E53B00}</Data>
<Data Name="ProcessId">7128</Data>
<Data Name="PipeName">\PSEXESVC-ATC-WIN-7-2728-stdin</Data>
<Data Name="Image">C:\windows\PSEXESVC.exe</Data>
</EventData>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0021_18_windows_sysmon_PipeEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event logs when a named pipe connection is made between a client and a server. |
| Description | This event logs when a named pipe connection is made between a client and a server |
| Logging Policy | <ul><li>[LP_0009_windows_sysmon_PipeEvent](../Logging_Policies/LP_0009_windows_sysmon_PipeEvent.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>PipeName</li><li>Image</li></ul> |


@ -1,12 +1,12 @@
| Title | DN_0022_19_windows_sysmon_WmiEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression. |
| Description | When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression |
| Logging Policy | <ul><li>[LP_0010_windows_sysmon_WmiEvent](../Logging_Policies/LP_0010_windows_sysmon_WmiEvent.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>EventType</li><li>UtcTime</li><li>Operation</li><li>User</li><li>EventNamespace</li><li>Name</li><li>Query</li></ul> |
@ -17,32 +17,32 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>19</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>19</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.434534600Z" />
<EventRecordID>46712</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>19</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>19</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.434534600Z" />
<EventRecordID>46712</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiFilterEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.432</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="EventNamespace">"root\\CimV2"</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Query">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="EventType">WmiFilterEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.432</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="EventNamespace">"root\\CimV2"</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Query">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"</Data>
</EventData>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0023_20_windows_sysmon_WmiEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | This event logs the registration of WMI consumers, recording the consumer name, log, and destination. |
| Description | This event logs the registration of WMI consumers, recording the consumer name, log, and destination |
| Logging Policy | <ul><li>[LP_0010_windows_sysmon_WmiEvent](../Logging_Policies/LP_0010_windows_sysmon_WmiEvent.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>EventType</li><li>UtcTime</li><li>Operation</li><li>User</li><li>Name</li><li>Type</li><li>Destination</li></ul> |
@ -17,32 +17,32 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>20</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>20</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.518512400Z" />
<EventRecordID>46713</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>20</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>20</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.518512400Z" />
<EventRecordID>46713</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiConsumerEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.510</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Type">Command Line</Data>
<Data Name="Destination">"C:\\windows\\System32\\notepad.exe"</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="EventType">WmiConsumerEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.510</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Type">Command Line</Data>
<Data Name="Destination">"C:\\windows\\System32\\notepad.exe"</Data>
</EventData>
</Event>
```


@ -1,12 +1,12 @@
| Title | DN_0024_21_windows_sysmon_WmiEvent |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | When a consumer binds to a filter, this event logs the consumer name and filter path. |
| Description | When a consumer binds to a filter, this event logs the consumer name and filter path |
| Logging Policy | <ul><li>[LP_0010_windows_sysmon_WmiEvent](../Logging_Policies/LP_0010_windows_sysmon_WmiEvent.md)</li></ul> |
| References | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Platform | Windows |
| Type | Windows Log |
| Channel | Microsoft-Windows-Sysmon/Operational |
| Provider | Microsoft-Windows-Sysmon |
| Fields | <ul><li>EventID</li><li>Computer</li><li>EventType</li><li>UtcTime</li><li>Operation</li><li>User</li><li>Consumer</li><li>Filter</li></ul> |
@ -17,31 +17,31 @@
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>21</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>21</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:47.091658300Z" />
<EventRecordID>46714</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>21</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>21</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:47.091658300Z" />
<EventRecordID>46714</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiBindingEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:47.087</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Consumer">"\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
<Data Name="Filter">"\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="EventType">WmiBindingEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:47.087</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Consumer">"\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
<Data Name="Filter">"\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
</EventData>
</Event>
```


@ -0,0 +1,58 @@
| Title | DN_0026_5136_windows_directory_service_object_was_modified |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | A directory service object was modified |
| Logging Policy | <ul><li>[LP_0025_windows_audit_directory_service_changes](../Logging_Policies/LP_0025_windows_audit_directory_service_changes.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>ProcessID</li><li>ThreadID</li><li>Computer</li><li>OpCorrelationID</li><li>AppCorrelationID</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>DSName</li><li>DSType</li><li>ObjectDN</li><li>ObjectGUID</li><li>ObjectClass</li><li>AttributeLDAPDisplayName</li><li>AttributeSyntaxOID</li><li>AttributeValue</li><li>OperationType</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T17:36:04.129472600Z" />
<EventRecordID>410204</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4020" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{02647639-8626-43CE-AFE6-7AA1AD657739}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">CN=Sergey,CN=Builtin,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{4FE80A66-5F93-4F73-B215-68678058E613}</Data>
<Data Name="ObjectClass">user</Data>
<Data Name="AttributeLDAPDisplayName">userAccountControl</Data>
<Data Name="AttributeSyntaxOID">2.5.5.9</Data>
<Data Name="AttributeValue">512</Data>
<Data Name="OperationType">%%14675</Data>
</EventData>
</Event>
```


@ -0,0 +1,69 @@
| Title | DN_0027_4738_user_account_was_changed |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | User object is changed |
| Logging Policy | <ul><li>[LP_0026_windows_audit_user_account_management](../Logging_Policies/LP_0026_windows_audit_user_account_management.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>ProcessID</li><li>ThreadID</li><li>Computer</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li><li>SamAccountName</li><li>DisplayName</li><li>UserPrincipalName</li><li>HomeDirectory</li><li>HomePath</li><li>ScriptPath</li><li>ProfilePath</li><li>UserWorkstations</li><li>PasswordLastSet</li><li>AccountExpires</li><li>PrimaryGroupId</li><li>AllowedToDelegateTo</li><li>OldUacValue</li><li>NewUacValue</li><li>UserAccountControl</li><li>UserParameters</li><li>SidHistory</li><li>LogonHours</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" />
<EventRecordID>175413</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>
```


@ -0,0 +1,49 @@
| Title | DN_0028_directory_services_restore_mode_admin_password_set_4794 |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Directory Services Restore Mode (DSRM) administrator password is changed |
| Logging Policy | <ul><li>[LP_0026_windows_audit_user_account_management](../Logging_Policies/LP_0026_windows_audit_user_account_management.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>ProcessID</li><li>ThreadID</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>Workstation</li><li>Status</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4794</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T02:49:26.087748900Z" />
<EventRecordID>172348</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="2964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36f67</Data>
<Data Name="Workstation">DC01</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>
```


@ -0,0 +1,59 @@
| Title | DN_0029_4661_handle_to_an_object_was_requested |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | A handle was requested for either an Active Directory object or a Security Account Manager (SAM) object |
| Logging Policy | <ul><li>[LP_0027_windows_audit_directory_service_access](../Logging_Policies/LP_0027_windows_audit_directory_service_access.md)</li><li>[LP_0028_windows_audit_sam](../Logging_Policies/LP_0028_windows_audit_sam.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>ProcessID</li><li>ThreadID</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>ObjectType</li><li>ObjectName</li><li>HandleId</li><li>TransactionId</li><li>AccessList</li><li>AccessMask</li><li>PrivilegeList</li><li>Properties</li><li>RestrictedSidCount</li><li>ProcessId</li><li>ProcessName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4661</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
<EventRecordID>1048009</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="528" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4280e</Data>
<Data Name="ObjectServer">Security Account Manager</Data>
<Data Name="ObjectType">SAM\_DOMAIN</Data>
<Data Name="ObjectName">DC=contoso,DC=local</Data>
<Data Name="HandleId">0xdd64d36870</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%5400</Data>
<Data Name="AccessMask">0x2d</Data>
<Data Name="PrivilegeList">Ā</Data>
<Data Name="Properties">-</Data>
<Data Name="RestrictedSidCount">2949165</Data>
<Data Name="ProcessId">0x9000a000d002d</Data>
<Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data>
</EventData>
</Event>
```
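Review bot: The References cell of DN_0029_4661 links to `.../auditing/event-4794.md`, which is the DSRM-password event documented in DN_0028, not 4661; it should read `.../auditing/event-4794.md` → `.../auditing/event-4661.md` (same repo path and commit hash as the other entries). This looks like a copy-paste carry-over from the previous Data Needed file, and an analyst following the link would land on the wrong event description. The sample log itself (the `PrivilegeList`/`RestrictedSidCount`/`ProcessName` values look garbled) appears to be taken verbatim from the vendor page, so I would not change it here, but a one-line caveat under "Raw Log" noting that the sample is reproduced as published would save readers from assuming a parsing bug.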


@ -0,0 +1,57 @@
| Title | DN_0030_4662_operation_was_performed_on_an_object |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | An operation was performed on an Active Directory object |
| Logging Policy | <ul><li>[LP_0027_windows_audit_directory_service_access](../Logging_Policies/LP_0027_windows_audit_directory_service_access.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>ProcessID</li><li>ThreadID</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>ObjectType</li><li>ObjectName</li><li>OperationType</li><li>HandleId</li><li>AccessList</li><li>AccessMask</li><li>Properties</li><li>AdditionalInfo</li><li>AdditionalInfo2</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" />
<EventRecordID>407230</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="600" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35867</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%1537</Data>
<Data Name="AccessMask">0x10000</Data>
<Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2" />
</EventData>
</Event>
```


@ -0,0 +1,46 @@
| Title | DN_0031_7036_service_started_stopped |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Service entered the running/stopped state |
| Logging Policy | <ul><li>[None](../Logging_Policies/None.md)</li></ul> |
| References | <ul><li>[http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm](http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | System |
| Provider | Service Control Manager |
| Fields | <ul><li>EventID</li><li>ProcessID</li><li>ThreadID</li><li>Computer</li><li>param1</li><li>param2</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
- <System>
<Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/>
<EventID Qualifiers='16384'>7036</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime='2019-01-12T16:00:11.920020600Z'/>
<EventRecordID>41452</EventRecordID>
<Correlation/>
<Execution ProcessID='692' ThreadID='828'/>
<Channel>System</Channel>
<Computer>EC2AMAZ-D6OFVS8</Computer>
<Security/>
</System>
- <EventData>
<Data Name='param1'>Device Install Service</Data>
<Data Name='param2'>running</Data>
<Binary>44006500760069006300650049006E007300740061006C006C002F0034000000</Binary>
</EventData>
</Event>
```
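Review bot: The Logging Policy cell renders `[None](../Logging_Policies/None.md)`, a link to a file that does not exist, because the renderer wraps the `None` placeholder in the same link template used for real LP identifiers. For events that need no policy (7036 is written by the Service Control Manager by default) the cell should contain plain `None`, i.e. the template should emit the link only when the value matches an `LP_…` identifier; the rendering code is not in this view, so that is where I would expect the fix to live rather than in this generated file. A short note in the Description such as "Logged by default; no audit policy required" would also make the `None` self-explanatory.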


@ -0,0 +1,56 @@
| Title | DN_0032_5145_network_share_object_was_accessed_detailed |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Network share object (file or folder) was accessed. Detailed log with AccessReason and RelativeTargetName |
| Logging Policy | <ul><li>[LP_0029_windows_audit_detailed_file_share](../Logging_Policies/LP_0029_windows_audit_detailed_file_share.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>ProcessID</li><li>ThreadID</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectType</li><li>IpAddress</li><li>IpPort</li><li>ShareName</li><li>ShareLocalPath</li><li>RelativeTargetName</li><li>AccessMask</li><li>AccessList</li><li>AccessReason</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5145</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12811</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
<EventRecordID>267092</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d34</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
<Data Name="IpPort">56926</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="RelativeTargetName">Bginfo.exe</Data>
<Data Name="AccessMask">0x100081</Data>
<Data Name="AccessList">%%1541 %%4416 %%4423</Data>
<Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
</EventData>
</Event>
```


@ -0,0 +1,54 @@
| Title | DN_0033_5140_network_share_object_was_accessed |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Network share object (file or folder) was accessed |
| Logging Policy | <ul><li>[LP_0030_windows_audit_file_share](../Logging_Policies/LP_0030_windows_audit_file_share.md)</li></ul> |
| References | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md)</li></ul> |
| Platform | Windows |
| Type | Windows Log |
| Channel | Security |
| Provider | Microsoft-Windows-Security-Auditing |
| Fields | <ul><li>EventID</li><li>ProcessID</li><li>ThreadID</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectType</li><li>IpAddress</li><li>IpPort</li><li>ShareName</li><li>ShareLocalPath</li><li>AccessMask</li><li>AccessList</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5140</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:45:13.581231400Z" />
<EventRecordID>268495</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="772" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x541f35</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">10.0.0.100</Data>
<Data Name="IpPort">49212</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="AccessList">%%4416</Data>
</EventData>
</Event>
```


@ -0,0 +1,36 @@
| Title | EN_0001_cache_sysmon_event_id_1_info |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Cache Sysmon Event ID 1 (Process Create) data for further enrichments. |
| Data Needed |<ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data to enrich | None |
| References |<ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li></ul> |
| Author | Teymur Kheirkhabarov |
| Requirements | None |
| New fields | None |
### Config
We can use Logstash to cache data in Memcached.
Here is the config example:
```
filter {
# Building information block for caching:
if [source_name] == "Microsoft-Windows-Sysmon" and [event_id] == 1 {
mutate {
add_field => {
"[@metadata][processinfo]" => "IntegrityLevel=%{[event_data][IntegrityLevel]},User=%{[event_data][User]},CommandLine=${[event_data][CommandLine]},ParentImage=%{[event_data][ParentImage]}"
}
}
# Saving previously built information block in cache (key is concatenation of ProcessGuid and computer_name):
memcached {
hosts => ["127.0.0.1:11211"]
set => {
"[@metadata][processinfo]" => "%{computer_name}_{[event_data][ProcessGuid]}"
}
ttl => 86400 # 24 hours
}
}
}
```
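Review bot: The cache key in the `memcached` `set` block, `"%{computer_name}_{[event_data][ProcessGuid]}"`, is missing the `%` before `{[event_data][ProcessGuid]}`, so Logstash stores every process under the literal key `<host>_{[event_data][ProcessGuid]}` and the lookup in EN_0002 (`%{computer_name}_%{[event_data][ParentProcessGuid]}`) can never hit; it should read `"%{computer_name}_%{[event_data][ProcessGuid]}"`. The same slip appears in the information block, where `CommandLine=${[event_data][CommandLine]}` uses `$` instead of `%` and should be `CommandLine=%{[event_data][CommandLine]}`. Separately, the block is a comma/equals-delimited string that the consuming `kv` filter will split, and a command line routinely contains both characters (`rundll32 x.dll,Entry`, `-Option=value`), so parsing breaks on benign input and a deliberately crafted command line such as `cmd /c a,User=NT AUTHORITY\SYSTEM` can inject a second `User`/`IntegrityLevel` value into the parent attributes later trusted by detections. Serialising the block as JSON (or caching only the three fields needed for enrichment and leaving CommandLine out) avoids the delimiter problem entirely.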


@ -0,0 +1,46 @@
| Title | EN_0002_enrich_sysmon_event_id_1_with_parent_info |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Enrich Sysmon Event ID 1 (Process Create) with Parent Integrity Level, Parent User and Parent of Parent Image fields. |
| Data Needed |<ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data to enrich |<ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| References |<ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li></ul> |
| Author | Teymur Kheirkhabarov |
| Requirements |<ul><li>[EN_0001_cache_sysmon_event_id_1_info](../Enrichments/EN_0001_cache_sysmon_event_id_1_info.md)</li></ul>> |
| New fields |<ul><li>event_data.ParentIntegrityLevel</li><li>event_data.ParentUser</li><li>event_data.ParentOfParentImage</li><li>ParentIntegrityLevel</li><li>ParentUser</li><li>ParentOfParentImage</li></ul> |
### Config
We can use Logstash to enrich Sysmon Event ID 1 with data cached in Memcached.
Here is the config example:
```
filter {
# Get previously cached information about parent process from cache to enrich process creation events (event id 1)
if [source_name] == "Microsoft-Windows-Sysmon" and [event_id] == 1 and [event_data][ParentProcessGuid] {
# Enrich event with additional information about process
memcached {
# get info from cache
hosts => ["127.0.0.1:11211"]
get => {
"%{computer_name}_%{[event_data][ParentProcessGuid]}" => "[@metadata][processinfo]"
}
}
if [@metadata][processinfo] {
kv {
source => "[@metadata][processinfo]"
target => "[@metadata][processinfo]"
field_split => ","
value_split => "="
}
if [@metadata][processinfo][ParentImage] {
mutate {
add_field => { "[event_data][ParentIntegrityLevel]" => "%{[@metadata][processinfo][IntegrityLevel]}" }
add_field => { "[event_data][ParentUser]" => "%{[@metadata][processinfo][User]}" }
add_field => { "[event_data][ParentOfParentImage]" => "%{[@metadata][processinfo][ParentImage]}" }
}
}
}
}
}
```
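Review bot: The `kv` filter splits the cached `[@metadata][processinfo]` string on `,` and `=`, but that string embeds the parent's full CommandLine, which routinely contains both characters, so `IntegrityLevel`/`User`/`ParentImage` can come out as arrays or wrong values and, for a parent launched with an attacker-chosen command line, can be made to carry spoofed values into `ParentUser`/`ParentIntegrityLevel`; the sprintf in `add_field` would then render the array as a JSON-like string rather than fail. Since the producer side is defined in EN_0001, the robust fix is to have it store JSON and replace the `kv` block here with a `json { source => "[@metadata][processinfo]" target => "[@metadata][processinfo]" }`, or to drop CommandLine from the cached block since this enrichment never reads it. Also, the Requirements cell ends with `</ul>>` (stray `>` after the list), which renders as a literal greater-than sign and should be `</ul> |`.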


@ -0,0 +1,60 @@
| Title | EN_0003_enrich_other_sysmon_events_with_event_id_1_data |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Enrich other Sysmon Events with data from Events ID 1 (Process Create) — Integrity Level, User, Parent Image and CommandLine fields. |
| Data Needed |<ul><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| Data to enrich |<ul><li>[DN_0006_2_windows_sysmon_process_changed_a_file_creation_time](../Data_Needed/DN_0006_2_windows_sysmon_process_changed_a_file_creation_time.md)</li><li>[DN_0007_3_windows_sysmon_network_connection](../Data_Needed/DN_0007_3_windows_sysmon_network_connection.md)</li><li>[DN_0009_5_windows_sysmon_process_terminated](../Data_Needed/DN_0009_5_windows_sysmon_process_terminated.md)</li><li>[DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)</li><li>[DN_0013_9_windows_sysmon_RawAccessRead](../Data_Needed/DN_0013_9_windows_sysmon_RawAccessRead.md)</li><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li><li>[DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)</li><li>[DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)</li><li>[DN_0018_14_windows_sysmon_RegistryEvent](../Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md)</li><li>[DN_0019_15_windows_sysmon_FileCreateStreamHash](../Data_Needed/DN_0019_15_windows_sysmon_FileCreateStreamHash.md)</li><li>[DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)</li><li>[DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)</li></ul> |
| References |<ul><li>[https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)</li></ul> |
| Author | Teymur Kheirkhabarov |
| Requirements |<ul><li>[EN_0001_cache_sysmon_event_id_1_info](../Enrichments/EN_0001_cache_sysmon_event_id_1_info.md)</li></ul>> |
| New fields |<ul><li>event_data.IntegrityLevel</li><li>event_data.User</li><li>event_data.CommandLine</li><li>event_data.ParentImage</li><li>IntegrityLevel</li><li>User</li><li>CommandLine</li><li>ParentImage</li></ul> |
### Config
We can use Logstash to enrich other Sysmon Events with data from Sysmon Event ID 1, cached in Memcached.
Here is the config example:
```
filter {
# Add additional information from cache, that is available only in Process Creation event (User, IL...)
if [source_name] == "Microsoft-Windows-Sysmon" and [event_id] != 1 and [event_data][ProcessGuid] {
# Enrich event with additional information about process
memcached {
# get info from cache
hosts => ["127.0.0.1:11211"]
get => {
"%{computer_name}_%{[event_data][ProcessGuid]}" => "[@metadata][processinfo]"
}
}
if [@metadata][processinfo] {
kv {
source => "[@metadata][processinfo]"
target => "[@metadata][processinfo]"
field_split => ","
value_split => "="
}
# Enrich event
if [@metadata][processinfo][IntegrityLevel] {
mutate {
add_field => { "[event_data][IntegrityLevel]" => "%{[@metadata][processinfo][IntegrityLevel]}" }
}
}
if [@metadata][processinfo][User] {
mutate {
add_field => { "[event_data][User]" => "%{[@metadata][processinfo][User]}" }
}
}
if [@metadata][processinfo][CommandLine] {
mutate {
add_field => { "[event_data][CommandLine]" => "%{[@metadata][processinfo][CommandLine]}" }
}
}
if [@metadata][processinfo][ParentImage] {
mutate {
add_field => { "[event_data][ParentImage]" => "%{[@metadata][processinfo][ParentImage]}" }
}
}
}
}
}
```

@ -4,10 +4,10 @@
| Automation |<ul><li>thehive</li></ul> |
| Author | Daniil Yugoslavskiy |
| Creation Date | 31.01.2019 |
| References | None</ul> |
| References | None |
| Description | Aggregated Response Action for identification of all potential victims of the phishing attack |
| Linked Response Actions |<ul><li>[RA_0026_identification_find_emails_opened](../Response_Actions/RA_0026_identification_find_emails_opened.md)</li><li>[RA_0030_identification_find_all_hosts_communicated_with_domain](../Response_Actions/RA_0030_identification_find_all_hosts_communicated_with_domain.md)</li><li>[RA_0031_identification_find_all_hosts_communicated_with_ip](../Response_Actions/RA_0031_identification_find_all_hosts_communicated_with_ip.md)</li><li>[RA_0032_identification_find_all_hosts_communicated_with_url](../Response_Actions/RA_0032_identification_find_all_hosts_communicated_with_url.md)</li><li>[RA_0033_identification_find_files_created](../Response_Actions/RA_0033_identification_find_files_created.md)</li><li>[RA_0034_identification_find_all_victims_in_security_alerts](../Response_Actions/RA_0034_identification_find_all_victims_in_security_alerts.md)</li></ul> |
| Linked Analytics |<ul><li>test</li><li>test2</li></ul> |
| Linked Analytics | None |
### Workflow

@ -4,7 +4,7 @@
| Automation | None |
| Author | Daniil Yugoslavskiy |
| Creation Date | 31.01.2019 |
| References | None</ul> |
| References | None |
| Description | Block ip address on border firewall. |
| Linked Response Actions | None |
| Linked Analytics |<ul><li>MS_firewall</li></ul> |

@ -4,7 +4,7 @@
| Automation | None |
| Author | Daniil Yugoslavskiy |
| Creation Date | 31.01.2019 |
| References | None</ul> |
| References | None |
| Description | Block url on Proxy server. |
| Linked Response Actions | None |
| Linked Analytics |<ul><li>MS_proxy_server</li></ul> |

@ -4,7 +4,7 @@
| Automation | None |
| Author | Daniil Yugoslavskiy |
| Creation Date | 31.01.2019 |
| References | None</ul> |
| References | None |
| Description | Delete malicious emails from Email Server and users' email boxes. |
| Linked Response Actions | None |
| Linked Analytics |<ul><li>MS_email_server</li></ul> |

@ -4,7 +4,7 @@
| Automation | None |
| Author | Daniil Yugoslavskiy |
| Creation Date | 31.01.2019 |
| References | None</ul> |
| References | None |
| Description | Aggregated Response Action for blocking threats on Network Level. |
| Linked Response Actions |<ul><li>[RA_0006_containment_block_domain_on_email](../Response_Actions/RA_0006_containment_block_domain_on_email.md)</li><li>[RA_0009_containment_block_url_on_proxy](../Response_Actions/RA_0009_containment_block_url_on_proxy.md)</li><li>[RA_0007_containment_block_ip_on_border_firewall](../Response_Actions/RA_0007_containment_block_ip_on_border_firewall.md)</li><li>[RA_0008_containment_block_domain_on_dns](../Response_Actions/RA_0008_containment_block_domain_on_dns.md)</li><li>[RA_0009_containment_block_url_on_proxy](../Response_Actions/RA_0009_containment_block_url_on_proxy.md)</li></ul> |
| Linked Analytics | None |

@ -4,7 +4,7 @@
| Automation | None |
| Author | Daniil Yugoslavskiy |
| Creation Date | 31.01.2019 |
| References | None</ul> |
| References | None |
| Description | Block domain on IPS. |
| Linked Response Actions | None |
| Linked Analytics |<ul><li>MS_ips</li></ul> |

@ -4,7 +4,7 @@
| Automation | None |
| Author | Daniil Yugoslavskiy |
| Creation Date | 31.01.2019 |
| References | None</ul> |
| References | None |
| Description | Block domain on NGFW. |
| Linked Response Actions | None |
| Linked Analytics |<ul><li>MS_ngfw</li></ul> |

@ -4,7 +4,7 @@
| Automation | None |
| Author | Daniil Yugoslavskiy |
| Creation Date | 31.01.2019 |
| References | None</ul> |
| References | None |
| Description | Block ip on IPS. |
| Linked Response Actions | None |
| Linked Analytics |<ul><li>MS_ips</li></ul> |

@ -4,7 +4,7 @@
| Automation | None |
| Author | Daniil Yugoslavskiy |
| Creation Date | 31.01.2019 |
| References | None</ul> |
| References | None |
| Description | Block ip on NGFW. |
| Linked Response Actions | None |
| Linked Analytics |<ul><li>MS_ngfw</li></ul> |

@ -4,7 +4,7 @@
| Automation | None |
| Author | Daniil Yugoslavskiy |
| Creation Date | 31.01.2019 |
| References | None</ul> |
| References | None |
| Description | Block URL on NGFW. |
| Linked Response Actions | None |
| Linked Analytics |<ul><li>MS_ngfw</li></ul> |

@ -4,7 +4,7 @@
| Automation | None |
| Author | Daniil Yugoslavskiy |
| Creation Date | 31.01.2019 |
| References | None</ul> |
| References | None |
| Description | Put (potentially) compromised accounts on monitoring |
| Linked Response Actions | None |
| Linked Analytics | None |

@ -1,9 +1,9 @@
| Title | RP_0001_phishing_email |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | Response playbook for Phishing Email case. |
| ATT&amp;CK Tactic |<ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul></ul> |
| ATT&amp;CK Technique |<ul><li>[T1193](https://attack.mitre.org/tactics/T1193)</li><li>[T1192](https://attack.mitre.org/tactics/T1192)</li></ul></ul> |
| Tags |<ul><li>phishinng</li></ul></ul> |
| ATT&amp;CK Tactic |<ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul> |
| ATT&amp;CK Technique |<ul><li>[T1193](https://attack.mitre.org/tactics/T1193)</li><li>[T1192](https://attack.mitre.org/tactics/T1192)</li></ul> |
| Tags |<ul><li>phishinng</li></ul> |
| Severity | M |
| TLP | AMBER |
| PAP | WHITE |
@ -12,7 +12,7 @@
| Identification |<ul><li>[RA_0001_identification_get_original_email](../Response_Actions/RA_0001_identification_get_original_email.md)</li><li>[RA_0002_identification_extract_observables_from_email](../Response_Actions/RA_0002_identification_extract_observables_from_email.md)</li><li>[RA_0003_identification_make_sure_email_is_a_phising](../Response_Actions/RA_0003_identification_make_sure_email_is_a_phising.md)</li><li>[RA_0004_identification_analyse_obtained_indicators_of_compromise](../Response_Actions/RA_0004_identification_analyse_obtained_indicators_of_compromise.md)</li><li>[RA_0005_identification_find_all_phising_attack_victims](../Response_Actions/RA_0005_identification_find_all_phising_attack_victims.md)</li><li>[RA_0040_identification_put_on_monitoring_compromised_accounts](../Response_Actions/RA_0040_identification_put_on_monitoring_compromised_accounts.md)</li></ul> |
| Containment |<ul><li>[RA_0006_containment_block_domain_on_email](../Response_Actions/RA_0006_containment_block_domain_on_email.md)</li><li>[RA_0028_containment_block_threat_on_network_level](../Response_Actions/RA_0028_containment_block_threat_on_network_level.md)</li></ul> |
| Eradication |<ul><li>[RA_0010_eradication_delete_malicious_emails](../Response_Actions/RA_0010_eradication_delete_malicious_emails.md)</li><li>[RA_0011_eradication_revoke_compromised_credentials](../Response_Actions/RA_0011_eradication_revoke_compromised_credentials.md)</li><li>[RA_0012_eradication_report_phishing_attack_to_external_companies](../Response_Actions/RA_0012_eradication_report_phishing_attack_to_external_companies.md)</li></ul> |
| Recovery | None</ul> |
| Recovery | None |
| Lessons Learned |<ul><li>[RA_0013_lessons_learned_develop_incident_report](../Response_Actions/RA_0013_lessons_learned_develop_incident_report.md)</li><li>[RA_0014_lessons_learned_conduct_lessons_learned_exercise](../Response_Actions/RA_0014_lessons_learned_conduct_lessons_learned_exercise.md)</li></ul> |
### Workflow

@ -1,8 +1,10 @@
title: DN_0005_7045_windows_service_insatalled
description: >
A service was installed in the system
loggingpolicy: None
references: None
loggingpolicy:
- None
references:
- None
category: OS Logs
platform: Windows
type: Windows Log
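Review bot: `- None` as the only item of `loggingpolicy` and `references` turns a placeholder into list data, and the renderers in this same diff iterate those lists without a guard: the dataneeded markdown template's `{% for policy in loggingpolicy %}<li>[{{ policy }}](../Logging_Policies/{{policy}}.md)</li>` would emit a link to `../Logging_Policies/None.md`, and the Confluence side needed the `if lp != "None"` special case that yaml2confluence_jinja gains further down. An empty list (`loggingpolicy: []`) or omitting the key lets the existing `is defined and ...|length` checks handle the case without a magic string. DN_0031 (`loggingpolicy:` / `- None`) has the same problem.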

@ -1,8 +1,10 @@
title: DN_0026_5136_windows_directory_service_object_was_modified
description: >
A directory service object was modified
loggingpolicy: LP_0025_windows_audit_directory_service_changes
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md
loggingpolicy:
- LP_0025_windows_audit_directory_service_changes
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md
category: OS Logs
platform: Windows
type: Windows Log

@ -1,8 +1,10 @@
title: DN_0027_4738_user_account_was_changed
description: >
User object is changed
loggingpolicy: LP_0026_windows_audit_user_account_management
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md
loggingpolicy:
- LP_0026_windows_audit_user_account_management
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md
category: OS Logs
platform: Windows
type: Windows Log

@ -1,8 +1,10 @@
title: DN_0028_directory_services_restore_mode_admin_password_set_4794
description: >
Directory Services Restore Mode (DSRM) administrator password is changed
loggingpolicy: LP_0026_windows_audit_user_account_management
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md
loggingpolicy:
- LP_0026_windows_audit_user_account_management
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md
category: OS Logs
platform: Windows
type: Windows Log

@ -5,7 +5,8 @@ description: >
loggingpolicy:
- LP_0027_windows_audit_directory_service_access
- LP_0028_windows_audit_sam
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md
category: OS Logs
platform: Windows
type: Windows Log
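Review bot: The URL placed under the new `references:` list is the event-4794 (DSRM administrator password) page, the same link DN_0028 uses, while this file's logging policies are `LP_0027_windows_audit_directory_service_access` and `LP_0028_windows_audit_sam`; the file's title is outside the hunk, but this looks like a copy-paste of DN_0028's reference rather than the page for the event this entry describes. Worth confirming the intended event id and pointing the reference at its page; the scalar-to-list reformat itself is fine.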

@ -1,8 +1,10 @@
title: DN_0030_4662_operation_was_performed_on_an_object
description: >
An operation was performed on an Active Directory object
loggingpolicy: LP_0027_windows_audit_directory_service_access
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md
loggingpolicy:
- LP_0027_windows_audit_directory_service_access
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md
category: OS Logs
platform: Windows
type: Windows Log

@ -1,8 +1,10 @@
title: DN_0031_7036_service_started_stopped
description: >
Service entered the running/stopped state
loggingpolicy: None
references: http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm
loggingpolicy:
- None
references:
- http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm
category: OS Logs
platform: Windows
type: Windows Log

@ -2,8 +2,10 @@ title: DN_0032_5145_network_share_object_was_accessed_detailed
description: >
Network share object (file or folder) was accessed. Detailed log with
AccessReason and RelativeTargetName
loggingpolicy: LP_0029_windows_audit_detailed_file_share
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md
loggingpolicy:
- LP_0029_windows_audit_detailed_file_share
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md
category: OS Logs
platform: Windows
type: Windows Log

@ -1,8 +1,10 @@
title: DN_0033_5140_network_share_object_was_accessed
description: >
Network share object (file or folder) was accessed
loggingpolicy: LP_0030_windows_audit_file_share
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md
loggingpolicy:
- LP_0030_windows_audit_file_share
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md
category: OS Logs
platform: Windows
type: Windows Log

@ -1,7 +1,8 @@
title: DN_0000_some_name_here
description: >
Some text description here. It will be merged into one line.
loggingpolicy: LP_0000_some_logging_policy_name_here
loggingpolicy:
- LP_0000_some_logging_policy_name_here
references:
- http://something.com
category: OS Logs # HTTP Logs | DNS Logs | IDS/IPS/NGFW Alerts | Antivirus Alerts | Network Flows | etc

@ -12,7 +12,7 @@ data_to_enrich:
- DN_0013_9_windows_sysmon_RawAccessRead
- DN_0015_11_windows_sysmon_FileCreate
- DN_0016_12_windows_sysmon_RegistryEvent
- DN_0016_13_windows_sysmon_RegistryEvent
- DN_0017_13_windows_sysmon_RegistryEvent
- DN_0018_14_windows_sysmon_RegistryEvent
- DN_0019_15_windows_sysmon_FileCreateStreamHash
- DN_0020_17_windows_sysmon_PipeEvent

@ -33,7 +33,7 @@ def main():
#print(push_to_confluence(data, url, auth))
push_to_confluence(data, url, auth)
spaces = ["Detection Rules", "Logging Policies", "Data Needed", "Triggering" ,"Response Actions", "Response Playbooks"]
spaces = ["Detection Rules", "Logging Policies", "Data Needed", "Triggering" ,"Response Actions", "Response Playbooks", "Enrichments"]
for space in spaces:
data = {

@ -8,6 +8,7 @@ DIRECTORIES=(
"../Atomic_Threat_Coverage/Triggering"
"../Atomic_Threat_Coverage/Response_Actions"
"../Atomic_Threat_Coverage/Response_Playbooks"
"../Atomic_Threat_Coverage/Enrichments"
)
for DIRECTORY in ${DIRECTORIES[@]}; do

@ -25,7 +25,8 @@ HELP_MESSAGE = """Usage: python3 populate_confluence.py [OPTIONS]\n\n\n
loggingpolicies_path=../loggingpolicies/
triggering_path=../triggering/atomic-red-team/atomics/
responseactions_path=../response_actions/
responseplaybooks_path=../response_playbooks/"""
responseplaybooks_path=../response_playbooks/
enrichments_path=../enrichments/"""
def main(**kwargs):
@ -35,6 +36,7 @@ def main(**kwargs):
dr_list = glob.glob(kwargs['dr_path']+'*.yml')
ra_list = glob.glob(kwargs['ra_path']+'*.yml')
rp_list = glob.glob(kwargs['rp_path']+'*.yml')
en_list = glob.glob(kwargs['en_path']+'*.yml')
mail = input("Email for access to confluence: ")
url = confluence_rest_api_url
@ -83,8 +85,16 @@ def main(**kwargs):
print(rp+" failed")
pass
for en in en_list:
try:
yaml2confluence_jinja.yaml2confluence_jinja(en, 'EN', url, mail, password)
except:
print(en+" failed")
pass
if __name__ == '__main__':
opts, args = getopt.getopt(sys.argv[1:], "", ["detectionrules_path=", "dataneeded_path=", "loggingpolicies_path=", "triggering_path=", "responseactions_path=", "responseplaybooks_path=", "help"])
opts, args = getopt.getopt(sys.argv[1:], "", ["detectionrules_path=", "dataneeded_path=", "loggingpolicies_path=",
"triggering_path=", "responseactions_path=", "responseplaybooks_path=", "enrichments_path", "help"])
# complex check in case '--help' would be in some path
if len(sys.argv) > 1 and '--help' in sys.argv[1] and len(sys.argv[1]) < 7:
print(HELP_MESSAGE)
@ -97,5 +107,6 @@ if __name__ == '__main__':
'tg_path': opts_dict.get('--triggering_path', '../triggering/atomic-red-team/atomics/'),
'ra_path': opts_dict.get('--responseactions_path', '../response_actions/'),
'rp_path': opts_dict.get('--responseplaybooks_path', '../response_playbooks/'),
'en_path': opts_dict.get('--enrichments_path', '../enrichments/'),
}
main(**kwargs)
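Review bot: `"enrichments_path"` in the getopt long-option list of the `if __name__ == '__main__':` hunk is missing the trailing `=` that every sibling option has, so `--enrichments_path=../x` fails with `getopt.GetoptError` (option must not have an argument) and `opts_dict.get('--enrichments_path', ...)` can only ever yield the default; the fix is `"enrichments_path="`. populate_markdown.py carries the same omission in its option list. The new `for en in en_list:` loop also copies the bare `except:` of its siblings, which swallows `KeyboardInterrupt`/`SystemExit` and hides why a file "failed"; `except Exception as exc: print(en + " failed: " + str(exc))` keeps the best-effort behaviour while leaving a trace. `main` starts outside the hunk.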

@ -14,7 +14,8 @@ HELP_MESSAGE = """Usage: python3 populate_markdown.py [OPTIONS]\n\n\n
loggingpolicies_path=../loggingpolicies/
triggering_path=../triggering/atomic-red-team/atomics/
responseactions_path=../response_actions/
responseplaybooks_path=../response_playbooks/"""
responseplaybooks_path=../response_playbooks/
enrichments_path=../enrichments/"""
def main(**kwargs):
@ -24,6 +25,8 @@ def main(**kwargs):
dr_list = glob.glob(kwargs['dr_path']+'*.yml')
ra_list = glob.glob(kwargs['ra_path']+'*.yml')
rp_list = glob.glob(kwargs['rp_path']+'*.yml')
en_list = glob.glob(kwargs['en_path']+'*.yml')
for lp in lp_list:
try:
@ -63,8 +66,16 @@ def main(**kwargs):
print(rp+" failed")
pass
for en in en_list:
try:
yaml2markdown_jinja.yaml2markdown_jinja(en, 'EN')
except:
print(en+" failed")
pass
if __name__ == '__main__':
opts, args = getopt.getopt(sys.argv[1:], "", ["detectionrules_path=", "dataneeded_path=", "loggingpolicies_path=", "triggering_path=", "responseactions_path=", "responseplaybooks_path=", "help"])
opts, args = getopt.getopt(sys.argv[1:], "", ["detectionrules_path=", "dataneeded_path=", "loggingpolicies_path=",
"triggering_path=", "responseactions_path=", "responseplaybooks_path=", "enrichments_path", "help"])
# complex check in case '--help' would be in some path
if len(sys.argv) > 1 and '--help' in sys.argv[1] and len(sys.argv[1]) < 7:
print(HELP_MESSAGE)
@ -77,5 +88,6 @@ if __name__ == '__main__':
'tg_path': opts_dict.get('--triggering_path', '../triggering/atomic-red-team/atomics/'),
'ra_path': opts_dict.get('--responseactions_path', '../response_actions/'),
'rp_path': opts_dict.get('--responseplaybooks_path', '../response_playbooks/'),
'en_path': opts_dict.get('--enrichments_path', '../enrichments/'),
}
main(**kwargs)

@ -0,0 +1,102 @@
<p class="auto-cursor-target"><br /></p>
<ac:structured-macro ac:name="details" ac:schema-version="1" ac:macro-id="28b7d879-550c-4376-96ff-fdbdfddf710b">
<fab:placeholder-url>/wiki/plugins/servlet/confluence/placeholder/macro?definition=e2RldGFpbHN9&amp;locale=en_GB&amp;version=2</fab:placeholder-url>
<fab:display-type>BLOCK</fab:display-type>
<ac:rich-text-body>
<p class="auto-cursor-target"><br /></p>
<table class="wrapped confluenceTable">
<colgroup>
<col />
<col />
</colgroup>
<tbody>
<tr>
<th class="confluenceTh">Title</th>
<td class="confluenceTd">{{ title|e}}<br /></td>
</tr>
<tr>
<th class="confluenceTh">Description</th>
<td class="confluenceTd">{{ description|e }}<br /></td>
</tr>
{% if data_needed is defined and data_needed|length %}
<tr>
<th class="confluenceTh">Data Needed</th>
<td class="confluenceTd">
{%- if data_needed |length > 1 -%}<ul>{%endif%}
{% for data_name, data_id in data_needed %}
{%- if data_needed |length > 1 -%}<li>{%endif%}<a href="/wiki/spaces/SOC/pages/{{data_id}}">{{ data_name }}</a>{%- if data_needed |length > 1 -%}</li>{%endif%}
{% endfor %}
{%- if data_needed |length > 1 -%}</ul>{%endif%}
<br />
</td>
</tr>
{% endif %}
{% if data_to_enrich is defined and data_to_enrich|length %}
<tr>
<th class="confluenceTh">Data to enrich</th>
<td class="confluenceTd">
{%- if data_to_enrich |length > 1 -%}<ul>{%endif%}
{% for data_name, data_id in data_to_enrich %}
{%- if data_to_enrich |length > 1 -%}<li>{%endif%}<a href="/wiki/spaces/SOC/pages/{{data_id}}">{{ data_name }}</a>{%- if data_to_enrich |length > 1 -%}</li>{%endif%}
{% endfor %}
{%- if data_to_enrich |length > 1 -%}</ul>{%endif%}
<br />
</td>
</tr>
{% endif %}
{% if references is defined and references|length %}
<tr>
<th class="confluenceTh">References</th>
<td class="confluenceTd">
{%- if references |length > 1 -%}<ul>{%endif%}
{% for ref in references %}
{%- if references |length > 1 -%}<li>{%endif%}<a href="{{ ref }}">{{ ref }}</a>{%- if references |length > 1 -%}</li>{%endif%}
{% endfor %}
{%- if references |length > 1 -%}</ul>{%endif%}
<br />
</td>
</tr>
{% endif %}
<tr>
<th class="confluenceTh">Author</th>
<td class="confluenceTd">{{ author|e }}<br /></td>
</tr>
{% if requirements is defined and requirements|length %}
<tr>
<th class="confluenceTh">Requirements</th>
<td class="confluenceTd">
{%- if requirements |length > 1 -%}<ul>{%endif%}
{% for req_name, req_id in requirements %}
{%- if requirements |length > 1 -%}<li>{%endif%}<a href="/wiki/spaces/SOC/pages/{{req_id}}">{{ req_name }}</a>{%- if requirements |length > 1 -%}</li>{%endif%}
{% endfor %}
{%- if requirements |length > 1 -%}</ul>{%endif%}
<br />
</td>
</tr>
{% endif %}
{% if new_fields is defined and new_fields|length %}
<tr>
<th class="confluenceTh">New Fields</th>
<td class="confluenceTd">
{%- if new_fields |length > 1 -%}<ul>{%endif%}
{% for field in new_fields %}
{%- if new_fields |length > 1 -%}<li>{%endif%}{{ field }}{%- if new_fields |length > 1 -%}</li>{%endif%}
{% endfor %}
{%- if new_fields |length > 1 -%}</ul>{%endif%}
<br />
</td>
</tr>
{% endif %}
</tbody>
</table>
<p class="auto-cursor-target"><br /></p>
</ac:rich-text-body>
</ac:structured-macro>
{% if config is defined and config|length %}
<h1>Config</h1>
<pre><br/></pre>
<ac:structured-macro ac:name="markdown"><ac:plain-text-body>
<![CDATA[{{ config }}]]>
</ac:plain-text-body></ac:structured-macro>
{% else %}
{% endif %}
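Review bot: `{{ ref }}` is interpolated into `href="{{ ref }}"` and into element text, and `{{ data_name }}`, `{{ req_name }}` and `{{ field }}` into element text, all without the `|e` filter that `title`, `description` and `author` get in the same table; unless the Jinja environment (created outside this hunk) enables autoescape, a reference containing `"`, `<` or `&` breaks the Confluence storage XHTML or injects markup into the page, so those rows should use `{{ ref|e }}` and friends as well. `<![CDATA[{{ config }}]]>` has the analogous problem with the sequence `]]>` inside a config, which terminates the CDATA section early; `{{ config|replace(']]>', ']]]]><![CDATA[>') }}` is the usual way to keep it intact. The trailing `{% else %}{% endif %}` after the config block is an empty branch and can be dropped.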

@ -3,10 +3,10 @@
| Description | {{ description }} |
| Logging Policy | <ul>{% for policy in loggingpolicy %}<li>[{{ policy }}](../Logging_Policies/{{policy}}.md)</li>{% endfor %}</ul> |
| References | <ul>{% for ref in references %}<li>[{{ ref }}]({{ ref }})</li>{% endfor %}</ul> |
| Platform | {{ platform }} |
| Type | {{ type }} |
| Channel | {{ channel }} |
| Provider | {{ provider }} |
| Platform | {{ platform }} |
| Type | {{ type }} |
| Channel | {{ channel }} |
| Provider | {{ provider }} |
| Fields | <ul>{% for field in fields %}<li>{{ field }}</li>{% endfor %}</ul> |
{% if sample is defined and sample|length %}

@ -0,0 +1,14 @@
| Title | {{ title }} |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | {{ description }} |
| Data Needed | {%- if data_needed is defined and data_needed|length %}<ul>{% for data in data_needed %}<li>[{{ data }}](../Data_Needed/{{data}}.md)</li>{% endfor %}</ul>{% else %} None{%endif%} |
| Data to enrich | {%- if data_to_enrich is defined and data_to_enrich|length %}<ul>{% for data in data_to_enrich %}<li>[{{ data }}](../Data_Needed/{{data}}.md)</li>{% endfor %}</ul>{% else %} None{%endif%} |
| References | {%- if references is defined and references|length %}<ul>{% for ref in references %}<li>[{{ ref }}]({{ ref }})</li>{% endfor %}</ul>{% else %} None{%endif%} |
| Author | {{ author }} |
| Requirements | {%- if requirements is defined and requirements|length %}<ul>{% for req in requirements %}<li>[{{ req }}](../Enrichments/{{req}}.md)</li>{% endfor %}</ul>>{% else %} None{%endif%} |
| New fields | {%- if new_fields is defined and new_fields|length %}<ul>{% for field in new_fields %}<li>{{ field }}</li>{% endfor %}</ul>{% else %} None{%endif%} |
### Config
{{ config }}
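Review bot: The Requirements row closes its list with `</ul>>` — a stray `>` after `</ul>` — which is why the generated Enrichments pages earlier in this diff show `</ul>> |` in that cell (EN_0003's Requirements row, for instance); the line should end `{% endfor %}</ul>{% else %} None{%endif%} |`. The sibling rows in this template are already correct, so this is the only cell affected.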

@ -4,7 +4,7 @@
| Automation | {%- if automation is defined and automation|length %}<ul>{% for auto in automation %}<li>{{ auto }}</li>{% endfor %}</ul>{% else %} None{%endif%} |
| Author | {{ author }} |
| Creation Date | {{ creation_date }} |
| References | {%- if references is defined and references|length %}<ul>{% for ref in references %}<li>[{{ ref }}]({{ ref }})</li>{% endfor %}{% else %} None{%endif%}</ul> |
| References | {%- if references is defined and references|length %}<ul>{% for ref in references %}<li>[{{ ref }}]({{ ref }})</li>{% endfor %}</ul>{% else %} None{%endif%} |
| Description | {{ description }} |
| Linked Response Actions | {%- if linked_ra is defined and linked_ra|length %}<ul>{% for action in linked_ra %}<li>[{{ action }}](../Response_Actions/{{action}}.md)</li>{% endfor %}</ul>{% else %} None{%endif%} |
| Linked Analytics | {%- if linked_analytics is defined and linked_analytics|length %}<ul>{% for analytic in linked_analytics %}<li>{{ analytic }}</li>{% endfor %}</ul>{% else %} None{%endif%} |

@ -1,19 +1,19 @@
| Title | {{ title }} |
|:---------------|:-----------------------------------------------------------------------------------------------------------------|
| Description | {{ description }} |
| ATT&amp;CK Tactic | {%- if tactics is defined and tactics|length %}<ul>{% for tactic_name, tactic_id in tactics %}<li>[{{tactic_id}}: {{tactic_name}}](https://attack.mitre.org/tactics/{{tactic_id}})</li>{% endfor %}</ul>{% else %} None{%endif%}</ul> |
| ATT&amp;CK Technique | {%- if techniques is defined and techniques|length %}<ul>{% for technique in techniques %}<li>[{{technique}}](https://attack.mitre.org/tactics/{{technique}})</li>{% endfor %}</ul>{% else %} None{%endif%}</ul> |
| Tags | {%- if other_tags is defined and other_tags|length %}<ul>{% for tag in other_tags %}<li>{{ tag }}</li>{% endfor %}</ul>{% else %} None{%endif%}</ul> |
| ATT&amp;CK Tactic | {%- if tactics is defined and tactics|length %}<ul>{% for tactic_name, tactic_id in tactics %}<li>[{{tactic_id}}: {{tactic_name}}](https://attack.mitre.org/tactics/{{tactic_id}})</li>{% endfor %}</ul>{% else %} None{%endif%} |
| ATT&amp;CK Technique | {%- if techniques is defined and techniques|length %}<ul>{% for technique in techniques %}<li>[{{technique}}](https://attack.mitre.org/tactics/{{technique}})</li>{% endfor %}</ul>{% else %} None{%endif%} |
| Tags | {%- if other_tags is defined and other_tags|length %}<ul>{% for tag in other_tags %}<li>{{ tag }}</li>{% endfor %}</ul>{% else %} None{%endif%} |
| Severity | {{ severity }} |
| TLP | {{ tlp }} |
| PAP | {{ pap }} |
| Author | {{ author }} |
| Creation Date | {{ creation_date }} |
| Identification | {%- if identification is defined and identification|length %}<ul>{% for action in identification %}<li>[{{ action }}](../Response_Actions/{{action}}.md)</li>{% endfor %}{% else %} None{%endif%}</ul> |
| Containment | {%- if containment is defined and containment|length %}<ul>{% for action in containment %}<li>[{{ action }}](../Response_Actions/{{action}}.md)</li>{% endfor %}{% else %} None{%endif%}</ul> |
| Eradication | {%- if eradication is defined and eradication|length %}<ul>{% for action in eradication %}<li>[{{ action }}](../Response_Actions/{{action}}.md)</li>{% endfor %}{% else %} None{%endif%}</ul> |
| Recovery | {%- if recovery is defined and recovery|length %}<ul>{% for action in recovery %}<li>[{{ action }}](../Response_Actions/{{action}}.md)</li>{% endfor %}{% else %} None{%endif%}</ul> |
| Lessons Learned | {%- if lessons_learned is defined and lessons_learned|length %}<ul>{% for action in lessons_learned %}<li>[{{ action }}](../Response_Actions/{{action}}.md)</li>{% endfor %}{% else %} None{%endif%}</ul> |
| Identification | {%- if identification is defined and identification|length %}<ul>{% for action in identification %}<li>[{{ action }}](../Response_Actions/{{action}}.md)</li>{% endfor %}</ul>{% else %} None{%endif%} |
| Containment | {%- if containment is defined and containment|length %}<ul>{% for action in containment %}<li>[{{ action }}](../Response_Actions/{{action}}.md)</li>{% endfor %}</ul>{% else %} None{%endif%} |
| Eradication | {%- if eradication is defined and eradication|length %}<ul>{% for action in eradication %}<li>[{{ action }}](../Response_Actions/{{action}}.md)</li>{% endfor %}</ul>{% else %} None{%endif%} |
| Recovery | {%- if recovery is defined and recovery|length %}<ul>{% for action in recovery %}<li>[{{ action }}](../Response_Actions/{{action}}.md)</li>{% endfor %}</ul>{% else %} None{%endif%} |
| Lessons Learned | {%- if lessons_learned is defined and lessons_learned|length %}<ul>{% for action in lessons_learned %}<li>[{{ action }}](../Response_Actions/{{action}}.md)</li>{% endfor %}</ul>{% else %} None{%endif%} |
### Workflow
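Review bot: The ATT&CK Technique row links every technique to `https://attack.mitre.org/tactics/{{technique}}`; technique pages live under `/techniques/`, so the new line should read `<li>[{{technique}}](https://attack.mitre.org/techniques/{{technique}})</li>` — the rendered RP_0001 page in this commit (`[T1193](https://attack.mitre.org/tactics/T1193)`) shows the broken link the current template produces. The `</ul>` relocation into the `if` branch across these rows is correct; the tactic row's `/tactics/{{tactic_id}}` path is fine as it is.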

@ -136,7 +136,9 @@ def yaml2confluence_jinja(file, type, url, mail, password):
logging_policies_with_id = []
for lp in logging_policies:
logging_policies_id = str(get_page_id(url, auth, space, lp))
if lp != "None":
logging_policies_id = str(get_page_id(url, auth, space, lp))
logging_policies_id = ""
lp = (lp, logging_policies_id)
logging_policies_with_id.append(lp)
@ -238,6 +240,43 @@ def yaml2confluence_jinja(file, type, url, mail, password):
fields.update({'description':fields.get('description').strip()})
content = template.render(fields)
elif type=="enrichment" or type=="EN":
template = env.get_template('confluence_enrichments_template.md.j2')
parent_title="Enrichments"
data_needed = fields.get('data_needed')
if data_needed:
data_needed_with_id = []
for dn in data_needed:
data_needed_id = str(get_page_id(url, auth, space, dn))
dn = (dn, data_needed_id)
data_needed_with_id.append(dn)
fields.update({'data_needed':data_needed_with_id})
data_to_enrich = fields.get('data_to_enrich')
if data_to_enrich:
data_to_enrich_with_id = []
for de in data_to_enrich:
data_to_enrich_id = str(get_page_id(url, auth, space, de))
de = (de, data_to_enrich_id)
data_to_enrich_with_id.append(de)
fields.update({'data_to_enrich':data_to_enrich_with_id})
requirements = fields.get('requirements')
if requirements:
requirements_with_id = []
for req in requirements:
requirements_id = str(get_page_id(url, auth, space, req))
req = (req, requirements_id)
requirements_with_id.append(req)
fields.update({'requirements':requirements_with_id})
fields.update({'description':fields.get('description').strip()})
content = template.render(fields)
elif type=="triggering" or type=="TG":
template = env.get_template('confluence_trigger_template.html.j2')
parent_title="Triggering"
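Review bot: The three new lookup loops in the enrichment branch (over `data_needed`, `data_to_enrich` and `requirements`) call `get_page_id` for every entry unconditionally, while the first hunk in this same file adds an `if lp != "None":` guard so the `"None"` placeholder never triggers a Confluence lookup; if enrichment YAMLs can carry that placeholder too (I cannot confirm that from the hunk), these loops will query for a page that does not exist. The loops are also three verbatim copies of the same pairing logic, so a small helper would apply the guard once and keep the behaviour aligned with the logging-policy case. Separately, `fields.update({'description':fields.get('description').strip()})` raises `AttributeError` when `description` is missing from the YAML; `fields.get('description', '').strip()` keeps the render going. `yaml2confluence_jinja` begins and ends outside this hunk.
```python
def _with_page_ids(names, url, auth, space):
    """Pair each name with its Confluence page id; the "None" placeholder gets an empty id."""
    paired = []
    for name in names:
        page_id = "" if name == "None" else str(get_page_id(url, auth, space, name))
        paired.append((name, page_id))
    return paired

# … unchanged: earlier branches of yaml2confluence_jinja …
    elif type=="enrichment" or type=="EN":
        template = env.get_template('confluence_enrichments_template.md.j2')
        parent_title="Enrichments"
        for key in ('data_needed', 'data_to_enrich', 'requirements'):
            values = fields.get(key)
            if values:
                fields.update({key: _with_page_ids(values, url, auth, space)})
        fields.update({'description':fields.get('description', '').strip()})
        content = template.render(fields)
```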


@ -163,6 +163,13 @@ def yaml2markdown_jinja(file, type):
fields.update({'description':fields.get('description').strip()})
content = template.render(fields)
elif type=="enrichment" or type=="EN":
template = env.get_template('markdown_enrichments_template.md.j2')
parent_title="Enrichments"
fields.update({'description':fields.get('description').strip()})
content = template.render(fields)
elif type=="triggering" or type=="TG":
pass