diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0001_4688_windows_process_creation.md b/Atomic_Threat_Coverage/Data_Needed/DN_0001_4688_windows_process_creation.md index c7eb387..d08b4cf 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0001_4688_windows_process_creation.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0001_4688_windows_process_creation.md @@ -1,12 +1,12 @@ | Title | DN_0001_4688_windows_process_creation | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | Windows process creation log, not including command line. | +| Description | Windows process creation log, not including command line | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Security | -| Provider | Microsoft-Windows-Security-Auditing | +| Platform | Windows | +| Type | Windows Log | +| Channel | Security | +| Provider | Microsoft-Windows-Security-Auditing | | Fields | | @@ -16,37 +16,37 @@ ``` - -- - - 4688 - 2 - 0 - 13312 - 0 - 0x8020000000000000 - - 2814 - - - Security - WIN-GG82ULGC9GO.contoso.local - + - + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + 2814 + + + Security + WIN-GG82ULGC9GO.contoso.local + -- - S-1-5-18 - WIN-GG82ULGC9GO$ - CONTOSO - 0x3e7 - 0x2bc - C:\\Windows\\System32\\rundll32.exe - %%1938 - 0xe74 - S-1-5-21-1377283216-344919071-3415362939-1104 - dadmin - CONTOSO - 0x4a5af0 - C:\\Windows\\explorer.exe - S-1-16-8192 + - + S-1-5-18 + WIN-GG82ULGC9GO$ + CONTOSO + 0x3e7 + 0x2bc + C:\\Windows\\System32\\rundll32.exe + %%1938 + 0xe74 + S-1-5-21-1377283216-344919071-3415362939-1104 + dadmin + CONTOSO + 0x4a5af0 + C:\\Windows\\explorer.exe + S-1-16-8192 diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md b/Atomic_Threat_Coverage/Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md index 4593afe..b3bd827 100644 
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md @@ -1,13 +1,13 @@ | Title | DN_0002_4688_windows_process_creation_with_commandline | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | Windows process creation log, including command line. | +| Description | Windows process creation log, including command line | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Security | -| Provider | Microsoft-Windows-Security-Auditing | -| Fields | | +| Platform | Windows | +| Type | Windows Log | +| Channel | Security | +| Provider | Microsoft-Windows-Security-Auditing | +| Fields | | ## Log Samples @@ -17,39 +17,39 @@ ``` - - - - 4688 - 2 - 0 - 13312 - 0 - 0x8020000000000000 - - 3542561 - - - Security - atc-win-10.atc.local - - + + 4688 + 2 + 0 + 13312 + 0 + 0x8020000000000000 + + 3542561 + + + Security + atc-win-10.atc.local + + - - S-1-5-21-540864798-2899685673-3651185163-500 - user1 - atc-win-10 - 0xcdd96 - 0x12d0 - C:\Users\user1\Desktop\PSTools\PsExec64.exe - %%1936 - 0x21d4 - PsExec64.exe -i -s -d cmd - S-1-0-0 - - - - - 0x0 - C:\Windows\System32\cmd.exe - S-1-16-12288 - - + S-1-5-21-540864798-2899685673-3651185163-500 + user1 + atc-win-10 + 0xcdd96 + 0x12d0 + C:\Users\user1\Desktop\PSTools\PsExec64.exe + %%1936 + 0x21d4 + PsExec64.exe -i -s -d cmd + S-1-0-0 + - + - + 0x0 + C:\Windows\System32\cmd.exe + S-1-16-12288 + + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0003_1_windows_sysmon_process_creation.md b/Atomic_Threat_Coverage/Data_Needed/DN_0003_1_windows_sysmon_process_creation.md index 33017ae..178ca03 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0003_1_windows_sysmon_process_creation.md 
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0003_1_windows_sysmon_process_creation.md @@ -1,12 +1,12 @@ | Title | DN_0003_1_windows_sysmon_process_creation | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | Windows process creation log, including command line. | +| Description | Windows process creation log, including command line | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -16,7 +16,7 @@ ``` - -- + - 1 5 @@ -32,7 +32,7 @@ test.lab.local -- + - 2017-04-28 22:08:22.025 {A23EAE89-BD56-5903-0000-0010E9D95E00} 6228 diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0004_4624_windows_account_logon.md b/Atomic_Threat_Coverage/Data_Needed/DN_0004_4624_windows_account_logon.md index 41897f1..346701b 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0004_4624_windows_account_logon.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0004_4624_windows_account_logon.md @@ -1,12 +1,12 @@ | Title | DN_0004_4624_windows_account_logon | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | An account was successfully logged on. | +| Description | An account was successfully logged on | | Logging Policy |
  • [LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)
| | References |
  • [https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)
| -| Platform | Windows | -| Type | Windows Log | -| Channel | Security | -| Provider | Microsoft-Windows-Security-Auditing | +| Platform | Windows | +| Type | Windows Log | +| Channel | Security | +| Provider | Microsoft-Windows-Security-Auditing | | Fields |
  • EventID
  • AccountName
  • Hostname
  • Computer
  • SubjectUserSid
  • SubjectUserName
  • SubjectDomainName
  • SubjectLogonId
  • TargetUserSid
  • TargetUserName
  • TargetDomainName
  • TargetLogonId
  • LogonType
  • LogonProcessName
  • AuthenticationPackageName
  • WorkstationName
  • LogonGuid
  • TransmittedServices
  • LmPackageName
  • KeyLength
  • ProcessId
  • ThreadID
  • ProcessName
  • IpAddress
  • IpPort
  • ImpersonationLevel
  • RestrictedAdminMode
  • TargetOutboundUserName
  • TargetOutboundDomainName
  • VirtualAccount
  • TargetLinkedLogonId
  • ElevatedToken
| @@ -31,7 +31,7 @@ Security WIN-GG82ULGC9GO -
+ - S-1-5-18 WIN-GG82ULGC9GO$ @@ -60,8 +60,8 @@ %%1843 0x0 %%1842 - -
+ + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0005_7045_windows_service_insatalled.md b/Atomic_Threat_Coverage/Data_Needed/DN_0005_7045_windows_service_insatalled.md index 68c7b4c..88b2e69 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0005_7045_windows_service_insatalled.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0005_7045_windows_service_insatalled.md @@ -1,12 +1,12 @@ | Title | DN_0005_7045_windows_service_insatalled | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | A service was installed in the system. | -| Logging Policy | | -| References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | System | -| Provider | Service Control Manager | +| Description | A service was installed in the system | +| Logging Policy | | +| References | | +| Platform | Windows | +| Type | Windows Log | +| Channel | System | +| Provider | Service Control Manager | | Fields | | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0006_2_windows_sysmon_process_changed_a_file_creation_time.md b/Atomic_Threat_Coverage/Data_Needed/DN_0006_2_windows_sysmon_process_changed_a_file_creation_time.md index de1e197..1eeda60 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0006_2_windows_sysmon_process_changed_a_file_creation_time.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0006_2_windows_sysmon_process_changed_a_file_creation_time.md @@ -3,10 +3,10 @@ | Description | Explicit modification of file creation timestamp by a process | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | 
@@ -17,32 +17,31 @@ ``` - - - - 2 - 4 - 4 - 2 - 0 - 0x8000000000000000 - - 6994 - - - Microsoft-Windows-Sysmon/Operational - atc-win-10.atc.local - - + + 2 + 4 + 4 + 2 + 0 + 0x8000000000000000 + + 5256170 + + + Microsoft-Windows-Sysmon/Operational + rfsH.lab.local + + - - - 2018-12-10 15:08:56.954 - {9683FBB1-8164-5C0E-0000-00104B532800} - 2788 - C:\Users\user1\AppData\Local\Temp\chocolatey\wireshark\2.6.5\Wireshark-win64-2.6.5.exe - C:\Program Files\Wireshark\user-guide.chm - 2018-11-28 18:37:08.000 - 2018-12-10 15:08:56.486 - - + 2017-07-30 23:26:47.321 + {A23EAE89-EF48-5978-0000-00104832B112} + 25968 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + C:\Users\rsmith.LAB\AppData\Local\Google\Chrome\User Data\Default\c61f44ce-5bb0-4efe-acc1-246fa8a3df1d.tmp + 2016-11-25 18:21:47.692 + 2017-07-30 23:26:47.317 + + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0007_3_windows_sysmon_network_connection.md b/Atomic_Threat_Coverage/Data_Needed/DN_0007_3_windows_sysmon_network_connection.md index af543a0..2fa70ad 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0007_3_windows_sysmon_network_connection.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0007_3_windows_sysmon_network_connection.md @@ -3,10 +3,10 @@ | Description | TCP/UDP connections made by a process | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | 
@@ -17,42 +17,41 @@ ``` - - - - 3 - 5 - 4 - 3 - 0 - 0x8000000000000000 - - 16000 - - - Microsoft-Windows-Sysmon/Operational - ATC-WIN-7.atc.local - - + + 3 + 5 + 4 + 3 + 0 + 0x8000000000000000 + + 10953 + + + Microsoft-Windows-Sysmon/Operational + rfsH.lab.local + + - - - 2019-02-05 15:16:17.411 - {A96EFBF1-A8C9-5C59-0000-0010D274D300} - 3900 - C:\Users\user1\Desktop\SysinternalsSuite\PsExec.exe - ATC-WIN-7\user1 - tcp - true - false - 10.0.0.111 - ATC-WIN-7.atc.local - 49603 - - false - 10.0.0.103 - ATC-WIN-10 - 135 - epmap - - + 2017-04-28 22:12:22.557 + {A23EAE89-BD28-5903-0000-00102F345D00} + 13220 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + LAB\rsmith + tcp + true + false + 192.168.1.250 + rfsH.lab.local + 3328 + + false + 104.130.229.150 + + 443 + https + + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0008_4_windows_sysmon_sysmon_service_state_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0008_4_windows_sysmon_sysmon_service_state_changed.md index 15b4059..4b047f8 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0008_4_windows_sysmon_sysmon_service_state_changed.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0008_4_windows_sysmon_sysmon_service_state_changed.md @@ -1,12 +1,12 @@ -| Title | DN_0007_windows_sysmon_sysmon_service_state_changed_4 | +| Title | DN_0008_4_windows_sysmon_sysmon_service_state_changed | |:---------------|:-----------------------------------------------------------------------------------------------------------------| | Description | Sysmon service changed status | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | 
@@ -17,28 +17,28 @@ ``` - - - - 4 - 3 - 4 - 4 - 0 - 0x8000000000000000 - - 45818 - - - Microsoft-Windows-Sysmon/Operational - atc-win-10.atc.local - - + + 4 + 3 + 4 + 4 + 0 + 0x8000000000000000 + + 16761 + + + Microsoft-Windows-Sysmon/Operational + rfsH.lab.local + + - - 2019-02-05 13:11:20.281 - Started - 8.00 - 4.10 - - + 2017-04-28 22:52:20.883 + Stopped + 6.01 + 3.30 + + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0009_5_windows_sysmon_process_terminated.md b/Atomic_Threat_Coverage/Data_Needed/DN_0009_5_windows_sysmon_process_terminated.md index c084428..0d6f906 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0009_5_windows_sysmon_process_terminated.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0009_5_windows_sysmon_process_terminated.md @@ -3,10 +3,10 @@ | Description | Process has been terminated | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -17,29 +17,28 @@ ``` - - - - 5 - 3 - 4 - 5 - 0 - 0x8000000000000000 - - 57994 - - - Microsoft-Windows-Sysmon/Operational - atc-win-10.atc.local - - + + 5 + 3 + 4 + 5 + 0 + 0x8000000000000000 + + 11235 + + + Microsoft-Windows-Sysmon/Operational + rfsH.lab.local + + - - - 2019-02-05 15:16:38.821 - {9683FBB1-A8D6-5C59-0000-001009797000} - 2440 - C:\Windows\PSEXESVC.exe - - + 2017-04-28 22:13:20.895 + {A23EAE89-BD28-5903-0000-001009665D00} + 12684 + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0010_6_windows_sysmon_driver_loaded.md b/Atomic_Threat_Coverage/Data_Needed/DN_0010_6_windows_sysmon_driver_loaded.md index d0daba8..10b5647 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0010_6_windows_sysmon_driver_loaded.md 
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0010_6_windows_sysmon_driver_loaded.md @@ -1,12 +1,12 @@ | Title | DN_0010_6_windows_sysmon_driver_loaded | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information | +| Description | The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -17,31 +17,31 @@ ``` - - - - 6 - 3 - 4 - 6 - 0 - 0x8000000000000000 - - 4565 - - - Microsoft-Windows-Sysmon/Operational - atc-win-10.atc.local - - + + 6 + 3 + 4 + 6 + 0 + 0x8000000000000000 + + 4565 + + + Microsoft-Windows-Sysmon/Operational + atc-win-10.atc.local + + - - - 2018-12-09 21:41:41.091 - C:\Windows\System32\drivers\PROCEXP152.SYS - MD5=8213C5972C91A56BE78CD02A4DE4E3FC,SHA256=95D07C3B8DF26790AC43BB4259F65D1E90B03EA31D66F1B3961D85E21C5FF590 - true - Sysinternals - Valid - - + + 2018-12-09 21:41:41.091 + C:\Windows\System32\drivers\PROCEXP152.SYS + MD5=8213C5972C91A56BE78CD02A4DE4E3FC,SHA256=95D07C3B8DF26790AC43BB4259F65D1E90B03EA31D66F1B3961D85E21C5FF590 + true + Sysinternals + Valid + + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md b/Atomic_Threat_Coverage/Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md index 474c504..db0da1a 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md 
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md @@ -1,12 +1,12 @@ | Title | DN_0011_7_windows_sysmon_image_loaded | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | The image loaded event logs when a module is loaded in a specific process. | +| Description | The image loaded event logs when a module is loaded in a specific process | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -16,7 +16,7 @@ ``` - -- + - 7 3 @@ -32,7 +32,7 @@ rfsH.lab.local -- + - 2017-04-28 22:45:16.662 {A23EAE89-C5FA-5903-0000-0010BF439000} 12536 @@ -43,7 +43,7 @@ Microsoft Windows Valid - + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0012_8_windows_sysmon_CreateRemoteThread.md b/Atomic_Threat_Coverage/Data_Needed/DN_0012_8_windows_sysmon_CreateRemoteThread.md index 575cd90..093910d 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0012_8_windows_sysmon_CreateRemoteThread.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0012_8_windows_sysmon_CreateRemoteThread.md 
@@ -1,12 +1,12 @@ | Title | DN_0012_8_windows_sysmon_CreateRemoteThread | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | The CreateRemoteThread event detects when a process creates a thread in another process. | +| Description | The CreateRemoteThread event detects when a process creates a thread in another process | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -16,34 +16,34 @@ ``` - -- - - 8 - 2 - 4 - 8 - 0 - 0x8000000000000000 - - 739823 - - - Microsoft-Windows-Sysmon/Operational - rfsH.lab.local - + - + + 8 + 2 + 4 + 8 + 0 + 0x8000000000000000 + + 739823 + + + Microsoft-Windows-Sysmon/Operational + rfsH.lab.local + - - 2017-05-13 22:53:43.214 - {A23EAE89-8E6D-5917-0000-0010DFAF5004} - 8804 - C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe - {A23EAE89-8E5A-5917-0000-00100E3E4D04} - 2024 - C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe - 20532 - 0x00007FFB09321970 - C:\Windows\SYSTEM32\ntdll.dll - DbgUiRemoteBreakin + 2017-05-13 22:53:43.214 + {A23EAE89-8E6D-5917-0000-0010DFAF5004} + 8804 + C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe + {A23EAE89-8E5A-5917-0000-00100E3E4D04} + 2024 + C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe + 20532 + 0x00007FFB09321970 + C:\Windows\SYSTEM32\ntdll.dll + DbgUiRemoteBreakin 
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0013_9_windows_sysmon_RawAccessRead.md b/Atomic_Threat_Coverage/Data_Needed/DN_0013_9_windows_sysmon_RawAccessRead.md index 11d9137..e25a4ec 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0013_9_windows_sysmon_RawAccessRead.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0013_9_windows_sysmon_RawAccessRead.md @@ -1,12 +1,12 @@ | Title | DN_0013_9_windows_sysmon_RawAccessRead | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation. | +| Description | The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -16,7 +16,7 @@ ``` - -- + - 9 2 @@ -32,14 +32,14 @@ rfsH.lab.local -- + - 2018-03-22 20:32:22.332 {A23EAE89-C65F-5AB2-0000-0010EB030000} 4 System \Device\HarddiskVolume2 - + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md b/Atomic_Threat_Coverage/Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md index 225344c..df71db1 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md 
@@ -1,12 +1,12 @@ | Title | DN_0014_10_windows_sysmon_ProcessAccess | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | The process accessed event reports when a process opens another process, an operation that’s often followed by information queries or reading and writing the address space of the target process. | +| Description | The process accessed event reports when a process opens another process, an operation that’s often followed by information queries or reading and writing the address space of the target process | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -16,7 +16,7 @@ ``` - -- + - 10 3 @@ -32,7 +32,7 @@ atc-win-10.atc.local -- + - 2019-01-30 14:28:35.212 {9683FBB1-B470-5C51-0000-0010521EBB00} @@ -45,7 +45,7 @@ 0x1010 C:\windows\SYSTEM32\ntdll.dll+9a3c4|C:\windows\System32\KERNELBASE.dll+2fd5d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a906|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7ac75|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a82d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d28c|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d0c4|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4cea1|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+80675|C:\windows\System32\KERNEL32.DLL+13034|C:\windows\SYSTEM32\ntdll.dll+71471 - + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md b/Atomic_Threat_Coverage/Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md index 650c40a..ce3b797 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md 
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md @@ -1,12 +1,12 @@ | Title | DN_0015_11_windows_sysmon_FileCreate | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection. | +| Description | File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -16,7 +16,7 @@ ``` - -- + - 11 2 @@ -32,7 +32,7 @@ atc-win-10.atc.local -- + - 2019-01-30 15:08:51.287 {9683FBB1-9A3F-5C51-0000-0010EB030000} @@ -41,7 +41,7 @@ C:\Windows\PSEXESVC.exe 2019-01-30 15:08:51.287 - + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md index 85440ad..7fb3968 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md 
@@ -1,12 +1,12 @@ | Title | DN_0016_12_windows_sysmon_RegistryEvent | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications. | +| Description | Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -16,7 +16,7 @@ ``` - -- + - 12 2 @@ -32,7 +32,7 @@ atc-win-10.atc.local -- + - DeleteKey 2019-01-30 17:05:28.023 @@ -41,7 +41,7 @@ C:\Windows\regedit.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Key #1 - + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md index 06c8e70..b76e12b 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md 
@@ -1,12 +1,12 @@ | Title | DN_0016_13_windows_sysmon_RegistryEvent | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD. | +| Description | This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -16,7 +16,7 @@ ``` - -- + - 13 2 @@ -32,7 +32,7 @@ atc-win-10.atc.local -- + - SetValue 2019-01-30 17:06:11.673 @@ -42,7 +42,7 @@ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Value #1 C:\Program Files\Sublime Text 3\sublime_text.exe - + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md index 170b833..73d032e 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md 
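Review bot: The Title cell in this file's first hunk still reads `DN_0016_13_windows_sysmon_RegistryEvent` although the file is DN_0017_13_windows_sysmon_RegistryEvent.md, and it is left as an unchanged context line while the commit corrects the same kind of title/filename mismatch in DN_0008. Since the Title appears to serve as the entry's identifier, two entries sharing the DN_0016 prefix invites the wrong one being referenced; I would change the line to `| Title | DN_0017_13_windows_sysmon_RegistryEvent |`. If these markdown files are generated from YAML sources, the correction presumably belongs in the corresponding source entry rather than in the rendered file.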
@@ -1,12 +1,12 @@ | Title | DN_0018_14_windows_sysmon_RegistryEvent | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed. | +| Description | Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -16,33 +16,33 @@ ``` - -- - - 14 - 2 - 4 - 14 - 0 - 0x8000000000000000 - - 43065 - - - Microsoft-Windows-Sysmon/Operational - atc-win-10.atc.local - + - + + 14 + 2 + 4 + 14 + 0 + 0x8000000000000000 + + 43065 + + + Microsoft-Windows-Sysmon/Operational + atc-win-10.atc.local + -- - - RenameKey - 2019-01-30 18:16:38.886 - {9683FBB1-D812-5C51-0000-0010F3871201} - 10396 - C:\Windows\regedit.exe - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #2 + - + + RenameKey + 2019-01-30 18:16:38.886 + {9683FBB1-D812-5C51-0000-0010F3871201} + 10396 + C:\Windows\regedit.exe + HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1 + HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #2 - + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0019_15_windows_sysmon_FileCreateStreamHash.md b/Atomic_Threat_Coverage/Data_Needed/DN_0019_15_windows_sysmon_FileCreateStreamHash.md index 022eb0c..a6c829a 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0019_15_windows_sysmon_FileCreateStreamHash.md 
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0019_15_windows_sysmon_FileCreateStreamHash.md @@ -1,12 +1,12 @@ | Title | DN_0019_15_windows_sysmon_FileCreateStreamHash | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. | +| Description | This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -17,32 +17,32 @@ ``` - - - - 15 - 2 - 4 - 15 - 0 - 0x8000000000000000 - - 34115 - - - Microsoft-Windows-Sysmon/Operational - atc-win-10.atc.local - - + + 15 + 2 + 4 + 15 + 0 + 0x8000000000000000 + + 34115 + + + Microsoft-Windows-Sysmon/Operational + atc-win-10.atc.local + + - - - 2019-01-21 12:43:53.368 - {9683FBB1-A860-5C45-0000-0010274F1400} - 6604 - C:\windows\Explorer.EXE - C:\Users\user1\Downloads\wce_v1_42beta_x64\wce.exe - 2013-11-11 22:41:40.000 - MD5=CCF1D1573F175299ADE01C07791A6541,SHA256=68A15A34C2E28B9B521A240B948634617D72AD619E3950BC6DC769E60A0C3CF2 - - + + 2019-01-21 12:43:53.368 + {9683FBB1-A860-5C45-0000-0010274F1400} + 6604 + C:\windows\Explorer.EXE + C:\Users\user1\Downloads\wce_v1_42beta_x64\wce.exe + 2013-11-11 22:41:40.000 + MD5=CCF1D1573F175299ADE01C07791A6541,SHA256=68A15A34C2E28B9B521A240B948634617D72AD619E3950BC6DC769E60A0C3CF2 + + ``` 
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md index 7ff77ef..ef3cacf 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md @@ -1,12 +1,12 @@ | Title | DN_0020_17_windows_sysmon_PipeEvent | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | This event generates when a named pipe is created. Malware often uses named pipes for interprocess communication. | +| Description | This event generates when a named pipe is created. Malware often uses named pipes for interprocess communication | | Logging Policy | | | References | | -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields | | @@ -17,30 +17,30 @@ ``` - - - - 17 - 1 - 4 - 17 - 0 - 0x8000000000000000 - - 46617 - - - Microsoft-Windows-Sysmon/Operational - atc-win-10.atc.local - - + + 17 + 1 + 4 + 17 + 0 + 0x8000000000000000 + + 46617 + + + Microsoft-Windows-Sysmon/Operational + atc-win-10.atc.local + + - - - 2019-02-05 13:37:34.396 - {9683FBB1-919E-5C59-0000-0010A0E53B00} - 7128 - \PSEXESVC-ATC-WIN-7-2728-stdin - C:\windows\PSEXESVC.exe - - + + 2019-02-05 13:37:34.396 + {9683FBB1-919E-5C59-0000-0010A0E53B00} + 7128 + \PSEXESVC-ATC-WIN-7-2728-stdin + C:\windows\PSEXESVC.exe + + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md index f5074f8..43efded 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md 
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md @@ -1,12 +1,12 @@ | Title | DN_0021_18_windows_sysmon_PipeEvent | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | This event logs when a named pipe connection is made between a client and a server. | +| Description | This event logs when a named pipe connection is made between a client and a server | | Logging Policy |
  • [LP_0009_windows_sysmon_PipeEvent](../Logging_Policies/LP_0009_windows_sysmon_PipeEvent.md)
| | References |
  • [https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md)
  • [https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018)
| -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields |
  • EventID
  • Computer
  • UtcTime
  • ProcessGuid
  • ProcessId
  • PipeName
  • Image
| diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md index 95b37ec..30cb83f 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md @@ -1,12 +1,12 @@ | Title | DN_0022_19_windows_sysmon_WmiEvent | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression. | +| Description | When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression | | Logging Policy |
  • [LP_0010_windows_sysmon_WmiEvent](../Logging_Policies/LP_0010_windows_sysmon_WmiEvent.md)
| | References |
  • [https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md)
  • [https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019)
| -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields |
  • EventID
  • Computer
  • EventType
  • UtcTime
  • Operation
  • User
  • EventNamespace
  • Name
  • Query
| @@ -17,32 +17,32 @@ ``` - - - - 19 - 3 - 4 - 19 - 0 - 0x8000000000000000 - - 46712 - - - Microsoft-Windows-Sysmon/Operational - atc-win-10.atc.local - - + + 19 + 3 + 4 + 19 + 0 + 0x8000000000000000 + + 46712 + + + Microsoft-Windows-Sysmon/Operational + atc-win-10.atc.local + + - - - WmiFilterEvent - 2019-02-05 14:44:42.432 - Created - atc-win-10\user1 - "root\\CimV2" - "AtomicRedTeam-WMIPersistence-Example" - "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325" - - + + WmiFilterEvent + 2019-02-05 14:44:42.432 + Created + atc-win-10\user1 + "root\\CimV2" + "AtomicRedTeam-WMIPersistence-Example" + "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325" + + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md index c15db8e..bbac287 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md @@ -1,12 +1,12 @@ | Title | DN_0023_20_windows_sysmon_WmiEvent | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | This event logs the registration of WMI consumers, recording the consumer name, log, and destination. | +| Description | This event logs the registration of WMI consumers, recording the consumer name, log, and destination | | Logging Policy |
  • [LP_0010_windows_sysmon_WmiEvent](../Logging_Policies/LP_0010_windows_sysmon_WmiEvent.md)
| | References |
  • [https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md)
  • [https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020)
| -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields |
  • EventID
  • Computer
  • EventType
  • UtcTime
  • Operation
  • User
  • Name
  • Type
  • Destination
| @@ -17,32 +17,32 @@ ``` - - - - 20 - 3 - 4 - 20 - 0 - 0x8000000000000000 - - 46713 - - - Microsoft-Windows-Sysmon/Operational - atc-win-10.atc.local - - + + 20 + 3 + 4 + 20 + 0 + 0x8000000000000000 + + 46713 + + + Microsoft-Windows-Sysmon/Operational + atc-win-10.atc.local + + - - - WmiConsumerEvent - 2019-02-05 14:44:42.510 - Created - atc-win-10\user1 - "AtomicRedTeam-WMIPersistence-Example" - Command Line - "C:\\windows\\System32\\notepad.exe" - - + + WmiConsumerEvent + 2019-02-05 14:44:42.510 + Created + atc-win-10\user1 + "AtomicRedTeam-WMIPersistence-Example" + Command Line + "C:\\windows\\System32\\notepad.exe" + + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md index 2ec34f1..2f5e282 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md @@ -1,12 +1,12 @@ | Title | DN_0024_21_windows_sysmon_WmiEvent | |:---------------|:-----------------------------------------------------------------------------------------------------------------| -| Description | When a consumer binds to a filter, this event logs the consumer name and filter path. | +| Description | When a consumer binds to a filter, this event logs the consumer name and filter path | | Logging Policy |
  • [LP_0010_windows_sysmon_WmiEvent](../Logging_Policies/LP_0010_windows_sysmon_WmiEvent.md)
| | References |
  • [https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md)
  • [https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021)
| -| Platform | Windows | -| Type | Windows Log | -| Channel | Microsoft-Windows-Sysmon/Operational | -| Provider | Microsoft-Windows-Sysmon | +| Platform | Windows | +| Type | Windows Log | +| Channel | Microsoft-Windows-Sysmon/Operational | +| Provider | Microsoft-Windows-Sysmon | | Fields |
  • EventID
  • Computer
  • EventType
  • UtcTime
  • Operation
  • User
  • Consumer
  • Filter
| @@ -17,31 +17,31 @@ ``` - - - - 21 - 3 - 4 - 21 - 0 - 0x8000000000000000 - - 46714 - - - Microsoft-Windows-Sysmon/Operational - atc-win-10.atc.local - - + + 21 + 3 + 4 + 21 + 0 + 0x8000000000000000 + + 46714 + + + Microsoft-Windows-Sysmon/Operational + atc-win-10.atc.local + + - - - WmiBindingEvent - 2019-02-05 14:44:47.087 - Created - atc-win-10\user1 - "\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\"" - "\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\"" - - + + WmiBindingEvent + 2019-02-05 14:44:47.087 + Created + atc-win-10\user1 + "\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\"" + "\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\"" + + ``` diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0026_5136_windows_directory_service_object_was_modified.md b/Atomic_Threat_Coverage/Data_Needed/DN_0026_5136_windows_directory_service_object_was_modified.md new file mode 100644 index 0000000..64497aa --- /dev/null +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0026_5136_windows_directory_service_object_was_modified.md @@ -0,0 +1,58 @@ +| Title | DN_0026_5136_windows_directory_service_object_was_modified | +|:---------------|:-----------------------------------------------------------------------------------------------------------------| +| Description | A directory service object was modified | +| Logging Policy |
  • [LP_0025_windows_audit_directory_service_changes](../Logging_Policies/LP_0025_windows_audit_directory_service_changes.md)
| +| References |
  • [https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md)
| +| Platform | Windows | +| Type | Windows Log | +| Channel | Security | +| Provider | Microsoft-Windows-Security-Auditing | +| Fields |
  • EventID
  • ProcessID
  • ThreadID
  • Computer
  • OpCorrelationID
  • AppCorrelationID
  • SubjectUserSid
  • SubjectUserName
  • SubjectDomainName
  • SubjectLogonId
  • DSName
  • DSType
  • ObjectDN
  • ObjectGUID
  • ObjectClass
  • AttributeLDAPDisplayName
  • AttributeSyntaxOID
  • AttributeValue
  • OperationType
| + + +## Log Samples + +### Raw Log + +``` +- + - + + 5136 + 0 + 0 + 14081 + 0 + 0x8020000000000000 + + 410204 + + + Security + DC01.contoso.local + + + - + {02647639-8626-43CE-AFE6-7AA1AD657739} + - + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x32004 + contoso.local + %%14676 + CN=Sergey,CN=Builtin,DC=contoso,DC=local + {4FE80A66-5F93-4F73-B215-68678058E613} + user + userAccountControl + 2.5.5.9 + 512 + %%14675 + + + +``` + + + + diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0027_4738_user_account_was_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0027_4738_user_account_was_changed.md new file mode 100644 index 0000000..a89a334 --- /dev/null +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0027_4738_user_account_was_changed.md @@ -0,0 +1,69 @@ +| Title | DN_0027_4738_user_account_was_changed | +|:---------------|:-----------------------------------------------------------------------------------------------------------------| +| Description | User object is changed | +| Logging Policy |
  • [LP_0026_windows_audit_user_account_management](../Logging_Policies/LP_0026_windows_audit_user_account_management.md)
| +| References |
  • [https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md)
| +| Platform | Windows | +| Type | Windows Log | +| Channel | Security | +| Provider | Microsoft-Windows-Security-Auditing | +| Fields |
  • EventID
  • ProcessID
  • ThreadID
  • Computer
  • TargetUserName
  • TargetDomainName
  • TargetSid
  • SubjectUserSid
  • SubjectUserName
  • SubjectDomainName
  • SubjectLogonId
  • PrivilegeList
  • SamAccountName
  • DisplayName
  • UserPrincipalName
  • HomeDirectory
  • HomePath
  • ScriptPath
  • ProfilePath
  • UserWorkstations
  • PasswordLastSet
  • AccountExpires
  • PrimaryGroupId
  • AllowedToDelegateTo
  • OldUacValue
  • NewUacValue
  • UserAccountControl
  • UserParameters
  • SidHistory
  • LogonHours
| + + +## Log Samples + +### Raw Log + +``` +- + - + + 4738 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 175413 + + + Security + DC01.contoso.local + + + - + ksmith + CONTOSO + S-1-5-21-3457937927-2839227994-823803824-6609 + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x30dc2 + - + - + - + - + - + - + - + - + - + - + - + - + - + 0x15 + 0x211 + %%2050 %%2089 + - + - + - + + + +``` + + + + diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0028_4794_directory_services_restore_mode_admin_password_set.md b/Atomic_Threat_Coverage/Data_Needed/DN_0028_4794_directory_services_restore_mode_admin_password_set.md new file mode 100644 index 0000000..283b8e5 --- /dev/null +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0028_4794_directory_services_restore_mode_admin_password_set.md @@ -0,0 +1,49 @@ +| Title | DN_0028_directory_services_restore_mode_admin_password_set_4794 | +|:---------------|:-----------------------------------------------------------------------------------------------------------------| +| Description | Directory Services Restore Mode (DSRM) administrator password is changed | +| Logging Policy |
  • [LP_0026_windows_audit_user_account_management](../Logging_Policies/LP_0026_windows_audit_user_account_management.md)
| +| References |
  • [https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md)
| +| Platform | Windows | +| Type | Windows Log | +| Channel | Security | +| Provider | Microsoft-Windows-Security-Auditing | +| Fields |
  • EventID
  • ProcessID
  • ThreadID
  • Computer
  • SubjectUserSid
  • SubjectUserName
  • SubjectDomainName
  • SubjectLogonId
  • Workstation
  • Status
| + + +## Log Samples + +### Raw Log + +``` +- + - + + 4794 + 0 + 0 + 13824 + 0 + 0x8020000000000000 + + 172348 + + + Security + DC01.contoso.local + + + - + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x36f67 + DC01 + 0x0 + + + +``` + + + + diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0029_4661_handle_to_an_object_was_requested.md b/Atomic_Threat_Coverage/Data_Needed/DN_0029_4661_handle_to_an_object_was_requested.md new file mode 100644 index 0000000..abba9a6 --- /dev/null +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0029_4661_handle_to_an_object_was_requested.md @@ -0,0 +1,59 @@ +| Title | DN_0029_4661_handle_to_an_object_was_requested | +|:---------------|:-----------------------------------------------------------------------------------------------------------------| +| Description | A handle was requested for either an Active Directory object or a Security Account Manager (SAM) object | +| Logging Policy |
  • [LP_0027_windows_audit_directory_service_access](../Logging_Policies/LP_0027_windows_audit_directory_service_access.md)
  • [LP_0028_windows_audit_sam](../Logging_Policies/LP_0028_windows_audit_sam.md)
| +| References |
  • [https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md)
| +| Platform | Windows | +| Type | Windows Log | +| Channel | Security | +| Provider | Microsoft-Windows-Security-Auditing | +| Fields |
  • EventID
  • ProcessID
  • ThreadID
  • Computer
  • SubjectUserSid
  • SubjectUserName
  • SubjectDomainName
  • SubjectLogonId
  • ObjectServer
  • ObjectType
  • ObjectName
  • HandleId
  • TransactionId
  • AccessList
  • AccessMask
  • PrivilegeList
  • Properties
  • RestrictedSidCount
  • ProcessId
  • ProcessName
| + + +## Log Samples + +### Raw Log + +``` +- + - + + 4661 + 0 + 0 + 14080 + 0 + 0x8020000000000000 + + 1048009 + + + Security + DC01.contoso.local + + + - + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x4280e + Security Account Manager + SAM\_DOMAIN + DC=contoso,DC=local + 0xdd64d36870 + {00000000-0000-0000-0000-000000000000} + %%5400 + 0x2d + Ā + - + 2949165 + 0x9000a000d002d + {bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501} + + + +``` + + + + diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0030_4662_operation_was_performed_on_an_object.md b/Atomic_Threat_Coverage/Data_Needed/DN_0030_4662_operation_was_performed_on_an_object.md new file mode 100644 index 0000000..adcc8ea --- /dev/null +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0030_4662_operation_was_performed_on_an_object.md @@ -0,0 +1,57 @@ +| Title | DN_0030_4662_operation_was_performed_on_an_object | +|:---------------|:-----------------------------------------------------------------------------------------------------------------| +| Description | An operation was performed on an Active Directory object | +| Logging Policy |
  • [LP_0027_windows_audit_directory_service_access](../Logging_Policies/LP_0027_windows_audit_directory_service_access.md)
| +| References |
  • [https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md)
| +| Platform | Windows | +| Type | Windows Log | +| Channel | Security | +| Provider | Microsoft-Windows-Security-Auditing | +| Fields |
  • EventID
  • ProcessID
  • ThreadID
  • Computer
  • SubjectUserSid
  • SubjectUserName
  • SubjectDomainName
  • SubjectLogonId
  • ObjectServer
  • ObjectType
  • ObjectName
  • OperationType
  • HandleId
  • AccessList
  • AccessMask
  • Properties
  • AdditionalInfo
  • AdditionalInfo2
| + + +## Log Samples + +### Raw Log + +``` +- + - + + 4662 + 0 + 0 + 14080 + 0 + 0x8020000000000000 + + 407230 + + + Security + DC01.contoso.local + + + - + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x35867 + DS + %{bf967a86-0de6-11d0-a285-00aa003049e2} + %{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2} + Object Access + 0x0 + %%1537 + 0x10000 + %%1537 {bf967a86-0de6-11d0-a285-00aa003049e2} + - + + + + +``` + + + + diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0031_7036_service_started_stopped.md b/Atomic_Threat_Coverage/Data_Needed/DN_0031_7036_service_started_stopped.md new file mode 100644 index 0000000..9c25f0b --- /dev/null +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0031_7036_service_started_stopped.md @@ -0,0 +1,46 @@ +| Title | DN_0031_7036_service_started_stopped | +|:---------------|:-----------------------------------------------------------------------------------------------------------------| +| Description | Service entered the running/stopped state | +| Logging Policy |
  • [None](../Logging_Policies/None.md)
| +| References |
  • [http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm](http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm)
| +| Platform | Windows | +| Type | Windows Log | +| Channel | System | +| Provider | Service Control Manager | +| Fields |
  • EventID
  • ProcessID
  • ThreadID
  • Computer
  • param1
  • param2
| + + +## Log Samples + +### Raw Log + +``` +- + - + + 7036 + 0 + 4 + 0 + 0 + 0x8080000000000000 + + 41452 + + + System + EC2AMAZ-D6OFVS8 + + + - + Device Install Service + running + 44006500760069006300650049006E007300740061006C006C002F0034000000 + + + +``` + + + + diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0032_5145_network_share_object_was_accessed_detailed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0032_5145_network_share_object_was_accessed_detailed.md new file mode 100644 index 0000000..f704c87 --- /dev/null +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0032_5145_network_share_object_was_accessed_detailed.md @@ -0,0 +1,56 @@ +| Title | DN_0032_5145_network_share_object_was_accessed_detailed | +|:---------------|:-----------------------------------------------------------------------------------------------------------------| +| Description | Network share object (file or folder) was accessed. Detailed log with AccessReason and RelativeTargetName | +| Logging Policy |
  • [LP_0029_windows_audit_detailed_file_share](../Logging_Policies/LP_0029_windows_audit_detailed_file_share.md)
| +| References |
  • [https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md)
| +| Platform | Windows | +| Type | Windows Log | +| Channel | Security | +| Provider | Microsoft-Windows-Security-Auditing | +| Fields |
  • EventID
  • ProcessID
  • ThreadID
  • Computer
  • SubjectUserSid
  • SubjectUserName
  • SubjectDomainName
  • SubjectLogonId
  • ObjectType
  • IpAddress
  • IpPort
  • ShareName
  • ShareLocalPath
  • RelativeTargetName
  • AccessMask
  • AccessList
  • AccessReason
| + + +## Log Samples + +### Raw Log + +``` +- + - + + 5145 + 0 + 0 + 12811 + 0 + 0x8020000000000000 + + 267092 + + + Security + DC01.contoso.local + + + - + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x38d34 + File + fe80::31ea:6c3c:f40d:1973 + 56926 + \\\\\*\\Documents + \\??\\C:\\Documents + Bginfo.exe + 0x100081 + %%1541 %%4416 %%4423 + %%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD) + + + +``` + + + + diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0033_5140_network_share_object_was_accessed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0033_5140_network_share_object_was_accessed.md new file mode 100644 index 0000000..a1a3cda --- /dev/null +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0033_5140_network_share_object_was_accessed.md @@ -0,0 +1,54 @@ +| Title | DN_0033_5140_network_share_object_was_accessed | +|:---------------|:-----------------------------------------------------------------------------------------------------------------| +| Description | Network share object (file or folder) was accessed | +| Logging Policy |
  • [LP_0030_windows_audit_file_share](../Logging_Policies/LP_0030_windows_audit_file_share.md)
| +| References |
  • [https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md)
| +| Platform | Windows | +| Type | Windows Log | +| Channel | Security | +| Provider | Microsoft-Windows-Security-Auditing | +| Fields |
  • EventID
  • ProcessID
  • ThreadID
  • Computer
  • SubjectUserSid
  • SubjectUserName
  • SubjectDomainName
  • SubjectLogonId
  • ObjectType
  • IpAddress
  • IpPort
  • ShareName
  • ShareLocalPath
  • AccessMask
  • AccessList
| + + +## Log Samples + +### Raw Log + +``` +- + - + + 5140 + 1 + 0 + 12808 + 0 + 0x8020000000000000 + + 268495 + + + Security + DC01.contoso.local + + + - + S-1-5-21-3457937927-2839227994-823803824-1104 + dadmin + CONTOSO + 0x541f35 + File + 10.0.0.100 + 49212 + \\\\\*\\Documents + \\??\\C:\\Documents + 0x1 + %%4416 + + + +``` + + + + diff --git a/Atomic_Threat_Coverage/Enrichments/EN_0001_cache_sysmon_event_id_1_info.md b/Atomic_Threat_Coverage/Enrichments/EN_0001_cache_sysmon_event_id_1_info.md new file mode 100644 index 0000000..091f2b4 --- /dev/null +++ b/Atomic_Threat_Coverage/Enrichments/EN_0001_cache_sysmon_event_id_1_info.md @@ -0,0 +1,36 @@ +| Title | EN_0001_cache_sysmon_event_id_1_info | +|:---------------|:-----------------------------------------------------------------------------------------------------------------| +| Description | Cache Sysmon Event ID 1 (Process Create) data for further enrichments. | +| Data Needed |
  • [DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)
| +| Data to enrich | None | +| References |
  • [https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)
| +| Author | Teymur Kheirkhabarov | +| Requirements | None | +| New fields | None | + + +### Config + +We can use Logstash to cache data in Memcached. +Here is the config example: + +``` +filter { + # Building information block for caching: + if [source_name] == "Microsoft-Windows-Sysmon" and [event_id] == 1 { + mutate { + add_field => { + "[@metadata][processinfo]" => "IntegrityLevel=%{[event_data][IntegrityLevel]},User=%{[event_data][User]},CommandLine=${[event_data][CommandLine]},ParentImage=%{[event_data][ParentImage]}" + } + } + # Saving previously built information block in cache (key is concatenation of ProcessGuid and computer_name): + memcached { + hosts => ["127.0.0.1:11211"] + set => { + "[@metadata][processinfo]" => "%{computer_name}_{[event_data][ProcessGuid]}" + } + ttl => 86400 # 24 hours + } + } +} +``` diff --git a/Atomic_Threat_Coverage/Enrichments/EN_0002_enrich_sysmon_event_id_1_with_parent_info.md b/Atomic_Threat_Coverage/Enrichments/EN_0002_enrich_sysmon_event_id_1_with_parent_info.md new file mode 100644 index 0000000..f1911c6 --- /dev/null +++ b/Atomic_Threat_Coverage/Enrichments/EN_0002_enrich_sysmon_event_id_1_with_parent_info.md @@ -0,0 +1,46 @@ +| Title | EN_0002_enrich_sysmon_event_id_1_with_parent_info | +|:---------------|:-----------------------------------------------------------------------------------------------------------------| +| Description | Enrich Sysmon Event ID 1 (Process Create) with Parent Integrity Level, Parent User and Parent of Parent Image fields. | +| Data Needed |
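Review bot: The cache key written by the `set` block, `"%{computer_name}_{[event_data][ProcessGuid]}"`, is missing the `%` before the field reference, so the literal text `{[event_data][ProcessGuid]}` is stored instead of the GUID and every process on a host collapses onto one key; EN_0002 reads with `%{computer_name}_%{[event_data][ParentProcessGuid]}` and will never match. In the same filter the info block uses `${[event_data][CommandLine]}` where the neighbouring fields use `%{...}`, so CommandLine is cached as the literal `${...}` text. Both are one-character fixes: `"%{computer_name}_%{[event_data][ProcessGuid]}"` and `CommandLine=%{[event_data][CommandLine]}`. The cached block carries full command lines, which may include credentials passed as arguments, and Memcached has no authentication, so the loopback `hosts` value shown should be kept rather than pointed at a shared instance; a short comment to that effect above `hosts` would help the next reader.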
  • [DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)
| +| Data to enrich |
  • [DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)
| +| References |
  • [https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)
| +| Author | Teymur Kheirkhabarov | +| Requirements |
  • [EN_0001_cache_sysmon_event_id_1_info](../Enrichments/EN_0001_cache_sysmon_event_id_1_info.md)
> | +| New fields |
  • event_data.ParentIntegrityLevel
  • event_data.ParentUser
  • event_data.ParentOfParentImage
  • ParentIntegrityLevel
  • ParentUser
  • ParentOfParentImage
| + + +### Config + +We can use Logstash to enrich Sysmon Event ID 1 with data cached in Memcached. +Here is the config example: + +``` +filter { + # Get previously cached information about parent process from cache to enrich process creation events (event id 1) + if [source_name] == "Microsoft-Windows-Sysmon" and [event_id] == 1 and [event_data][ParentProcessGuid] { + # Enrich event with additional information about process + memcached { + # get info from cache + hosts => ["127.0.0.1:11211"] + get => { + "%{computer_name}_%{[event_data][ParentProcessGuid]}" => "[@metadata][processinfo]" + } + } + if [@metadata][processinfo] { + kv { + source => "[@metadata][processinfo]" + target => "[@metadata][processinfo]" + field_split => "," + value_split => "=" + } + if [@metadata][processinfo][ParentImage] { + mutate { + add_field => { "[event_data][ParentIntegrityLevel]" => "%{[@metadata][processinfo][IntegrityLevel]}" } + add_field => { "[event_data][ParentUser]" => "%{[@metadata][processinfo][User]}" } + add_field => { "[event_data][ParentOfParentImage]" => "%{[@metadata][processinfo][ParentImage]}" } + } + } + } + } +} +``` diff --git a/Atomic_Threat_Coverage/Enrichments/EN_0003_enrich_other_sysmon_events_with_event_id_1_data.md b/Atomic_Threat_Coverage/Enrichments/EN_0003_enrich_other_sysmon_events_with_event_id_1_data.md new file mode 100644 index 0000000..add7d32 --- /dev/null +++ b/Atomic_Threat_Coverage/Enrichments/EN_0003_enrich_other_sysmon_events_with_event_id_1_data.md @@ -0,0 +1,60 @@ +| Title | EN_0003_enrich_other_sysmon_events_with_event_id_1_data | +|:---------------|:-----------------------------------------------------------------------------------------------------------------| +| Description | Enrich other Sysmon Events with data from Events ID 1 (Process Create) — Integrity Level, User, Parent Image and CommandLine fields. | +| Data Needed |
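Review bot: The Requirements cell in the header table ends with a stray `>` on a line of its own (`> |`) before the `New fields` row, which renders as a literal `>` inside the cell instead of closing it cleanly. The same artifact appears in the EN_0003 page of this commit, and only where `requirements` is a list (EN_0001 with `None` is unaffected). It is presumably emitted by the enrichment markdown template for the requirements list rather than typed by hand, so the fix belongs in that template.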
  • [DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)
| +| Data to enrich |
  • [DN_0006_2_windows_sysmon_process_changed_a_file_creation_time](../Data_Needed/DN_0006_2_windows_sysmon_process_changed_a_file_creation_time.md)
  • [DN_0007_3_windows_sysmon_network_connection](../Data_Needed/DN_0007_3_windows_sysmon_network_connection.md)
  • [DN_0009_5_windows_sysmon_process_terminated](../Data_Needed/DN_0009_5_windows_sysmon_process_terminated.md)
  • [DN_0011_7_windows_sysmon_image_loaded](../Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md)
  • [DN_0013_9_windows_sysmon_RawAccessRead](../Data_Needed/DN_0013_9_windows_sysmon_RawAccessRead.md)
  • [DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)
  • [DN_0016_12_windows_sysmon_RegistryEvent](../Data_Needed/DN_0016_12_windows_sysmon_RegistryEvent.md)
  • [DN_0017_13_windows_sysmon_RegistryEvent](../Data_Needed/DN_0017_13_windows_sysmon_RegistryEvent.md)
  • [DN_0018_14_windows_sysmon_RegistryEvent](../Data_Needed/DN_0018_14_windows_sysmon_RegistryEvent.md)
  • [DN_0019_15_windows_sysmon_FileCreateStreamHash](../Data_Needed/DN_0019_15_windows_sysmon_FileCreateStreamHash.md)
  • [DN_0020_17_windows_sysmon_PipeEvent](../Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md)
  • [DN_0021_18_windows_sysmon_PipeEvent](../Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md)
| +| References |
  • [https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment](https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment)
| +| Author | Teymur Kheirkhabarov | +| Requirements |
  • [EN_0001_cache_sysmon_event_id_1_info](../Enrichments/EN_0001_cache_sysmon_event_id_1_info.md)
> | +| New fields |
  • event_data.IntegrityLevel
  • event_data.User
  • event_data.CommandLine
  • event_data.ParentImage
  • IntegrityLevel
  • User
  • CommandLine
  • ParentImage
| + + +### Config + +We can use Logstash to enrich other Sysmon Events with data from Sysmon Event ID 1, cached in Memcached. +Here is the config example: + +``` +filter { + # Add additional information from cache, that is available only in Process Creation event (User, IL...) + if [source_name] == "Microsoft-Windows-Sysmon" and [event_id] != 1 and [event_data][ProcessGuid] { + # Enrich event with additional information about process + memcached { + # get info from cache + hosts => ["127.0.0.1:11211"] + get => { + "%{computer_name}_%{[event_data][ProcessGuid]}" => "[@metadata][processinfo]" + } + } + if [@metadata][processinfo] { + kv { + source => "[@metadata][processinfo]" + target => "[@metadata][processinfo]" + field_split => "," + value_split => "=" + } + # Enrich event + if [@metadata][processinfo][IntegrityLevel] { + mutate { + add_field => { "[event_data][IntegrityLevel]" => "%{[@metadata][processinfo][IntegrityLevel]}" } + } + } + if [@metadata][processinfo][User] { + mutate { + add_field => { "[event_data][User]" => "%{[@metadata][processinfo][User]}" } + } + } + if [@metadata][processinfo][CommandLine] { + mutate { + add_field => { "[event_data][CommandLine]" => "%{[@metadata][processinfo][CommandLine]}" } + } + } + if [@metadata][processinfo][ParentImage] { + mutate { + add_field => { "[event_data][ParentImage]" => "%{[@metadata][processinfo][ParentImage]}" } + } + } + } + } +} +``` diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_0005_identification_find_all_phising_attack_victims.md b/Atomic_Threat_Coverage/Response_Actions/RA_0005_identification_find_all_phising_attack_victims.md index bf95e4b..71f8c04 100644 --- a/Atomic_Threat_Coverage/Response_Actions/RA_0005_identification_find_all_phising_attack_victims.md +++ b/Atomic_Threat_Coverage/Response_Actions/RA_0005_identification_find_all_phising_attack_victims.md @@ -4,10 +4,10 @@ | Automation |
  • thehive
| | Author | Daniil Yugoslavskiy | | Creation Date | 31.01.2019 | -| References | None | +| References | None | | Description | Aggregated Response Action for identification of all potential victims of the phishing attack | | Linked Response Actions |
  • [RA_0026_identification_find_emails_opened](../Response_Actions/RA_0026_identification_find_emails_opened.md)
  • [RA_0030_identification_find_all_hosts_communicated_with_domain](../Response_Actions/RA_0030_identification_find_all_hosts_communicated_with_domain.md)
  • [RA_0031_identification_find_all_hosts_communicated_with_ip](../Response_Actions/RA_0031_identification_find_all_hosts_communicated_with_ip.md)
  • [RA_0032_identification_find_all_hosts_communicated_with_url](../Response_Actions/RA_0032_identification_find_all_hosts_communicated_with_url.md)
  • [RA_0033_identification_find_files_created](../Response_Actions/RA_0033_identification_find_files_created.md)
  • [RA_0034_identification_find_all_victims_in_security_alerts](../Response_Actions/RA_0034_identification_find_all_victims_in_security_alerts.md)
| -| Linked Analytics |
  • test
  • test2
| +| Linked Analytics | None | ### Workflow diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_0007_containment_block_ip_on_border_firewall.md b/Atomic_Threat_Coverage/Response_Actions/RA_0007_containment_block_ip_on_border_firewall.md index ddc3b29..505d008 100644 --- a/Atomic_Threat_Coverage/Response_Actions/RA_0007_containment_block_ip_on_border_firewall.md +++ b/Atomic_Threat_Coverage/Response_Actions/RA_0007_containment_block_ip_on_border_firewall.md @@ -4,7 +4,7 @@ | Automation | None | | Author | Daniil Yugoslavskiy | | Creation Date | 31.01.2019 | -| References | None | +| References | None | | Description | Block ip address on border firewall. | | Linked Response Actions | None | | Linked Analytics |
  • MS_firewall
| diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_0009_containment_block_url_on_proxy.md b/Atomic_Threat_Coverage/Response_Actions/RA_0009_containment_block_url_on_proxy.md index 147715f..eb09e04 100644 --- a/Atomic_Threat_Coverage/Response_Actions/RA_0009_containment_block_url_on_proxy.md +++ b/Atomic_Threat_Coverage/Response_Actions/RA_0009_containment_block_url_on_proxy.md @@ -4,7 +4,7 @@ | Automation | None | | Author | Daniil Yugoslavskiy | | Creation Date | 31.01.2019 | -| References | None | +| References | None | | Description | Block url on Proxy server. | | Linked Response Actions | None | | Linked Analytics |
  • MS_proxy_server
| diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_0010_eradication_delete_malicious_emails.md b/Atomic_Threat_Coverage/Response_Actions/RA_0010_eradication_delete_malicious_emails.md index d8d56d7..8769628 100644 --- a/Atomic_Threat_Coverage/Response_Actions/RA_0010_eradication_delete_malicious_emails.md +++ b/Atomic_Threat_Coverage/Response_Actions/RA_0010_eradication_delete_malicious_emails.md @@ -4,7 +4,7 @@ | Automation | None | | Author | Daniil Yugoslavskiy | | Creation Date | 31.01.2019 | -| References | None | +| References | None | | Description | Delete malicious emails from Email Server and users' email boxes. | | Linked Response Actions | None | | Linked Analytics |
  • MS_email_server
| diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_0028_containment_block_threat_on_network_level.md b/Atomic_Threat_Coverage/Response_Actions/RA_0028_containment_block_threat_on_network_level.md index 30f2238..09cff93 100644 --- a/Atomic_Threat_Coverage/Response_Actions/RA_0028_containment_block_threat_on_network_level.md +++ b/Atomic_Threat_Coverage/Response_Actions/RA_0028_containment_block_threat_on_network_level.md @@ -4,7 +4,7 @@ | Automation | None | | Author | Daniil Yugoslavskiy | | Creation Date | 31.01.2019 | -| References | None | +| References | None | | Description | Aggregated Response Action for blocking threats on Network Level. | | Linked Response Actions |
  • [RA_0006_containment_block_domain_on_email](../Response_Actions/RA_0006_containment_block_domain_on_email.md)
  • [RA_0009_containment_block_url_on_proxy](../Response_Actions/RA_0009_containment_block_url_on_proxy.md)
  • [RA_0007_containment_block_ip_on_border_firewall](../Response_Actions/RA_0007_containment_block_ip_on_border_firewall.md)
  • [RA_0008_containment_block_domain_on_dns](../Response_Actions/RA_0008_containment_block_domain_on_dns.md)
  • [RA_0009_containment_block_url_on_proxy](../Response_Actions/RA_0009_containment_block_url_on_proxy.md)
| | Linked Analytics | None | diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_0035_containment_block_domain_on_ips.md b/Atomic_Threat_Coverage/Response_Actions/RA_0035_containment_block_domain_on_ips.md index c390058..f8f9cf6 100644 --- a/Atomic_Threat_Coverage/Response_Actions/RA_0035_containment_block_domain_on_ips.md +++ b/Atomic_Threat_Coverage/Response_Actions/RA_0035_containment_block_domain_on_ips.md @@ -4,7 +4,7 @@ | Automation | None | | Author | Daniil Yugoslavskiy | | Creation Date | 31.01.2019 | -| References | None | +| References | None | | Description | Block domain on IPS. | | Linked Response Actions | None | | Linked Analytics |
  • MS_ips
| diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_0036_containment_block_domain_on_ngfw.md b/Atomic_Threat_Coverage/Response_Actions/RA_0036_containment_block_domain_on_ngfw.md index a593ada..58245c8 100644 --- a/Atomic_Threat_Coverage/Response_Actions/RA_0036_containment_block_domain_on_ngfw.md +++ b/Atomic_Threat_Coverage/Response_Actions/RA_0036_containment_block_domain_on_ngfw.md @@ -4,7 +4,7 @@ | Automation | None | | Author | Daniil Yugoslavskiy | | Creation Date | 31.01.2019 | -| References | None | +| References | None | | Description | Block domain on NGFW. | | Linked Response Actions | None | | Linked Analytics |
  • MS_ngfw
| diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_0037_containment_block_ip_on_ips.md b/Atomic_Threat_Coverage/Response_Actions/RA_0037_containment_block_ip_on_ips.md index 0529f52..09578fd 100644 --- a/Atomic_Threat_Coverage/Response_Actions/RA_0037_containment_block_ip_on_ips.md +++ b/Atomic_Threat_Coverage/Response_Actions/RA_0037_containment_block_ip_on_ips.md @@ -4,7 +4,7 @@ | Automation | None | | Author | Daniil Yugoslavskiy | | Creation Date | 31.01.2019 | -| References | None | +| References | None | | Description | Block ip on IPS. | | Linked Response Actions | None | | Linked Analytics |
  • MS_ips
| diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_0038_containment_block_ip_on_ngfw.md b/Atomic_Threat_Coverage/Response_Actions/RA_0038_containment_block_ip_on_ngfw.md index 5480b6c..96e6bbc 100644 --- a/Atomic_Threat_Coverage/Response_Actions/RA_0038_containment_block_ip_on_ngfw.md +++ b/Atomic_Threat_Coverage/Response_Actions/RA_0038_containment_block_ip_on_ngfw.md @@ -4,7 +4,7 @@ | Automation | None | | Author | Daniil Yugoslavskiy | | Creation Date | 31.01.2019 | -| References | None | +| References | None | | Description | Block ip on NGFW. | | Linked Response Actions | None | | Linked Analytics |
  • MS_ngfw
| diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_0039_containment_block_url_on_ngfw.md b/Atomic_Threat_Coverage/Response_Actions/RA_0039_containment_block_url_on_ngfw.md index 2cd4931..f85ef7e 100644 --- a/Atomic_Threat_Coverage/Response_Actions/RA_0039_containment_block_url_on_ngfw.md +++ b/Atomic_Threat_Coverage/Response_Actions/RA_0039_containment_block_url_on_ngfw.md @@ -4,7 +4,7 @@ | Automation | None | | Author | Daniil Yugoslavskiy | | Creation Date | 31.01.2019 | -| References | None | +| References | None | | Description | Block URL on NGFW. | | Linked Response Actions | None | | Linked Analytics |
  • MS_ngfw
| diff --git a/Atomic_Threat_Coverage/Response_Actions/RA_0040_identification_put_on_monitoring_compromised_accounts.md b/Atomic_Threat_Coverage/Response_Actions/RA_0040_identification_put_on_monitoring_compromised_accounts.md index c4feb24..7a6ca10 100644 --- a/Atomic_Threat_Coverage/Response_Actions/RA_0040_identification_put_on_monitoring_compromised_accounts.md +++ b/Atomic_Threat_Coverage/Response_Actions/RA_0040_identification_put_on_monitoring_compromised_accounts.md @@ -4,7 +4,7 @@ | Automation | None | | Author | Daniil Yugoslavskiy | | Creation Date | 31.01.2019 | -| References | None | +| References | None | | Description | Put (potentially) compromised accounts on monitoring | | Linked Response Actions | None | | Linked Analytics | None | diff --git a/Atomic_Threat_Coverage/Response_Playbooks/RP_0001_phishing_email.md b/Atomic_Threat_Coverage/Response_Playbooks/RP_0001_phishing_email.md index accfebe..555d9a9 100644 --- a/Atomic_Threat_Coverage/Response_Playbooks/RP_0001_phishing_email.md +++ b/Atomic_Threat_Coverage/Response_Playbooks/RP_0001_phishing_email.md @@ -1,9 +1,9 @@ | Title | RP_0001_phishing_email | |:---------------|:-----------------------------------------------------------------------------------------------------------------| | Description | Response playbook for Phishing Email case. | -| ATT&CK Tactic |
  • [TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)
| -| ATT&CK Technique |
  • [T1193](https://attack.mitre.org/tactics/T1193)
  • [T1192](https://attack.mitre.org/tactics/T1192)
| -| Tags |
  • phishinng
| +| ATT&CK Tactic |
  • [TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)
| +| ATT&CK Technique |
  • [T1193](https://attack.mitre.org/tactics/T1193)
  • [T1192](https://attack.mitre.org/tactics/T1192)
| +| Tags |
  • phishinng
| | Severity | M | | TLP | AMBER | | PAP | WHITE | @@ -12,7 +12,7 @@ | Identification |
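Review bot: The ATT&CK Technique links on the new side point at `https://attack.mitre.org/tactics/T1193` and `https://attack.mitre.org/tactics/T1192`, but technique IDs are served under the `/techniques/` path on attack.mitre.org, so both links resolve to the wrong place while the tactic link `/tactics/TA0001` above them is correct. The `Tags` cell also carries the misspelling `phishinng` through from the removed line, so anyone filtering playbooks on `phishing` will miss this one. Both values pass through unchanged from the old side, so they presumably originate in the playbook YAML and the template that renders the technique URL, which is where the fix belongs.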
  • [RA_0001_identification_get_original_email](../Response_Actions/RA_0001_identification_get_original_email.md)
  • [RA_0002_identification_extract_observables_from_email](../Response_Actions/RA_0002_identification_extract_observables_from_email.md)
  • [RA_0003_identification_make_sure_email_is_a_phising](../Response_Actions/RA_0003_identification_make_sure_email_is_a_phising.md)
  • [RA_0004_identification_analyse_obtained_indicators_of_compromise](../Response_Actions/RA_0004_identification_analyse_obtained_indicators_of_compromise.md)
  • [RA_0005_identification_find_all_phising_attack_victims](../Response_Actions/RA_0005_identification_find_all_phising_attack_victims.md)
  • [RA_0040_identification_put_on_monitoring_compromised_accounts](../Response_Actions/RA_0040_identification_put_on_monitoring_compromised_accounts.md)
| | Containment |
  • [RA_0006_containment_block_domain_on_email](../Response_Actions/RA_0006_containment_block_domain_on_email.md)
  • [RA_0028_containment_block_threat_on_network_level](../Response_Actions/RA_0028_containment_block_threat_on_network_level.md)
| | Eradication |
  • [RA_0010_eradication_delete_malicious_emails](../Response_Actions/RA_0010_eradication_delete_malicious_emails.md)
  • [RA_0011_eradication_revoke_compromised_credentials](../Response_Actions/RA_0011_eradication_revoke_compromised_credentials.md)
  • [RA_0012_eradication_report_phishing_attack_to_external_companies](../Response_Actions/RA_0012_eradication_report_phishing_attack_to_external_companies.md)
| -| Recovery | None | +| Recovery | None | | Lessons Learned |
  • [RA_0013_lessons_learned_develop_incident_report](../Response_Actions/RA_0013_lessons_learned_develop_incident_report.md)
  • [RA_0014_lessons_learned_conduct_lessons_learned_exercise](../Response_Actions/RA_0014_lessons_learned_conduct_lessons_learned_exercise.md)
| ### Workflow diff --git a/dataneeded/DN_0005_7045_windows_service_insatalled.yml b/dataneeded/DN_0005_7045_windows_service_insatalled.yml index 1336bad..d4de61a 100644 --- a/dataneeded/DN_0005_7045_windows_service_insatalled.yml +++ b/dataneeded/DN_0005_7045_windows_service_insatalled.yml @@ -1,8 +1,10 @@ title: DN_0005_7045_windows_service_insatalled description: > A service was installed in the system -loggingpolicy: None -references: None +loggingpolicy: + - None +references: + - None category: OS Logs platform: Windows type: Windows Log diff --git a/dataneeded/DN_0026_5136_windows_directory_service_object_was_modified.yml b/dataneeded/DN_0026_5136_windows_directory_service_object_was_modified.yml index b627b21..754e331 100644 --- a/dataneeded/DN_0026_5136_windows_directory_service_object_was_modified.yml +++ b/dataneeded/DN_0026_5136_windows_directory_service_object_was_modified.yml @@ -1,8 +1,10 @@ title: DN_0026_5136_windows_directory_service_object_was_modified description: > A directory service object was modified -loggingpolicy: LP_0025_windows_audit_directory_service_changes -references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md +loggingpolicy: + - LP_0025_windows_audit_directory_service_changes +references: + - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md category: OS Logs platform: Windows type: Windows Log diff --git a/dataneeded/DN_0027_4738_user_account_was_changed.yml b/dataneeded/DN_0027_4738_user_account_was_changed.yml index 13902d1..56f736c 100644 --- a/dataneeded/DN_0027_4738_user_account_was_changed.yml +++ b/dataneeded/DN_0027_4738_user_account_was_changed.yml 
@@ -1,8 +1,10 @@ title: DN_0027_4738_user_account_was_changed description: > User object is changed -loggingpolicy: LP_0026_windows_audit_user_account_management -references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md +loggingpolicy: + - LP_0026_windows_audit_user_account_management +references: + - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md category: OS Logs platform: Windows type: Windows Log diff --git a/dataneeded/DN_0028_4794_directory_services_restore_mode_admin_password_set.yml b/dataneeded/DN_0028_4794_directory_services_restore_mode_admin_password_set.yml index c8569c0..bd796dd 100644 --- a/dataneeded/DN_0028_4794_directory_services_restore_mode_admin_password_set.yml +++ b/dataneeded/DN_0028_4794_directory_services_restore_mode_admin_password_set.yml @@ -1,8 +1,10 @@ title: DN_0028_directory_services_restore_mode_admin_password_set_4794 description: > Directory Services Restore Mode (DSRM) administrator password is changed -loggingpolicy: LP_0026_windows_audit_user_account_management -references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md +loggingpolicy: + - LP_0026_windows_audit_user_account_management +references: + - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md category: OS Logs platform: Windows type: Windows Log diff --git a/dataneeded/DN_0029_4661_handle_to_an_object_was_requested.yml b/dataneeded/DN_0029_4661_handle_to_an_object_was_requested.yml index f029f75..c53ae40 100644 --- a/dataneeded/DN_0029_4661_handle_to_an_object_was_requested.yml 
+++ b/dataneeded/DN_0029_4661_handle_to_an_object_was_requested.yml @@ -5,7 +5,8 @@ description: > loggingpolicy: - LP_0027_windows_audit_directory_service_access - LP_0028_windows_audit_sam -references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md +references: + - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md category: OS Logs platform: Windows type: Windows Log diff --git a/dataneeded/DN_0030_4662_operation_was_performed_on_an_object.yml b/dataneeded/DN_0030_4662_operation_was_performed_on_an_object.yml index 088235a..e17ef91 100644 --- a/dataneeded/DN_0030_4662_operation_was_performed_on_an_object.yml +++ b/dataneeded/DN_0030_4662_operation_was_performed_on_an_object.yml @@ -1,8 +1,10 @@ title: DN_0030_4662_operation_was_performed_on_an_object description: > An operation was performed on an Active Directory object -loggingpolicy: LP_0027_windows_audit_directory_service_access -references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md +loggingpolicy: + - LP_0027_windows_audit_directory_service_access +references: + - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md category: OS Logs platform: Windows type: Windows Log diff --git a/dataneeded/DN_0031_7036_service_started_stopped.yml b/dataneeded/DN_0031_7036_service_started_stopped.yml index 8136423..d1801c1 100644 --- a/dataneeded/DN_0031_7036_service_started_stopped.yml +++ b/dataneeded/DN_0031_7036_service_started_stopped.yml 
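Review bot: The reference added to the `references` list points at `.../auditing/event-4794.md`, but this data-needed entry describes event 4661 (`DN_0029_4661_handle_to_an_object_was_requested`); event 4794 is the DSRM-password event documented in `DN_0028` just above it. The URL was carried over unchanged from the scalar form on the removed line, so the commit only reformats it, but converting it to a list is the moment to fix it. The same docs tree uses one page per event ID (`event-4738.md`, `event-4794.md`, `event-4662.md` all appear in this diff), so the intended target is presumably `event-4661.md` in the same tree.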
@@ -1,8 +1,10 @@ title: DN_0031_7036_service_started_stopped description: > Service entered the running/stopped state -loggingpolicy: None -references: http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm +loggingpolicy: + - None +references: + - http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm category: OS Logs platform: Windows type: Windows Log diff --git a/dataneeded/DN_0032_5145_network_share_object_was_accessed_detailed.yml b/dataneeded/DN_0032_5145_network_share_object_was_accessed_detailed.yml index b3bf506..f88f3d9 100644 --- a/dataneeded/DN_0032_5145_network_share_object_was_accessed_detailed.yml +++ b/dataneeded/DN_0032_5145_network_share_object_was_accessed_detailed.yml @@ -2,8 +2,10 @@ title: DN_0032_5145_network_share_object_was_accessed_detailed description: > Network share object (file or folder) was accessed. Detailed log with AccessReason and RelativeTargetName -loggingpolicy: LP_0029_windows_audit_detailed_file_share -references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md +loggingpolicy: + - LP_0029_windows_audit_detailed_file_share +references: + - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md category: OS Logs platform: Windows type: Windows Log diff --git a/dataneeded/DN_0033_5140_network_share_object_was_accessed.yml b/dataneeded/DN_0033_5140_network_share_object_was_accessed.yml index 84c510e..1f01dfc 100644 --- a/dataneeded/DN_0033_5140_network_share_object_was_accessed.yml +++ b/dataneeded/DN_0033_5140_network_share_object_was_accessed.yml 
@@ -1,8 +1,10 @@ title: DN_0033_5140_network_share_object_was_accessed description: > Network share object (file or folder) was accessed -loggingpolicy: LP_0030_windows_audit_file_share -references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md +loggingpolicy: + - LP_0030_windows_audit_file_share +references: + - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md category: OS Logs platform: Windows type: Windows Log diff --git a/dataneeded/dataneeded.yml.template b/dataneeded/dataneeded.yml.template index dc0b402..5a7f8fb 100644 --- a/dataneeded/dataneeded.yml.template +++ b/dataneeded/dataneeded.yml.template @@ -1,7 +1,8 @@ title: DN_0000_some_name_here description: > Some text description here. It will be merged into one line. -loggingpolicy: LP_0000_some_logging_policy_name_here +loggingpolicy: + - LP_0000_some_logging_policy_name_here references: - http://something.com category: OS Logs # HTTP Logs | DNS Logs | IDS/IPS/NGFW Alerts | Antivirus Alerts | Network Flows | etc diff --git a/enrichments/EN_0003_enrich_other_sysmon_events_with_event_id_1_data.yml b/enrichments/EN_0003_enrich_other_sysmon_events_with_event_id_1_data.yml index 6f4908d..b2ece09 100644 --- a/enrichments/EN_0003_enrich_other_sysmon_events_with_event_id_1_data.yml +++ b/enrichments/EN_0003_enrich_other_sysmon_events_with_event_id_1_data.yml @@ -12,7 +12,7 @@ data_to_enrich: - DN_0013_9_windows_sysmon_RawAccessRead - DN_0015_11_windows_sysmon_FileCreate - DN_0016_12_windows_sysmon_RegistryEvent - - DN_0016_13_windows_sysmon_RegistryEvent + - DN_0017_13_windows_sysmon_RegistryEvent - DN_0018_14_windows_sysmon_RegistryEvent - DN_0019_15_windows_sysmon_FileCreateStreamHash - DN_0020_17_windows_sysmon_PipeEvent 
diff --git a/scripts/init_confluence.py b/scripts/init_confluence.py index 50d4694..e5c9c9b 100755 --- a/scripts/init_confluence.py +++ b/scripts/init_confluence.py @@ -33,7 +33,7 @@ def main(): #print(push_to_confluence(data, url, auth)) push_to_confluence(data, url, auth) - spaces = ["Detection Rules", "Logging Policies", "Data Needed", "Triggering" ,"Response Actions", "Response Playbooks"] + spaces = ["Detection Rules", "Logging Policies", "Data Needed", "Triggering" ,"Response Actions", "Response Playbooks", "Enrichments"] for space in spaces: data = { diff --git a/scripts/init_markdown.sh b/scripts/init_markdown.sh index 6a86d5a..cff2d7e 100755 --- a/scripts/init_markdown.sh +++ b/scripts/init_markdown.sh @@ -8,6 +8,7 @@ DIRECTORIES=( "../Atomic_Threat_Coverage/Triggering" "../Atomic_Threat_Coverage/Response_Actions" "../Atomic_Threat_Coverage/Response_Playbooks" + "../Atomic_Threat_Coverage/Enrichments" ) for DIRECTORY in ${DIRECTORIES[@]}; do diff --git a/scripts/populate_confluence.py b/scripts/populate_confluence.py index a3d0f15..3968395 100755 --- a/scripts/populate_confluence.py +++ b/scripts/populate_confluence.py @@ -25,7 +25,8 @@ HELP_MESSAGE = """Usage: python3 populate_confluence.py [OPTIONS]\n\n\n loggingpolicies_path=../loggingpolicies/ triggering_path=../triggering/atomic-red-team/atomics/ responseactions_path=../response_actions/ - responseplaybooks_path=../response_playbooks/""" + responseplaybooks_path=../response_playbooks/ + enrichments_path=../enrichments/""" def main(**kwargs): @@ -35,6 +36,7 @@ def main(**kwargs): dr_list = glob.glob(kwargs['dr_path']+'*.yml') ra_list = glob.glob(kwargs['ra_path']+'*.yml') rp_list = glob.glob(kwargs['rp_path']+'*.yml') + en_list = glob.glob(kwargs['en_path']+'*.yml') mail = input("Email for access to confluence: ") url = confluence_rest_api_url 
@@ -83,8 +85,16 @@ def main(**kwargs): print(rp+" failed") pass + for en in en_list: + try: + yaml2confluence_jinja.yaml2confluence_jinja(en, 'EN', url, mail, password) + except: + print(en+" failed") + pass + if __name__ == '__main__': - opts, args = getopt.getopt(sys.argv[1:], "", ["detectionrules_path=", "dataneeded_path=", "loggingpolicies_path=", "triggering_path=", "responseactions_path=", "responseplaybooks_path=", "help"]) + opts, args = getopt.getopt(sys.argv[1:], "", ["detectionrules_path=", "dataneeded_path=", "loggingpolicies_path=", + "triggering_path=", "responseactions_path=", "responseplaybooks_path=", "enrichments_path", "help"]) # complex check in case '--help' would be in some path if len(sys.argv) > 1 and '--help' in sys.argv[1] and len(sys.argv[1]) < 7: print(HELP_MESSAGE) @@ -97,5 +107,6 @@ if __name__ == '__main__': 'tg_path': opts_dict.get('--triggering_path', '../triggering/atomic-red-team/atomics/'), 'ra_path': opts_dict.get('--responseactions_path', '../response_actions/'), 'rp_path': opts_dict.get('--responseplaybooks_path', '../response_playbooks/'), + 'en_path': opts_dict.get('--enrichments_path', '../enrichments/'), } main(**kwargs) diff --git a/scripts/populate_markdown.py b/scripts/populate_markdown.py index 6632f9a..dc86dff 100755 --- a/scripts/populate_markdown.py +++ b/scripts/populate_markdown.py @@ -14,7 +14,8 @@ HELP_MESSAGE = """Usage: python3 populate_markdown.py [OPTIONS]\n\n\n loggingpolicies_path=../loggingpolicies/ triggering_path=../triggering/atomic-red-team/atomics/ responseactions_path=../response_actions/ - responseplaybooks_path=../response_playbooks/""" + responseplaybooks_path=../response_playbooks/ + enrichments_path=../enrichments/""" def main(**kwargs): @@ -24,6 +25,8 @@ def main(**kwargs): dr_list = glob.glob(kwargs['dr_path']+'*.yml') ra_list = glob.glob(kwargs['ra_path']+'*.yml') rp_list = glob.glob(kwargs['rp_path']+'*.yml') + en_list = glob.glob(kwargs['en_path']+'*.yml') + for lp in lp_list: try: 
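Review bot: The new long-option spec `"enrichments_path"` in the `getopt.getopt` call lacks the trailing `=`, so getopt treats it as a flag and a user passing `--enrichments_path=../enrichments/` (as the updated HELP_MESSAGE advertises) gets a `GetoptError` instead of the path; it should be `"enrichments_path="`, matching every other entry in the list. The same slip is in the `@@ -63,8 +66,16 @@` hunk of scripts/populate_markdown.py. The added `for en in en_list` loop copies the file's bare `except:` + `print(en+" failed")` pattern, which also swallows KeyboardInterrupt and discards the actual exception; `except Exception as e: print(en+" failed: "+str(e))` keeps the best-effort behaviour while leaving a usable error message. The `if __name__ == '__main__':` block continues past this hunk.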
@@ -63,8 +66,16 @@ def main(**kwargs):
 print(rp+" failed")
 pass
+ for en in en_list:
+ try:
+ yaml2markdown_jinja.yaml2markdown_jinja(en, 'EN')
+ except:
+ print(en+" failed")
+ pass
+
 if __name__ == '__main__':
- opts, args = getopt.getopt(sys.argv[1:], "", ["detectionrules_path=", "dataneeded_path=", "loggingpolicies_path=", "triggering_path=", "responseactions_path=", "responseplaybooks_path=", "help"])
+ opts, args = getopt.getopt(sys.argv[1:], "", ["detectionrules_path=", "dataneeded_path=", "loggingpolicies_path=",
+ "triggering_path=", "responseactions_path=", "responseplaybooks_path=", "enrichments_path", "help"])
 # complex check in case '--help' would be in some path
 if len(sys.argv) > 1 and '--help' in sys.argv[1] and len(sys.argv[1]) < 7:
 print(HELP_MESSAGE)
@@ -77,5 +88,6 @@ if __name__ == '__main__':
 'tg_path': opts_dict.get('--triggering_path', '../triggering/atomic-red-team/atomics/'),
 'ra_path': opts_dict.get('--responseactions_path', '../response_actions/'),
 'rp_path': opts_dict.get('--responseplaybooks_path', '../response_playbooks/'),
+ 'en_path': opts_dict.get('--enrichments_path', '../enrichments/'),
 }
 main(**kwargs)
diff --git a/scripts/templates/confluence_enrichments_template.md.j2 b/scripts/templates/confluence_enrichments_template.md.j2
new file mode 100644
index 0000000..07510bc
--- /dev/null
+++ b/scripts/templates/confluence_enrichments_template.md.j2
@@ -0,0 +1,102 @@
+


+ + /wiki/plugins/servlet/confluence/placeholder/macro?definition=e2RldGFpbHN9&locale=en_GB&version=2 + BLOCK + +


+ + + + + + + + + + + + + + +{% if data_needed is defined and data_needed|length %} + + + + +{% endif %} +{% if data_to_enrich is defined and data_to_enrich|length %} + + + + +{% endif %} +{% if references is defined and references|length %} + + + + +{% endif %} + + + + +{% if requirements is defined and requirements|length %} + + + + +{% endif %} +{% if new_fields is defined and new_fields|length %} + + + + +{% endif %} + +
Title{{ title|e}}
Description{{ description|e }}
Data Needed + {%- if data_needed |length > 1 -%}
    {%endif%} + {% for data_name, data_id in data_needed %} + {%- if data_needed |length > 1 -%}
  • {%endif%}{{ data_name }}{%- if data_needed |length > 1 -%}
  • {%endif%} + {% endfor %} + {%- if data_needed |length > 1 -%}
{%endif%} +
+
Data to enrich + {%- if data_to_enrich |length > 1 -%}
    {%endif%} + {% for data_name, data_id in data_to_enrich %} + {%- if data_to_enrich |length > 1 -%}
  • {%endif%}{{ data_name }}{%- if data_to_enrich |length > 1 -%}
  • {%endif%} + {% endfor %} + {%- if data_to_enrich |length > 1 -%}
{%endif%} +
+
References + {%- if references |length > 1 -%}
    {%endif%} + {% for ref in references %} + {%- if references |length > 1 -%}
  • {%endif%}{{ ref }}{%- if references |length > 1 -%}
  • {%endif%} + {% endfor %} + {%- if references |length > 1 -%}
{%endif%} +
+
Author{{ author|e }}
Requirements + {%- if requirements |length > 1 -%}
    {%endif%} + {% for req_name, req_id in requirements %} + {%- if requirements |length > 1 -%}
  • {%endif%}{{ req_name }}{%- if requirements |length > 1 -%}
  • {%endif%} + {% endfor %} + {%- if requirements |length > 1 -%}
{%endif%} +
+
New Fields + {%- if new_fields |length > 1 -%}
    {%endif%} + {% for field in new_fields %} + {%- if new_fields |length > 1 -%}
  • {%endif%}{{ field }}{%- if new_fields |length > 1 -%}
  • {%endif%} + {% endfor %} + {%- if new_fields |length > 1 -%}
{%endif%} +
+
+


+
+
+{% if config is defined and config|length %} +

Config

+

+ + + +{% else %} +{% endif %} diff --git a/scripts/templates/markdown_dataneeded_template.md.j2 b/scripts/templates/markdown_dataneeded_template.md.j2 index e6af734..805ded6 100755 --- a/scripts/templates/markdown_dataneeded_template.md.j2 +++ b/scripts/templates/markdown_dataneeded_template.md.j2 @@ -3,10 +3,10 @@ | Description | {{ description }} | | Logging Policy |
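Review bot: The new Confluence template escapes `{{ title|e}}`, `{{ description|e }}` and `{{ author|e }}` but emits `{{ data_name }}`, `{{ ref }}`, `{{ req_name }}` and `{{ field }}` raw, so a `<`, `>` or `&` in any of those YAML values lands unescaped in the page body, where it is parsed as markup rather than shown as text. Unless the Jinja Environment is created with autoescape enabled (not visible in this diff), apply `|e` to every interpolated value, e.g. `{{ data_name|e }}` and `{{ ref|e }}`. The rendered page text here has lost its tags, so the macro wrapper around the `Config` section could not be reviewed.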
    {% for policy in loggingpolicy %}
  • [{{ policy }}](../Logging_Policies/{{policy}}.md)
  • {% endfor %}
| | References |
    {% for ref in references %}
  • [{{ ref }}]({{ ref }})
  • {% endfor %}
| -| Platform | {{ platform }} | -| Type | {{ type }} | -| Channel | {{ channel }} | -| Provider | {{ provider }} | +| Platform | {{ platform }} | +| Type | {{ type }} | +| Channel | {{ channel }} | +| Provider | {{ provider }} | | Fields |
    {% for field in fields %}
  • {{ field }}
  • {% endfor %}
| {% if sample is defined and sample|length %} diff --git a/scripts/templates/markdown_enrichments_template.md.j2 b/scripts/templates/markdown_enrichments_template.md.j2 new file mode 100644 index 0000000..6678cf8 --- /dev/null +++ b/scripts/templates/markdown_enrichments_template.md.j2 @@ -0,0 +1,14 @@ +| Title | {{ title }} | +|:---------------|:-----------------------------------------------------------------------------------------------------------------| +| Description | {{ description }} | +| Data Needed | {%- if data_needed is defined and data_needed|length %}
    {% for data in data_needed %}
  • [{{ data }}](../Data_Needed/{{data}}.md)
  • {% endfor %}
{% else %} None{%endif%} | +| Data to enrich | {%- if data_to_enrich is defined and data_to_enrich|length %}
    {% for data in data_to_enrich %}
  • [{{ data }}](../Data_Needed/{{data}}.md)
  • {% endfor %}
{% else %} None{%endif%} | +| References | {%- if references is defined and references|length %}
    {% for ref in references %}
  • [{{ ref }}]({{ ref }})
  • {% endfor %}
{% else %} None{%endif%} | +| Author | {{ author }} | +| Requirements | {%- if requirements is defined and requirements|length %}
    {% for req in requirements %}
  • [{{ req }}](../Enrichments/{{req}}.md)
  • {% endfor %}
>{% else %} None{%endif%} | +| New fields | {%- if new_fields is defined and new_fields|length %}
    {% for field in new_fields %}
  • {{ field }}
  • {% endfor %}
{% else %} None{%endif%} | + + +### Config + +{{ config }} diff --git a/scripts/templates/markdown_responseaction_template.md.j2 b/scripts/templates/markdown_responseaction_template.md.j2 index b8a75ef..7f5c552 100644 --- a/scripts/templates/markdown_responseaction_template.md.j2 +++ b/scripts/templates/markdown_responseaction_template.md.j2 @@ -4,7 +4,7 @@ | Automation | {%- if automation is defined and automation|length %}
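Review bot: The Requirements row of the new markdown template has a stray `>` before its else branch, `{% endfor %} >{% else %} None{%endif%} |`, which every sibling row writes as `{% endfor %} {% else %} None{%endif%} |`; with a non-empty requirements list the character is rendered into the table cell. The trailing `### Config` heading and `{{ config }}` are also emitted unconditionally, so an enrichment without a `config` key gets an empty section (Jinja's default Undefined renders as an empty string) while the Confluence counterpart in this commit guards the same block with `{% if config is defined and config|length %}`; wrapping the heading and value in the same test keeps the two outputs consistent.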
    {% for auto in automation %}
  • {{ auto }}
  • {% endfor %}
{% else %} None{%endif%} | | Author | {{ author }} | | Creation Date | {{ creation_date }} | -| References | {%- if references is defined and references|length %}
    {% for ref in references %}
  • [{{ ref }}]({{ ref }})
  • {% endfor %}{% else %} None{%endif%}
| +| References | {%- if references is defined and references|length %}
    {% for ref in references %}
  • [{{ ref }}]({{ ref }})
  • {% endfor %}
{% else %} None{%endif%} | | Description | {{ description }} | | Linked Response Actions | {%- if linked_ra is defined and linked_ra|length %}
    {% for action in linked_ra %}
  • [{{ action }}](../Response_Actions/{{action}}.md)
  • {% endfor %}
{% else %} None{%endif%} | | Linked Analytics | {%- if linked_analytics is defined and linked_analytics|length %}
    {% for analytic in linked_analytics %}
  • {{ analytic }}
  • {% endfor %}
{% else %} None{%endif%} | diff --git a/scripts/templates/markdown_responseplaybook_template.md.j2 b/scripts/templates/markdown_responseplaybook_template.md.j2 index 380b90b..79e8571 100644 --- a/scripts/templates/markdown_responseplaybook_template.md.j2 +++ b/scripts/templates/markdown_responseplaybook_template.md.j2 @@ -1,19 +1,19 @@ | Title | {{ title }} | |:---------------|:-----------------------------------------------------------------------------------------------------------------| | Description | {{ description }} | -| ATT&CK Tactic | {%- if tactics is defined and tactics|length %}
    {% for tactic_name, tactic_id in tactics %}
  • [{{tactic_id}}: {{tactic_name}}](https://attack.mitre.org/tactics/{{tactic_id}})
  • {% endfor %}
{% else %} None{%endif%} | -| ATT&CK Technique | {%- if techniques is defined and techniques|length %}
    {% for technique in techniques %}
  • [{{technique}}](https://attack.mitre.org/tactics/{{technique}})
  • {% endfor %}
{% else %} None{%endif%} | -| Tags | {%- if other_tags is defined and other_tags|length %}
    {% for tag in other_tags %}
  • {{ tag }}
  • {% endfor %}
{% else %} None{%endif%} | +| ATT&CK Tactic | {%- if tactics is defined and tactics|length %}
    {% for tactic_name, tactic_id in tactics %}
  • [{{tactic_id}}: {{tactic_name}}](https://attack.mitre.org/tactics/{{tactic_id}})
  • {% endfor %}
{% else %} None{%endif%} | +| ATT&CK Technique | {%- if techniques is defined and techniques|length %}
    {% for technique in techniques %}
  • [{{technique}}](https://attack.mitre.org/tactics/{{technique}})
  • {% endfor %}
{% else %} None{%endif%} | +| Tags | {%- if other_tags is defined and other_tags|length %}
    {% for tag in other_tags %}
  • {{ tag }}
  • {% endfor %}
{% else %} None{%endif%} | | Severity | {{ severity }} | | TLP | {{ tlp }} | | PAP | {{ pap }} | | Author | {{ author }} | | Creation Date | {{ creation_date }} | -| Identification | {%- if identification is defined and identification|length %}
    {% for action in identification %}
  • [{{ action }}](../Response_Actions/{{action}}.md)
  • {% endfor %}{% else %} None{%endif%}
| -| Containment | {%- if containment is defined and containment|length %}
    {% for action in containment %}
  • [{{ action }}](../Response_Actions/{{action}}.md)
  • {% endfor %}{% else %} None{%endif%}
| -| Eradication | {%- if eradication is defined and eradication|length %}
    {% for action in eradication %}
  • [{{ action }}](../Response_Actions/{{action}}.md)
  • {% endfor %}{% else %} None{%endif%}
| -| Recovery | {%- if recovery is defined and recovery|length %}
    {% for action in recovery %}
  • [{{ action }}](../Response_Actions/{{action}}.md)
  • {% endfor %}{% else %} None{%endif%}
| -| Lessons Learned | {%- if lessons_learned is defined and lessons_learned|length %}
    {% for action in lessons_learned %}
  • [{{ action }}](../Response_Actions/{{action}}.md)
  • {% endfor %}{% else %} None{%endif%}
| +| Identification | {%- if identification is defined and identification|length %}
    {% for action in identification %}
  • [{{ action }}](../Response_Actions/{{action}}.md)
  • {% endfor %}
{% else %} None{%endif%} | +| Containment | {%- if containment is defined and containment|length %}
    {% for action in containment %}
  • [{{ action }}](../Response_Actions/{{action}}.md)
  • {% endfor %}
{% else %} None{%endif%} | +| Eradication | {%- if eradication is defined and eradication|length %}
    {% for action in eradication %}
  • [{{ action }}](../Response_Actions/{{action}}.md)
  • {% endfor %}
{% else %} None{%endif%} | +| Recovery | {%- if recovery is defined and recovery|length %}
    {% for action in recovery %}
  • [{{ action }}](../Response_Actions/{{action}}.md)
  • {% endfor %}
{% else %} None{%endif%} | +| Lessons Learned | {%- if lessons_learned is defined and lessons_learned|length %}
    {% for action in lessons_learned %}
  • [{{ action }}](../Response_Actions/{{action}}.md)
  • {% endfor %}
{% else %} None{%endif%} | ### Workflow
diff --git a/scripts/yaml2confluence_jinja.py b/scripts/yaml2confluence_jinja.py
index 07e4d66..ba13f31 100755
--- a/scripts/yaml2confluence_jinja.py
+++ b/scripts/yaml2confluence_jinja.py
@@ -136,7 +136,9 @@ def yaml2confluence_jinja(file, type, url, mail, password):
 logging_policies_with_id = []
 for lp in logging_policies:
- logging_policies_id = str(get_page_id(url, auth, space, lp))
+ if lp != "None":
+ logging_policies_id = str(get_page_id(url, auth, space, lp))
+ logging_policies_id = ""
 lp = (lp, logging_policies_id)
 logging_policies_with_id.append(lp) 
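Review bot: The rewritten `ATT&CK Technique` row still links techniques under the tactics path, `[{{technique}}](https://attack.mitre.org/tactics/{{technique}})`, so every technique link in generated playbooks points at a non-existent tactic page; it should be `https://attack.mitre.org/techniques/{{technique}}`. The defect predates this commit, but the commit rewrites exactly this line without correcting it.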
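Review bot: The last added line, `logging_policies_id = ""`, follows the new `if lp != "None":` block without an `else:`, so whatever `get_page_id` returned is discarded, either because the blank assignment sits inside the `if` and overwrites it, or because it sits after the `if` and runs unconditionally; indentation is not recoverable from this rendering, but neither reading keeps the looked-up id, and every policy tuple appended below ends up as `(lp, "")`. Insert `else:` before `logging_policies_id = ""` so the empty id applies only to the `"None"` placeholder. `yaml2confluence_jinja` continues outside the hunk.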
@@ -238,6 +240,43 @@ def yaml2confluence_jinja(file, type, url, mail, password):
 fields.update({'description':fields.get('description').strip()})
 content = template.render(fields)
+ elif type=="enrichment" or type=="EN":
+ template = env.get_template('confluence_enrichments_template.md.j2')
+ parent_title="Enrichments"
+
+ data_needed = fields.get('data_needed')
+ if data_needed:
+ data_needed_with_id = []
+ for dn in data_needed:
+ data_needed_id = str(get_page_id(url, auth, space, dn))
+ dn = (dn, data_needed_id)
+ data_needed_with_id.append(dn)
+
+ fields.update({'data_needed':data_needed_with_id})
+
+ data_to_enrich = fields.get('data_to_enrich')
+ if data_to_enrich:
+ data_to_enrich_with_id = []
+ for de in data_to_enrich:
+ data_to_enrich_id = str(get_page_id(url, auth, space, de))
+ de = (de, data_to_enrich_id)
+ data_to_enrich_with_id.append(de)
+
+ fields.update({'data_to_enrich':data_to_enrich_with_id})
+
+ requirements = fields.get('requirements')
+ if requirements:
+ requirements_with_id = []
+ for req in requirements:
+ requirements_id = str(get_page_id(url, auth, space, req))
+ req = (req, requirements_id)
+ requirements_with_id.append(req)
+
+ fields.update({'requirements':requirements_with_id})
+
+ fields.update({'description':fields.get('description').strip()})
+ content = template.render(fields)
+
 elif type=="triggering" or type=="TG":
 template = env.get_template('confluence_trigger_template.html.j2')
 parent_title="Triggering"
diff --git a/scripts/yaml2markdown_jinja.py b/scripts/yaml2markdown_jinja.py
index d8180c8..ab97bbf 100755
--- a/scripts/yaml2markdown_jinja.py
+++ b/scripts/yaml2markdown_jinja.py 
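Review bot: The three loops over `data_needed`, `data_to_enrich` and `requirements` in the new `EN` branch are the same seven lines copied with the names changed, each pairing a page title with `str(get_page_id(url, auth, space, ...))` and writing the list back into `fields`; a small helper plus one loop over the three keys does the same work once and keeps the next field type from being a fourth copy. The branch also copies `fields.get('description').strip()` from the existing branches, which raises `AttributeError` when an enrichment YAML has no `description` (or an empty one parsed as `None`), and the same expression appears in the new branch of yaml2markdown_jinja.py in the next hunk; `(fields.get('description') or '').strip()` renders an empty description instead. `yaml2confluence_jinja` starts and ends outside the hunk, so the helper would be a module-level function beside it.
```python
def _with_page_ids(url, auth, space, names):
    """Pair each page title in *names* with its Confluence page id (stringified), as the templates expect."""
    return [(name, str(get_page_id(url, auth, space, name))) for name in names]

# … unchanged: template / parent_title assignment at the top of the EN branch …
for key in ('data_needed', 'data_to_enrich', 'requirements'):
    values = fields.get(key)
    if values:
        fields.update({key: _with_page_ids(url, auth, space, values)})

fields.update({'description': (fields.get('description') or '').strip()})
content = template.render(fields)
```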
@@ -163,6 +163,13 @@ def yaml2markdown_jinja(file, type):
 fields.update({'description':fields.get('description').strip()})
 content = template.render(fields)
+ elif type=="enrichment" or type=="EN":
+ template = env.get_template('markdown_enrichments_template.md.j2')
+ parent_title="Enrichments"
+
+ fields.update({'description':fields.get('description').strip()})
+ content = template.render(fields)
+
 elif type=="triggering" or type=="TG":
 pass