DataNeeded files for sysmon 2,3,4,5; LoggingPolicy for sysmon network connection
This commit is contained in:
parent
e06591dcfc
commit
46f09463f2
@ -0,0 +1,52 @@
|
||||
title: DN_0006_process_changed_a_file_creation_time_2
|
||||
description: >
|
||||
Explicit modification of file creation timestamp by a process
|
||||
loggingpolicy:
|
||||
- None
|
||||
references:
|
||||
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002
|
||||
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md
|
||||
platform: Windows
|
||||
type: Windows Log
|
||||
channel: Microsoft-Windows-Sysmon/Operational
|
||||
provider: Microsoft-Windows-Sysmon
|
||||
fields:
|
||||
- EventID
|
||||
- Computer
|
||||
- UtcTime
|
||||
- ProcessGuid
|
||||
- ProcessId
|
||||
- Image
|
||||
- TargetFilename
|
||||
- CreationUtcTime
|
||||
- PreviousCreationUtcTime
|
||||
sample: |
|
||||
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
|
||||
- <System>
|
||||
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
|
||||
<EventID>2</EventID>
|
||||
<Version>4</Version>
|
||||
<Level>4</Level>
|
||||
<Task>2</Task>
|
||||
<Opcode>0</Opcode>
|
||||
<Keywords>0x8000000000000000</Keywords>
|
||||
<TimeCreated SystemTime="2017-07-30T23:26:47.322369100Z" />
|
||||
<EventRecordID>5256170</EventRecordID>
|
||||
<Correlation />
|
||||
<Execution ProcessID="4740" ThreadID="5948" />
|
||||
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
|
||||
<Computer>rfsH.lab.local</Computer>
|
||||
<Security UserID="S-1-5-18" />
|
||||
</System>
|
||||
- <EventData>
|
||||
<Data Name="UtcTime">2017-07-30 23:26:47.321</Data>
|
||||
<Data Name="ProcessGuid">{A23EAE89-EF48-5978-0000-00104832B112}</Data>
|
||||
<Data Name="ProcessId">25968</Data>
|
||||
<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
|
||||
<Data Name="TargetFilename">C:\Users\rsmith.LAB\AppData\Local\Google\Chrome\User Data\Default\c61f44ce-5bb0-4efe-acc1-246fa8a3df1d.tmp</Data>
|
||||
<Data Name="CreationUtcTime">2016-11-25 18:21:47.692</Data>
|
||||
<Data Name="PreviousCreationUtcTime">2017-07-30 23:26:47.317</Data>
|
||||
</EventData>
|
||||
</Event>
|
||||
|
||||
|
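Review bot: The `sample` block is not well-formed XML, because three of its lines keep the Event Viewer tree-view collapse markers: `- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">`, `- <System>` and `- <EventData>`; the leading `- ` should be dropped so they read `<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">`, `<System>` and `<EventData>`, as the DN_0009 process-terminated sample in this commit already does. The same markers appear in the DN_0007 network-connection file and the service-state-changed file, so the fix applies there too. As a point of style, the title `DN_0006_process_changed_a_file_creation_time_2` does not follow the `DN_<n>_windows_sysmon_<event>_<id>` pattern of the other three DataNeeded files; something like `DN_0006_windows_sysmon_file_creation_time_changed_2` would be consistent, assuming the file name follows the title as it does for the other files. The file header for this section is not shown on the page, so the actual path could not be checked.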
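--- /dev/null
+++ b/dataneeded/DN_0007_windows_sysmon_network_connection_3.yml
@@ -0,0 +1,74 @@
+title: DN_0007_windows_sysmon_network_connection_3
+description: >
+TCP/UDP connections made by a process
+loggingpolicy:
+- LP_0005_windows_sysmon_network_connection
+references:
+- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003
+- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md
+platform: Windows
+type: Windows Log
+channel: Microsoft-Windows-Sysmon/Operational
+provider: Microsoft-Windows-Sysmon
+fields:
+- EventID
+- Computer
+- UtcTime
+- ProcessGuid
+- ProcessId
+- Image
+- User
+- Protocol
+- Initiated
+- SourceIsIpv6
+- SourceIp
+- SourceHostname
+- SourcePort
+- SourcePortName
+- DestinationIsIpv6
+- DestinationIp
+- DestinationHostname
+- DestinationPort
+- DestinationPortName
+sample: |
+- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+- <System>
+<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
+<EventID>3</EventID>
+<Version>5</Version>
+<Level>4</Level>
+<Task>3</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8000000000000000</Keywords>
+<TimeCreated SystemTime="2017-04-28T22:12:23.657698300Z" />
+<EventRecordID>10953</EventRecordID>
+<Correlation />
+<Execution ProcessID="3216" ThreadID="3976" />
+<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+<Computer>rfsH.lab.local</Computer>
+<Security UserID="S-1-5-18" />
+</System>
+- <EventData>
+<Data Name="UtcTime">2017-04-28 22:12:22.557</Data>
+<Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-00102F345D00}</Data>
+<Data Name="ProcessId">13220</Data>
+<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+<Data Name="User">LAB\rsmith</Data>
+<Data Name="Protocol">tcp</Data>
+<Data Name="Initiated">true</Data>
+<Data Name="SourceIsIpv6">false</Data>
+<Data Name="SourceIp">192.168.1.250</Data>
+<Data Name="SourceHostname">rfsH.lab.local</Data>
+<Data Name="SourcePort">3328</Data>
+<Data Name="SourcePortName">
+</Data>
+<Data Name="DestinationIsIpv6">false</Data>
+<Data Name="DestinationIp">104.130.229.150</Data>
+<Data Name="DestinationHostname">
+</Data>
+<Data Name="DestinationPort">443</Data>
+<Data Name="DestinationPortName">https</Data>
+</EventData>
+</Event>
+
+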
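Review bot: The two empty values in the sample are written as an open tag on one line and the close tag on the next, `<Data Name="SourcePortName">` / `</Data>` and `<Data Name="DestinationHostname">` / `</Data>`, which reads like a truncated element rather than an empty one. Keeping each on a single line, `<Data Name="SourcePortName"></Data>` and `<Data Name="DestinationHostname"></Data>`, makes it clear that the capture carried an empty string for these two fields and keeps the sample aligned one field per line like the rest of the block. The `- <Event`, `- <System>` and `- <EventData>` collapse markers in this sample are the same issue raised on the DN_0006 file.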
@ -0,0 +1,44 @@
|
||||
title: DN_0007_windows_sysmon_sysmon_service_state_changed_4
|
||||
description: >
|
||||
Sysmon service changed status
|
||||
loggingpolicy:
|
||||
- None
|
||||
references:
|
||||
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004
|
||||
- https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md
|
||||
platform: Windows
|
||||
type: Windows Log
|
||||
channel: Microsoft-Windows-Sysmon/Operational
|
||||
provider: Microsoft-Windows-Sysmon
|
||||
fields:
|
||||
- EventID
|
||||
- Computer
|
||||
- UtcTime
|
||||
- State
|
||||
sample: |
|
||||
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
|
||||
- <System>
|
||||
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
|
||||
<EventID>4</EventID>
|
||||
<Version>3</Version>
|
||||
<Level>4</Level>
|
||||
<Task>4</Task>
|
||||
<Opcode>0</Opcode>
|
||||
<Keywords>0x8000000000000000</Keywords>
|
||||
<TimeCreated SystemTime="2017-04-28T22:52:20.883759300Z" />
|
||||
<EventRecordID>16761</EventRecordID>
|
||||
<Correlation />
|
||||
<Execution ProcessID="3216" ThreadID="3220" />
|
||||
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
|
||||
<Computer>rfsH.lab.local</Computer>
|
||||
<Security UserID="S-1-5-18" />
|
||||
</System>
|
||||
- <EventData>
|
||||
<Data Name="UtcTime">2017-04-28 22:52:20.883</Data>
|
||||
<Data Name="State">Stopped</Data>
|
||||
<Data Name="Version">6.01</Data>
|
||||
<Data Name="SchemaVersion">3.30</Data>
|
||||
</EventData>
|
||||
</Event>
|
||||
|
||||
|
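Review bot: The title `DN_0007_windows_sysmon_sysmon_service_state_changed_4` reuses the DN_0007 identifier already taken by the network-connection file in this same commit, so the two DataNeeded entries cannot be told apart by id; the surrounding files are DN_0006, DN_0007 and DN_0009, so DN_0008 is presumably what was intended, `title: DN_0008_windows_sysmon_sysmon_service_state_changed_4`. The `fields` list also omits `Version` and `SchemaVersion`, both of which the sample's EventData carries, so `- Version` and `- SchemaVersion` should be appended after `- State` if the list is meant to enumerate what the event provides. The file header for this section is not shown on the page, so whether the file name carries the same duplicated id could not be checked.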
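--- /dev/null
+++ b/dataneeded/DN_0009_windows_sysmon_process_terminated_5.yml
@@ -0,0 +1,47 @@
+title: DN_0009_windows_sysmon_process_terminated_5
+description: >
+Process has been terminated
+loggingpolicy:
+- None
+references:
+- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005
+platform: Windows
+type: Windows Log
+channel: Microsoft-Windows-Sysmon/Operational
+provider: Microsoft-Windows-Sysmon
+fields:
+- EventID
+- Computer
+- UtcTime
+- ProcessGuid
+- ProcessId
+- Image
+sample: |
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+<System>
+<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
+<EventID>5</EventID>
+<Version>3</Version>
+<Level>4</Level>
+<Task>5</Task>
+<Opcode>0</Opcode>
+<Keywords>0x8000000000000000</Keywords>
+<TimeCreated SystemTime="2017-04-28T22:13:20.896253900Z" />
+<EventRecordID>11235</EventRecordID>
+<Correlation />
+<Execution ProcessID="3216" ThreadID="3964" />
+<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+<Computer>rfsH.lab.local</Computer>
+<Security UserID="S-1-5-18" />
+</System>
+<EventData>
+<Data Name="UtcTime">2017-04-28 22:13:20.895</Data>
+<Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-001009665D00}</Data>
+<Data Name="ProcessId">12684</Data>
+<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+</EventData>
+</Event>
+
+
+
+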
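Review bot: The `references` list for this file carries only the ultimatewindowssecurity entry, while the other three DataNeeded files in this commit pair that link with the matching OSSEM data-dictionary page (event-2.md, event-3.md, event-4.md); if OSSEM has an event-5 page, adding it here keeps the four files consistent for whoever maintains the field lists against OSSEM. This sample is the clean one in the set: its `<Event>`, `<System>` and `<EventData>` lines have no tree-view markers, so it can serve as the reference form when the other three samples are fixed.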
@ -0,0 +1,17 @@
|
||||
title: LP_0005_windows_sysmon_network_connection
|
||||
default: Not configured
|
||||
volume: High
|
||||
description: >
|
||||
The network connection event logs TCP/UDP connections on the machine.
|
||||
It is disabled by default. Each connection is linked to a process
|
||||
through the ProcessId and ProcessGUID fields. The event also contains
|
||||
the source and destination host names IP addresses, port numbers and IPv6 status.
|
||||
eventID:
|
||||
- 3
|
||||
references:
|
||||
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
|
||||
configuration: |
|
||||
Sysmon event id 3 is disabled by default.
|
||||
It can be enabled by specyfying -n option
|
||||
However due to high level of produced logs it should be filtred with configuration file
|
||||
Sample configuration might be found here: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
|
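Review bot: The `description` and `configuration` text carries spelling and punctuation slips that will surface verbatim in any generated documentation: `the source and destination host names IP addresses, port numbers and IPv6 status.` is missing a comma after `host names`, `It can be enabled by specyfying -n option` should read `It can be enabled by specifying the -n option`, and `However due to high level of produced logs it should be filtred with configuration file` should read `However, due to the high volume of produced logs it should be filtered with a configuration file`. The `default: Not configured` value and the sentence `It is disabled by default.` describe the same thing in two different vocabularies; picking one wording for both keeps the policy file self-consistent. The file header for this section is not shown on the page.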