ennrichments and DNs updated

This commit is contained in:
Yugoslavskiy Daniil 2019-02-07 02:39:24 +01:00
parent cc1128f893
commit 3c50efba2c
36 changed files with 669 additions and 648 deletions


@ -1,7 +1,7 @@
title: DN_0001_4688_windows_process_creation
description: >
Windows process creation log, not including command line.
loggingpolicy:
Windows process creation log, not including command line
loggingpolicy:
- LP_0001_windows_audit_process_creation
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md
@ -19,9 +19,9 @@ fields:
- ProcessId
- ThreadID
- ProcessName
- NewProcessName # redundant, inconsistent
- Image # redundant, inconsistent
- ParentImage # redundant, inconsistent
- NewProcessName # redundant
- Image # redundant
- ParentImage # redundant
- ParentProcessPid
- ParentProcessName
- MandatoryLabel
@ -29,36 +29,36 @@ fields:
- LogonId
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" />
<EventRecordID>2814</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="400" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" />
<EventRecordID>2814</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="400" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessId">0x2bc</Data>
<Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="TokenElevationType">%%1938</Data>
<Data Name="ProcessId">0xe74</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x4a5af0</Data>
<Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="MandatoryLabel">S-1-16-8192</Data>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessId">0x2bc</Data>
<Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="TokenElevationType">%%1938</Data>
<Data Name="ProcessId">0xe74</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x4a5af0</Data>
<Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="MandatoryLabel">S-1-16-8192</Data>
</EventData>
</Event>
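Review bot: The `NewProcessName` and `ParentProcessName` values in this sample keep the doubled backslashes from the Microsoft docs markdown (`C:\\Windows\\System32\\rundll32.exe`, `C:\\Windows\\explorer.exe`); inside a YAML `|` literal block a backslash is not an escape character, so the sample carries `\\` where a real 4688 event has a single `\`, and it also disagrees with the single-backslash form used in the DN_0002 sample of this same commit. Anyone building a detection or field-extraction test from this sample would match the wrong path form. Suggest `<Data Name="NewProcessName">C:\Windows\System32\rundll32.exe</Data>` and `<Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>`.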


@ -1,6 +1,6 @@
title: DN_0002_4688_windows_process_creation_with_commandline
description: >
Windows process creation log, including command line.
Windows process creation log, including command line
loggingpolicy:
- LP_0001_windows_audit_process_creation
- LP_0002_windows_audit_process_creation_with_commandline
@ -20,13 +20,13 @@ fields:
- ProcessId
- ThreadID
- ProcessName
- NewProcessName # redundant, inconsistent
- Image # redundant, inconsistent
- NewProcessName # redundant
- Image # redundant
- CommandLine
- ProcessCommandLine # redundant, inconsistent
- ProcesssCommandLine # redundant, inconsistent
- ProcessCommandLine # redundant
- ProcesssCommandLine # redundant
- ParentProcessPid
- ParentImage # redundant, inconsistent
- ParentImage # redundant
- ParentProcessName
- MandatoryLabel
- TokenElevationType
@ -34,36 +34,36 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-02-06T20:34:57.910980700Z" />
<EventRecordID>3542561</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="92" />
<Channel>Security</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security />
</System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-02-06T20:34:57.910980700Z" />
<EventRecordID>3542561</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="92" />
<Channel>Security</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-540864798-2899685673-3651185163-500</Data>
<Data Name="SubjectUserName">user1</Data>
<Data Name="SubjectDomainName">atc-win-10</Data>
<Data Name="SubjectLogonId">0xcdd96</Data>
<Data Name="NewProcessId">0x12d0</Data>
<Data Name="NewProcessName">C:\Users\user1\Desktop\PSTools\PsExec64.exe</Data>
<Data Name="TokenElevationType">%%1936</Data>
<Data Name="ProcessId">0x21d4</Data>
<Data Name="CommandLine">PsExec64.exe -i -s -d cmd</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="TargetDomainName">-</Data>
<Data Name="TargetLogonId">0x0</Data>
<Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="MandatoryLabel">S-1-16-12288</Data>
</EventData>
</Event>
<Data Name="SubjectUserSid">S-1-5-21-540864798-2899685673-3651185163-500</Data>
<Data Name="SubjectUserName">user1</Data>
<Data Name="SubjectDomainName">atc-win-10</Data>
<Data Name="SubjectLogonId">0xcdd96</Data>
<Data Name="NewProcessId">0x12d0</Data>
<Data Name="NewProcessName">C:\Users\user1\Desktop\PSTools\PsExec64.exe</Data>
<Data Name="TokenElevationType">%%1936</Data>
<Data Name="ProcessId">0x21d4</Data>
<Data Name="CommandLine">PsExec64.exe -i -s -d cmd</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="TargetDomainName">-</Data>
<Data Name="TargetLogonId">0x0</Data>
<Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="MandatoryLabel">S-1-16-12288</Data>
</EventData>
</Event>
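Review bot: The alias `ProcesssCommandLine` in the fields list (three `s`) reads as a typo rather than a field name any source emits, and it sits directly under `ProcessCommandLine`, which already covers the non-typo spelling. If it is deliberately mirroring a specific backend's field name, a comment naming that backend would justify keeping it, e.g. `- ProcesssCommandLine # redundant, as emitted by <backend>`; otherwise drop the line so the alias list does not teach consumers a field that never appears.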


@ -1,6 +1,6 @@
title: DN_0003_1_windows_sysmon_process_creation
description: >
Windows process creation log, including command line.
Windows process creation log, including command line
loggingpolicy:
- LP_0003_windows_sysmon_process_creation
references:
@ -35,7 +35,7 @@ fields:
- ParentCommandLine
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>1</EventID>
<Version>5</Version>
@ -51,7 +51,7 @@ sample: |
<Computer>test.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="UtcTime">2017-04-28 22:08:22.025</Data>
<Data Name="ProcessGuid">{A23EAE89-BD56-5903-0000-0010E9D95E00}</Data>
<Data Name="ProcessId">6228</Data>
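Review bot: The new description, `Windows process creation log, including command line`, is word-for-word the same as DN_0002's, so nothing in the text tells a reader that this DN is Sysmon Event ID 1 rather than Security 4688 with command line; the two differ in provider, channel and available fields (this one lists `ParentCommandLine`, which 4688 does not have). Suggest `Sysmon process creation log (Event ID 1), including command line and parent command line`. The fields list and sample of this file continue outside the visible hunks.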


@ -1,6 +1,6 @@
title: DN_0004_4624_windows_account_logon
description: >
An account was successfully logged on.
An account was successfully logged on
loggingpolicy:
- LP_0004_windows_audit_logon
references:
@ -12,9 +12,9 @@ channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- AccountName # redundant, inconsistent
- AccountName # redundant
- Hostname
- Computer # redundant, inconsistent
- Computer # redundant
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
@ -60,7 +60,7 @@ sample: |
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO</Computer>
<Security />
</System>
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
@ -89,6 +89,5 @@ sample: |
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>
</EventData>
</Event>

View File

@ -1,6 +1,6 @@
title: DN_0005_7045_windows_service_insatalled
description: >
A service was installed in the system.
A service was installed in the system
loggingpolicy: None
references: None
category: OS Logs
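Review bot: `loggingpolicy: None` and `references: None` are scalar strings here, while the other DN files in this commit express the same thing as a one-item list (`loggingpolicy:` / `- None`, as in DN_0010 and DN_0012), so a consumer iterating these keys will get a string from this file and a list from the others. Suggest making both keys a list here as well: `loggingpolicy:` followed by `  - None`, and the same for `references`. Separately, the title `DN_0005_7045_windows_service_insatalled` carries a typo (`insatalled`); since the title is the identifier other files reference, fixing it means renaming consistently everywhere rather than editing this line alone.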


@ -23,7 +23,7 @@ fields:
- PreviousCreationUtcTime
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>2</EventID>
<Version>4</Version>
@ -38,8 +38,8 @@ sample: |
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
</System>
- <EventData>
<Data Name="UtcTime">2017-07-30 23:26:47.321</Data>
<Data Name="ProcessGuid">{A23EAE89-EF48-5978-0000-00104832B112}</Data>
<Data Name="ProcessId">25968</Data>


@ -33,7 +33,7 @@ fields:
- DestinationPortName
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>3</EventID>
<Version>5</Version>
@ -49,7 +49,7 @@ sample: |
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="UtcTime">2017-04-28 22:12:22.557</Data>
<Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-00102F345D00}</Data>
<Data Name="ProcessId">13220</Data>
@ -61,15 +61,13 @@ sample: |
<Data Name="SourceIp">192.168.1.250</Data>
<Data Name="SourceHostname">rfsH.lab.local</Data>
<Data Name="SourcePort">3328</Data>
<Data Name="SourcePortName">
</Data>
<Data Name="SourcePortName"></Data>
<Data Name="DestinationIsIpv6">false</Data>
<Data Name="DestinationIp">104.130.229.150</Data>
<Data Name="DestinationHostname">
</Data>
<Data Name="DestinationHostname"></Data>
<Data Name="DestinationPort">443</Data>
<Data Name="DestinationPortName">https</Data>
</EventData>
</Event>
</Event>


@ -18,28 +18,26 @@ fields:
- State
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>4</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:52:20.883759300Z" />
<EventRecordID>16761</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3220" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>4</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:52:20.883759300Z" />
<EventRecordID>16761</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3220" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2017-04-28 22:52:20.883</Data>
<Data Name="State">Stopped</Data>
<Data Name="Version">6.01</Data>
<Data Name="SchemaVersion">3.30</Data>
- <EventData>
<Data Name="UtcTime">2017-04-28 22:52:20.883</Data>
<Data Name="State">Stopped</Data>
<Data Name="Version">6.01</Data>
<Data Name="SchemaVersion">3.30</Data>
</EventData>
</Event>
</Event>


@ -18,27 +18,27 @@ fields:
- ProcessId
- Image
sample: |
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>5</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:13:20.896253900Z" />
<EventRecordID>11235</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3964" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>5</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:13:20.896253900Z" />
<EventRecordID>11235</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3964" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2017-04-28 22:13:20.895</Data>
<Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-001009665D00}</Data>
<Data Name="ProcessId">12684</Data>
<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
- <EventData>
<Data Name="UtcTime">2017-04-28 22:13:20.895</Data>
<Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-001009665D00}</Data>
<Data Name="ProcessId">12684</Data>
<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
</EventData>
</Event>


@ -1,6 +1,8 @@
title: DN_0010_6_windows_sysmon_driver_loaded
description: >
The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information
The driver loaded events provides information about a driver being loaded on
the system. The configured hashes are provided as well as signature
information
loggingpolicy:
- None
references:
@ -23,29 +25,28 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>6</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>6</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-12-09T21:41:44.778524700Z" />
<EventRecordID>4565</EventRecordID>
<Correlation />
<Execution ProcessID="2996" ThreadID="3992" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>6</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>6</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-12-09T21:41:44.778524700Z" />
<EventRecordID>4565</EventRecordID>
<Correlation />
<Execution ProcessID="2996" ThreadID="3992" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2018-12-09 21:41:41.091</Data>
<Data Name="ImageLoaded">C:\Windows\System32\drivers\PROCEXP152.SYS</Data>
<Data Name="Hashes">MD5=8213C5972C91A56BE78CD02A4DE4E3FC,SHA256=95D07C3B8DF26790AC43BB4259F65D1E90B03EA31D66F1B3961D85E21C5FF590</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Sysinternals</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="UtcTime">2018-12-09 21:41:41.091</Data>
<Data Name="ImageLoaded">C:\Windows\System32\drivers\PROCEXP152.SYS</Data>
<Data Name="Hashes">MD5=8213C5972C91A56BE78CD02A4DE4E3FC,SHA256=95D07C3B8DF26790AC43BB4259F65D1E90B03EA31D66F1B3961D85E21C5FF590</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Sysinternals</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
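Review bot: The re-wrapped description keeps a subject/verb mismatch, `The driver loaded events provides information`, and it is the one sentence a reader sees when choosing this DN. Suggest `The driver loaded event provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information`. Since the sample shows `Signed`, `Signature` and `SignatureStatus`, it may also be worth a half-sentence that the signature fields are what make this event usable for catching unsigned or unexpectedly signed drivers, if that is how the fields list (outside the visible hunk) presents them.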


@ -1,6 +1,6 @@
title: DN_0011_7_windows_sysmon_image_loaded
description: >
The image loaded event logs when a module is loaded in a specific process.
The image loaded event logs when a module is loaded in a specific process
loggingpolicy:
- LP_0006_windows_sysmon_image_loaded
references:
@ -25,7 +25,7 @@ fields:
- SignatureStatus
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>7</EventID>
<Version>3</Version>
@ -41,7 +41,7 @@ sample: |
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="UtcTime">2017-04-28 22:45:16.662</Data>
<Data Name="ProcessGuid">{A23EAE89-C5FA-5903-0000-0010BF439000}</Data>
<Data Name="ProcessId">12536</Data>
@ -52,5 +52,4 @@ sample: |
<Data Name="Signature">Microsoft Windows</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
</Event>


@ -1,6 +1,7 @@
title: DN_0012_8_windows_sysmon_CreateRemoteThread
description: >
The CreateRemoteThread event detects when a process creates a thread in another process.
The CreateRemoteThread event detects when a process creates a thread in
another process
loggingpolicy:
- None
references:
@ -27,34 +28,33 @@ fields:
- StartFunction
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>8</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-05-13T22:53:43.214864300Z" />
<EventRecordID>739823</EventRecordID>
<Correlation />
<Execution ProcessID="2848" ThreadID="3520" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>8</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-05-13T22:53:43.214864300Z" />
<EventRecordID>739823</EventRecordID>
<Correlation />
<Execution ProcessID="2848" ThreadID="3520" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2017-05-13 22:53:43.214</Data>
<Data Name="SourceProcessGuid">{A23EAE89-8E6D-5917-0000-0010DFAF5004}</Data>
<Data Name="SourceProcessId">8804</Data>
<Data Name="SourceImage">C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe</Data>
<Data Name="TargetProcessGuid">{A23EAE89-8E5A-5917-0000-00100E3E4D04}</Data>
<Data Name="TargetProcessId">2024</Data>
<Data Name="TargetImage">C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe</Data>
<Data Name="NewThreadId">20532</Data>
<Data Name="StartAddress">0x00007FFB09321970</Data>
<Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data Name="StartFunction">DbgUiRemoteBreakin</Data>
<Data Name="UtcTime">2017-05-13 22:53:43.214</Data>
<Data Name="SourceProcessGuid">{A23EAE89-8E6D-5917-0000-0010DFAF5004}</Data>
<Data Name="SourceProcessId">8804</Data>
<Data Name="SourceImage">C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe</Data>
<Data Name="TargetProcessGuid">{A23EAE89-8E5A-5917-0000-00100E3E4D04}</Data>
<Data Name="TargetProcessId">2024</Data>
<Data Name="TargetImage">C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe</Data>
<Data Name="NewThreadId">20532</Data>
<Data Name="StartAddress">0x00007FFB09321970</Data>
<Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data Name="StartFunction">DbgUiRemoteBreakin</Data>
</EventData>
</Event>


@ -1,6 +1,7 @@
title: DN_0013_9_windows_sysmon_RawAccessRead
description: >
The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation.
The RawAccessRead event detects when a process conducts reading operations
from the drive using the \\.\ denotation
loggingpolicy:
- None
references:
@ -21,7 +22,7 @@ fields:
- Device
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>9</EventID>
<Version>2</Version>
@ -37,12 +38,11 @@ sample: |
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="UtcTime">2018-03-22 20:32:22.332</Data>
<Data Name="ProcessGuid">{A23EAE89-C65F-5AB2-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="Image">System</Data>
<Data Name="Device">\Device\HarddiskVolume2</Data>
</EventData>
</Event>
</Event>


@ -1,6 +1,8 @@
title: DN_0014_10_windows_sysmon_ProcessAccess
description: >
The process accessed event reports when a process opens another process, an operation thats often followed by information queries or reading and writing the address space of the target process.
The process accessed event reports when a process opens another process, an
operation thats often followed by information queries or reading and writing
the address space of the target process
loggingpolicy:
- LP_0007_windows_sysmon_ProcessAccess
references:
@ -26,7 +28,7 @@ fields:
- CallTrace
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>10</EventID>
<Version>3</Version>
@ -42,7 +44,7 @@ sample: |
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-30 14:28:35.212</Data>
<Data Name="SourceProcessGUID">{9683FBB1-B470-5C51-0000-0010521EBB00}</Data>
@ -55,5 +57,4 @@ sample: |
<Data Name="GrantedAccess">0x1010</Data>
<Data Name="CallTrace">C:\windows\SYSTEM32\ntdll.dll+9a3c4|C:\windows\System32\KERNELBASE.dll+2fd5d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a906|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7ac75|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a82d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d28c|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d0c4|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4cea1|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+80675|C:\windows\System32\KERNEL32.DLL+13034|C:\windows\SYSTEM32\ntdll.dll+71471</Data>
</EventData>
</Event>
</Event>
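Review bot: The re-wrapped description on the new side reads `an operation thats often followed by`; it needs the apostrophe, `an operation that's often followed by information queries or reading and writing the address space of the target process`. The sample is a good one to keep as is: the `CallTrace` rooted in `mimikatz.exe` with `GrantedAccess` `0x1010` is exactly the shape a process-access detection keys on, so the description could say in one clause that `GrantedAccess` and `CallTrace` are the fields detections usually pivot on.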


@ -1,6 +1,9 @@
title: DN_0015_11_windows_sysmon_FileCreate
description: >
File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
File create operations are logged when a file is created or overwritten. This
event is useful for monitoring autostart locations, like the Startup folder,
as well as temporary and download directories, which are common places
malware drops during initial infection
loggingpolicy:
- LP_0008_windows_sysmon_FileCreate
references:
@ -22,7 +25,7 @@ fields:
- CreationUtcTime
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>11</EventID>
<Version>2</Version>
@ -38,7 +41,7 @@ sample: |
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-30 15:08:51.287</Data>
<Data Name="ProcessGuid">{9683FBB1-9A3F-5C51-0000-0010EB030000}</Data>
@ -47,5 +50,4 @@ sample: |
<Data Name="TargetFilename">C:\Windows\PSEXESVC.exe</Data>
<Data Name="CreationUtcTime">2019-01-30 15:08:51.287</Data>
</EventData>
</Event>
</Event>


@ -1,6 +1,8 @@
title: DN_0016_12_windows_sysmon_RegistryEvent
description: >
Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications.
Registry key and value create and delete operations map to this event type,
which can be useful for monitoring for changes to Registry autostart
locations, or specific malware registry modifications
loggingpolicy:
- None
references:
@ -22,7 +24,7 @@ fields:
- TargetObject
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>12</EventID>
<Version>2</Version>
@ -38,7 +40,7 @@ sample: |
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">DeleteKey</Data>
<Data Name="UtcTime">2019-01-30 17:05:28.023</Data>
@ -47,5 +49,4 @@ sample: |
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Key #1</Data>
</EventData>
</Event>
</Event>


@ -1,6 +1,7 @@
title: DN_0016_13_windows_sysmon_RegistryEvent
description: >
This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD.
This Registry event type identifies Registry value modifications. The event
records the value written for Registry values of type DWORD and QWORD
loggingpolicy:
- None
references:
@ -23,7 +24,7 @@ fields:
- Details
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>13</EventID>
<Version>2</Version>
@ -39,7 +40,7 @@ sample: |
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">SetValue</Data>
<Data Name="UtcTime">2019-01-30 17:06:11.673</Data>
@ -49,5 +50,4 @@ sample: |
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Value #1</Data>
<Data Name="Details">C:\Program Files\Sublime Text 3\sublime_text.exe</Data>
</EventData>
</Event>
</Event>
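Review bot: The title `DN_0016_13_windows_sysmon_RegistryEvent` reuses the `DN_0016` number already taken by `DN_0016_12_windows_sysmon_RegistryEvent` in this same commit, and the following file is `DN_0018_14_...`, so this one was presumably meant to be `DN_0017_13_windows_sysmon_RegistryEvent`. If DN titles serve as unique keys anywhere (cross-references from detection rules or logging policies), the collision will make one of the two entries shadow the other; rename it together with any file that references it rather than only here.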


@ -1,6 +1,7 @@
title: DN_0018_14_windows_sysmon_RegistryEvent
description: >
Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed.
Registry key and value rename operations map to this event type, recording
the new name of the key or value that was renamed
loggingpolicy:
- None
references:
@ -23,31 +24,30 @@ fields:
- Details
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>14</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>14</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T18:16:38.889738400Z" />
<EventRecordID>43065</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>14</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>14</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T18:16:38.889738400Z" />
<EventRecordID>43065</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">RenameKey</Data>
<Data Name="UtcTime">2019-01-30 18:16:38.886</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1</Data>
<Data Name="NewName">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #2</Data>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">RenameKey</Data>
<Data Name="UtcTime">2019-01-30 18:16:38.886</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1</Data>
<Data Name="NewName">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #2</Data>
</EventData>
</Event>
</Event>


@ -1,6 +1,8 @@
title: DN_0019_15_windows_sysmon_FileCreateStreamHash
description: >
This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream.
This event logs when a named file stream is created, and it generates events
that log the hash of the contents of the file to which the stream is assigned
(the unnamed stream), as well as the contents of the named stream
loggingpolicy:
- None
references:
@ -24,30 +26,29 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>15</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>15</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-21T12:43:53.385072700Z" />
<EventRecordID>34115</EventRecordID>
<Correlation />
<Execution ProcessID="2052" ThreadID="4092" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>15</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>15</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-21T12:43:53.385072700Z" />
<EventRecordID>34115</EventRecordID>
<Correlation />
<Execution ProcessID="2052" ThreadID="4092" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-21 12:43:53.368</Data>
<Data Name="ProcessGuid">{9683FBB1-A860-5C45-0000-0010274F1400}</Data>
<Data Name="ProcessId">6604</Data>
<Data Name="Image">C:\windows\Explorer.EXE</Data>
<Data Name="TargetFilename">C:\Users\user1\Downloads\wce_v1_42beta_x64\wce.exe</Data>
<Data Name="CreationUtcTime">2013-11-11 22:41:40.000</Data>
<Data Name="Hash">MD5=CCF1D1573F175299ADE01C07791A6541,SHA256=68A15A34C2E28B9B521A240B948634617D72AD619E3950BC6DC769E60A0C3CF2</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-21 12:43:53.368</Data>
<Data Name="ProcessGuid">{9683FBB1-A860-5C45-0000-0010274F1400}</Data>
<Data Name="ProcessId">6604</Data>
<Data Name="Image">C:\windows\Explorer.EXE</Data>
<Data Name="TargetFilename">C:\Users\user1\Downloads\wce_v1_42beta_x64\wce.exe</Data>
<Data Name="CreationUtcTime">2013-11-11 22:41:40.000</Data>
<Data Name="Hash">MD5=CCF1D1573F175299ADE01C07791A6541,SHA256=68A15A34C2E28B9B521A240B948634617D72AD619E3950BC6DC769E60A0C3CF2</Data>
</EventData>
</Event>


@ -1,6 +1,7 @@
title: DN_0020_17_windows_sysmon_PipeEvent
description: >
This event generates when a named pipe is created. Malware often uses named pipes for interprocess communication.
This event generates when a named pipe is created. Malware often uses named
pipes for interprocess communication
loggingpolicy:
- LP_0009_windows_sysmon_PipeEvent
references:
@ -22,28 +23,27 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>17</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>17</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:37:34.396695400Z" />
<EventRecordID>46617</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>17</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>17</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:37:34.396695400Z" />
<EventRecordID>46617</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 13:37:34.396</Data>
<Data Name="ProcessGuid">{9683FBB1-919E-5C59-0000-0010A0E53B00}</Data>
<Data Name="ProcessId">7128</Data>
<Data Name="PipeName">\PSEXESVC-ATC-WIN-7-2728-stdin</Data>
<Data Name="Image">C:\windows\PSEXESVC.exe</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 13:37:34.396</Data>
<Data Name="ProcessGuid">{9683FBB1-919E-5C59-0000-0010A0E53B00}</Data>
<Data Name="ProcessId">7128</Data>
<Data Name="PipeName">\PSEXESVC-ATC-WIN-7-2728-stdin</Data>
<Data Name="Image">C:\windows\PSEXESVC.exe</Data>
</EventData>
</Event>


@ -1,6 +1,7 @@
title: DN_0021_18_windows_sysmon_PipeEvent
description: >
This event logs when a named pipe connection is made between a client and a server.
This event logs when a named pipe connection is made between a client and a
server
loggingpolicy:
- LP_0009_windows_sysmon_PipeEvent
references:
@ -22,28 +23,27 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>18</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:37:34.457379300Z" />
<EventRecordID>46620</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>tdl-win-10.tdl.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>18</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:37:34.457379300Z" />
<EventRecordID>46620</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>tdl-win-10.tdl.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 13:37:34.455</Data>
<Data Name="ProcessGuid">{9683FBB1-8B5F-5C59-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="PipeName">\PSEXESVC-TDL-WIN-7-2728-stdin</Data>
<Data Name="Image">System</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 13:37:34.455</Data>
<Data Name="ProcessGuid">{9683FBB1-8B5F-5C59-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="PipeName">\PSEXESVC-TDL-WIN-7-2728-stdin</Data>
<Data Name="Image">System</Data>
</EventData>
</Event>


@ -1,6 +1,7 @@
title: DN_0022_19_windows_sysmon_WmiEvent
description: >
When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression.
When a WMI event filter is registered, which is a method used by malware to
execute, this event logs the WMI namespace, filter name and filter expression
loggingpolicy:
- LP_0010_windows_sysmon_WmiEvent
references:
@ -24,30 +25,29 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>19</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>19</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.434534600Z" />
<EventRecordID>46712</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>19</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>19</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.434534600Z" />
<EventRecordID>46712</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiFilterEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.432</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="EventNamespace">"root\\CimV2"</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Query">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="EventType">WmiFilterEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.432</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="EventNamespace">"root\\CimV2"</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Query">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"</Data>
</EventData>
</Event>


@ -1,6 +1,7 @@
title: DN_0023_20_windows_sysmon_WmiEvent
description: >
This event logs the registration of WMI consumers, recording the consumer name, log, and destination.
This event logs the registration of WMI consumers, recording the consumer
name, log, and destination
loggingpolicy:
- LP_0010_windows_sysmon_WmiEvent
references:
@ -24,30 +25,29 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>20</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>20</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.518512400Z" />
<EventRecordID>46713</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>20</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>20</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.518512400Z" />
<EventRecordID>46713</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiConsumerEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.510</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Type">Command Line</Data>
<Data Name="Destination">"C:\\windows\\System32\\notepad.exe"</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="EventType">WmiConsumerEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.510</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Type">Command Line</Data>
<Data Name="Destination">"C:\\windows\\System32\\notepad.exe"</Data>
</EventData>
</Event>


@ -1,6 +1,7 @@
title: DN_0024_21_windows_sysmon_WmiEvent
description: >
When a consumer binds to a filter, this event logs the consumer name and filter path.
When a consumer binds to a filter, this event logs the consumer name and
filter path
loggingpolicy:
- LP_0010_windows_sysmon_WmiEvent
references:
@ -23,29 +24,28 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>21</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>21</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:47.091658300Z" />
<EventRecordID>46714</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>21</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>21</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:47.091658300Z" />
<EventRecordID>46714</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiBindingEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:47.087</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Consumer">"\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
<Data Name="Filter">"\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
</EventData>
</Event>
<Data Name="RuleName" />
<Data Name="EventType">WmiBindingEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:47.087</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Consumer">"\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
<Data Name="Filter">"\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
</EventData>
</Event>


@ -1,6 +1,6 @@
title: DN_0026_5136_windows_directory_service_object_was_modified
description: >
A directory service object was modified.
A directory service object was modified
loggingpolicy: LP_0025_windows_audit_directory_service_changes
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md
category: OS Logs
@ -31,36 +31,36 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T17:36:04.129472600Z" />
<EventRecordID>410204</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4020" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T17:36:04.129472600Z" />
<EventRecordID>410204</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4020" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{02647639-8626-43CE-AFE6-7AA1AD657739}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">CN=Sergey,CN=Builtin,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{4FE80A66-5F93-4F73-B215-68678058E613}</Data>
<Data Name="ObjectClass">user</Data>
<Data Name="AttributeLDAPDisplayName">userAccountControl</Data>
<Data Name="AttributeSyntaxOID">2.5.5.9</Data>
<Data Name="AttributeValue">512</Data>
<Data Name="OperationType">%%14675</Data>
</EventData>
</Event>
<Data Name="OpCorrelationID">{02647639-8626-43CE-AFE6-7AA1AD657739}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">CN=Sergey,CN=Builtin,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{4FE80A66-5F93-4F73-B215-68678058E613}</Data>
<Data Name="ObjectClass">user</Data>
<Data Name="AttributeLDAPDisplayName">userAccountControl</Data>
<Data Name="AttributeSyntaxOID">2.5.5.9</Data>
<Data Name="AttributeValue">512</Data>
<Data Name="OperationType">%%14675</Data>
</EventData>
</Event>


@ -1,6 +1,6 @@
title: DN_0027_4738_user_account_was_changed
description: >
User object is changed.
User object is changed
loggingpolicy: LP_0026_windows_audit_user_account_management
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md
category: OS Logs
@ -42,48 +42,47 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" />
<EventRecordID>175413</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" />
<EventRecordID>175413</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>


@ -1,6 +1,6 @@
title: DN_0028_directory_services_restore_mode_admin_password_set_4794
description: >
Directory Services Restore Mode (DSRM) administrator password is changed.
Directory Services Restore Mode (DSRM) administrator password is changed
loggingpolicy: LP_0026_windows_audit_user_account_management
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md
category: OS Logs
@ -22,28 +22,27 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4794</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T02:49:26.087748900Z" />
<EventRecordID>172348</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="2964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4794</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T02:49:26.087748900Z" />
<EventRecordID>172348</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="2964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36f67</Data>
<Data Name="Workstation">DC01</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36f67</Data>
<Data Name="Workstation">DC01</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>


@ -1,7 +1,7 @@
title: DN_0029_4661_handle_to_an_object_was_requested
description: >
A handle was requested for either an Active Directory object
or a Security Account Manager (SAM) object.
A handle was requested for either an Active Directory object or a Security
Account Manager (SAM) object
loggingpolicy:
- LP_0027_windows_audit_directory_service_access
- LP_0028_windows_audit_sam
@ -35,38 +35,37 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4661</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
<EventRecordID>1048009</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="528" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4661</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
<EventRecordID>1048009</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="528" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4280e</Data>
<Data Name="ObjectServer">Security Account Manager</Data>
<Data Name="ObjectType">SAM\_DOMAIN</Data>
<Data Name="ObjectName">DC=contoso,DC=local</Data>
<Data Name="HandleId">0xdd64d36870</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%5400</Data>
<Data Name="AccessMask">0x2d</Data>
<Data Name="PrivilegeList">Ā</Data>
<Data Name="Properties">-</Data>
<Data Name="RestrictedSidCount">2949165</Data>
<Data Name="ProcessId">0x9000a000d002d</Data>
<Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data>
</EventData>
</Event>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4280e</Data>
<Data Name="ObjectServer">Security Account Manager</Data>
<Data Name="ObjectType">SAM\_DOMAIN</Data>
<Data Name="ObjectName">DC=contoso,DC=local</Data>
<Data Name="HandleId">0xdd64d36870</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%5400</Data>
<Data Name="AccessMask">0x2d</Data>
<Data Name="PrivilegeList">Ā</Data>
<Data Name="Properties">-</Data>
<Data Name="RestrictedSidCount">2949165</Data>
<Data Name="ProcessId">0x9000a000d002d</Data>
<Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data>
</EventData>
</Event>


@ -1,6 +1,6 @@
title: DN_0030_4662_operation_was_performed_on_an_object
description: >
An operation was performed on an Active Directory object.
An operation was performed on an Active Directory object
loggingpolicy: LP_0027_windows_audit_directory_service_access
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md
category: OS Logs
@ -30,36 +30,35 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" />
<EventRecordID>407230</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="600" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" />
<EventRecordID>407230</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="600" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35867</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%1537</Data>
<Data Name="AccessMask">0x10000</Data>
<Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2" />
</EventData>
</Event>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35867</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%1537</Data>
<Data Name="AccessMask">0x10000</Data>
<Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2" />
</EventData>
</Event>


@ -1,6 +1,6 @@
title: DN_0031_7036_service_started_stopped
description: >
Service entered the running/stopped state.
Service entered the running/stopped state
loggingpolicy: None
references: http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm
category: OS Logs


@ -1,6 +1,7 @@
title: DN_0032_5145_network_share_object_was_accessed_detailed
description: >
Network share object (file or folder) was accessed. Detailed log with AccessReason and RelativeTargetName.
Network share object (file or folder) was accessed. Detailed log with
AccessReason and RelativeTargetName
loggingpolicy: LP_0029_windows_audit_detailed_file_share
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md
category: OS Logs
@ -29,35 +30,34 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5145</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12811</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
<EventRecordID>267092</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5145</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12811</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
<EventRecordID>267092</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d34</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
<Data Name="IpPort">56926</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="RelativeTargetName">Bginfo.exe</Data>
<Data Name="AccessMask">0x100081</Data>
<Data Name="AccessList">%%1541 %%4416 %%4423</Data>
<Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
</EventData>
</Event>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d34</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
<Data Name="IpPort">56926</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="RelativeTargetName">Bginfo.exe</Data>
<Data Name="AccessMask">0x100081</Data>
<Data Name="AccessList">%%1541 %%4416 %%4423</Data>
<Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
</EventData>
</Event>


@ -1,6 +1,6 @@
title: DN_0033_5140_network_share_object_was_accessed
description: >
Network share object (file or folder) was accessed.
Network share object (file or folder) was accessed
loggingpolicy: LP_0030_windows_audit_file_share
references: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md
category: OS Logs
@ -27,33 +27,32 @@ fields:
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5140</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:45:13.581231400Z" />
<EventRecordID>268495</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="772" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5140</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:45:13.581231400Z" />
<EventRecordID>268495</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="772" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x541f35</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">10.0.0.100</Data>
<Data Name="IpPort">49212</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="AccessList">%%4416</Data>
</EventData>
</Event>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x541f35</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">10.0.0.100</Data>
<Data Name="IpPort">49212</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="AccessList">%%4416</Data>
</EventData>
</Event>


@ -1,6 +1,8 @@
title: EN_0001_cache_sysmon_event_id_1_info
description: >
Cache Sysmon Event ID 1 (Process Create) data for further enrichments.
data_needed:
- DN_0003_1_windows_sysmon_process_creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
author: Teymur Kheirkhabarov


@ -2,6 +2,10 @@ title: EN_0002_enrich_sysmon_event_id_1_with_parent_info
description: >
Enrich Sysmon Event ID 1 (Process Create) with Parent Integrity Level,
Parent User and Parent of Parent Image fields.
data_needed:
- DN_0003_1_windows_sysmon_process_creation
data_to_enrich:
- DN_0003_1_windows_sysmon_process_creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
author: Teymur Kheirkhabarov
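Review bot: The new `data_needed`/`data_to_enrich` keys both name only `DN_0003_1_windows_sysmon_process_creation`, but the parent integrity level, parent user and grandparent image this enrichment adds can only come from the parent's own Event ID 1, i.e. from the cache that `EN_0001_cache_sysmon_event_id_1_info` builds (the sibling `EN_0003` file in this commit declares exactly that under `requirements`). If the rest of this file, which is outside the hunk, does not already declare it, add `requirements:` followed by `- EN_0001_cache_sysmon_event_id_1_info` so the dependency between the two enrichments is explicit and the cache is guaranteed to exist before this one runs. A one-line comment on `data_to_enrich`, e.g. `# self-join: event 1 of the parent process enriches event 1 of the child`, would also make the same-DN-on-both-sides shape deliberate rather than look like a copy-paste.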


@ -2,16 +2,31 @@ title: EN_0003_enrich_other_sysmon_events_with_event_id_1_data
description: >
Enrich other Sysmon Events with data from Events ID 1 (Process Create)
— Integrity Level, User, Parent Image and CommandLine fields.
data_needed:
- DN_0003_1_windows_sysmon_process_creation
data_to_enrich:
- DN_0006_2_windows_sysmon_process_changed_a_file_creation_time
- DN_0007_3_windows_sysmon_network_connection
- DN_0009_5_windows_sysmon_process_terminated
- DN_0011_7_windows_sysmon_image_loaded
- DN_0013_9_windows_sysmon_RawAccessRead
- DN_0015_11_windows_sysmon_FileCreate
- DN_0016_12_windows_sysmon_RegistryEvent
- DN_0016_13_windows_sysmon_RegistryEvent
- DN_0018_14_windows_sysmon_RegistryEvent
- DN_0019_15_windows_sysmon_FileCreateStreamHash
- DN_0020_17_windows_sysmon_PipeEvent
- DN_0021_18_windows_sysmon_PipeEvent
references:
- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
author: Teymur Kheirkhabarov
requirements:
- EN_0001_cache_sysmon_event_id_1_info
new_fields:
- event_data.IntegrityLevel # redundant, inconsistent
- event_data.User # redundant, inconsistent
- event_data.CommandLine # redundant, inconsistent
- event_data.ParentImage # redundant, inconsistent
- event_data.IntegrityLevel # redundant
- event_data.User # redundant
- event_data.CommandLine # redundant
- event_data.ParentImage # redundant
- IntegrityLevel
- User
- CommandLine
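Review bot: The identifier `DN_0016` appears twice in the new `data_to_enrich` list, once for Sysmon event 12 and once for event 13, while event 14 is `DN_0018`; the event-13 entry presumably should read `DN_0017_13_windows_sysmon_RegistryEvent` — verify against the actual DN file names, because a reference to a non-existent DN silently drops that event type from the enrichment mapping. The list also leaves out Sysmon events 8 (CreateRemoteThread) and 10 (ProcessAccess), which carry the same source-process identifiers and are among the events most worth enriching with integrity level and user for the privilege-escalation hunting the reference describes; if DNs for them exist in the repository, consider adding them here. Finally, `new_fields` now lists both `event_data.IntegrityLevel` and `IntegrityLevel` (likewise for `User` and `CommandLine`) with only a bare `# redundant` marker; a short comment stating which spelling the enrichment actually emits and which is kept for compatibility, e.g. `# TODO(review): state which of the two field spellings is produced and which one detections should query`, would save detection authors from guessing. The enclosing file may continue past this hunk.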


@ -1,11 +1,16 @@
title: EN_0000_some_name_here
description: >
Some text description here. It will be merged into one line.
Some text description here. It will be merged into one line
data_needed: # data needed to do enrichment
- DN_0002_something
data_to_enrich: # data which will be enriched
- DN_0001_something
references:
- http://something.com
author: Some Author
requirements: name of other enrichment if needed # Optional
new_fields: # optional
requirements: # name of other enrichment if needed
- EN_0001_something
new_fields: # optional
- hostname
- ip_address
- username