resolve conflicts

This commit is contained in:
Yugoslavskiy Daniil 2020-11-04 15:37:06 +01:00
commit 7ffa14d1c4
994 changed files with 115497 additions and 233 deletions

View File

@ -0,0 +1,8 @@
| Title | CU_0001_TESTCUSTOMER |
|:-------------------|:--------------------|
| **Customer Name** | TESTCUSTOMER |
| **Description** | Some text description here. It will be merged into one line. |
| **Use Cases** | <ul><li>[UC_0001_TESTUSECASE](../Use_Cases/UC_0001_TESTUSECASE.md)</li><li>[UC_0002_INITIALACCESS](../Use_Cases/UC_0002_INITIALACCESS.md)</li></ul> |
| **Data Needed** |<ul><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
| **Detection Rule** | <ul><li>[SquiblyTwo](../Detection_Rules/win_bypass_squiblytwo.md)</li><li>[Cmdkey Cached Credentials Recon](../Detection_Rules/win_cmdkey_recon.md)</li><li>[CMSTP UAC Bypass via COM Object Access](../Detection_Rules/win_cmstp_com_object_access.md)</li><li>[CMSTP Execution](../Detection_Rules/sysmon_cmstp_execution.md)</li><li>[Exploit for CVE-2015-1641](../Detection_Rules/win_exploit_cve_2015_1641.md)</li><li>[Exploit for CVE-2017-0261](../Detection_Rules/win_exploit_cve_2017_0261.md)</li><li>[Dridex Process Pattern](../Detection_Rules/win_malware_dridex.md)</li></ul> |
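Review bot: the Logging Policy row links `../Logging_Policies/LP_0001_windows_audit_process_creation.md` (underscore after `LP`), while the DN_0001 page added in this same commit links the same policy as `LP0001_windows_audit_process_creation.md`; only one of these paths can resolve, so settle on one identifier scheme and regenerate both sets of pages. The Description row still carries the template placeholder ("Some text description here. It will be merged into one line."); if this customer page is a test fixture, say so, otherwise replace the text before merge.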

View File

@ -0,0 +1,8 @@
| Title | CU_0002_TESTCUSTOMER2 |
|:-------------------|:--------------------|
| **Customer Name** | TESTCUSTOMER2 |
| **Description** | Some text description here. It will be merged into one line. |
| **Use Cases** | <ul></ul> |
| **Data Needed** |<ul><li>[DN_0001_4688_windows_process_creation](../Data_Needed/DN_0001_4688_windows_process_creation.md)</li><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
| **Detection Rule** | <ul><li>[SquiblyTwo](../Detection_Rules/win_bypass_squiblytwo.md)</li><li>[Cmdkey Cached Credentials Recon](../Detection_Rules/win_cmdkey_recon.md)</li><li>[CMSTP UAC Bypass via COM Object Access](../Detection_Rules/win_cmstp_com_object_access.md)</li></ul> |
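Review bot: the Use Cases row renders an empty `<ul></ul>`, which shows up as a blank cell; the generator should emit a plain "None" (as the Logging Policy rows elsewhere do with "Not existing") when the list is empty. The placeholder Description from CU_0001 is repeated here, and the `LP_0001` link has the same underscore mismatch with the `LP0001` paths used on the DN pages.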

View File

@ -0,0 +1,58 @@
| Title | DN_0001_4688_windows_process_creation |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Windows process creation log, not including command line |
| **Logging Policy** | <ul><li>[LP0001_windows_audit_process_creation](../Logging_Policies/LP0001_windows_audit_process_creation.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>NewProcessId</li><li>NewProcessName</li><li>TokenElevationType</li><li>ProcessId</li><li>ProcessPid</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetLogonId</li><li>ParentProcessName</li><li>MandatoryLabel</li><li>ProcessName</li><li>Image</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" />
<EventRecordID>2814</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="400" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessId">0x2bc</Data>
<Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="TokenElevationType">%%1938</Data>
<Data Name="ProcessId">0xe74</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x4a5af0</Data>
<Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="MandatoryLabel">S-1-16-8192</Data>
</EventData>
</Event>
```
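Review bot: the Logging Policy link `LP0001_windows_audit_process_creation.md` does not match the `LP_0001_...` path used by the customer pages in this commit; one of the two is a dead link. In the raw sample, `NewProcessName` and `ParentProcessName` have doubled backslashes (`C:\\Windows\\System32\\rundll32.exe`), unlike the single-backslash paths in the other samples; since the page presents this as a raw event, normalize the escaping so nobody builds a field-extraction test on it. The leading `- ` before `<Event>`, `<System>` and `<EventData>` are Event Viewer tree-collapse markers rather than XML and appear in every sample; worth stripping in the template so the block is well-formed XML.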

View File

@ -0,0 +1,59 @@
| Title | DN_0002_4688_windows_process_creation_with_commandline |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Windows process creation log, including command line |
| **Logging Policy** | <ul><li>[LP0001_windows_audit_process_creation](../Logging_Policies/LP0001_windows_audit_process_creation.md)</li><li>[LP0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP0002_windows_audit_process_creation_with_commandline.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>NewProcessId</li><li>ProcessId</li><li>NewProcessName</li><li>ProcessName</li><li>NewProcessName</li><li>Image</li><li>TokenElevationType</li><li>CommandLine</li><li>ProcessCommandLine</li><li>ProcesssCommandLine</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetLogonId</li><li>ParentProcessName</li><li>ParentImage</li><li>MandatoryLabel</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-02-06T20:34:57.910980700Z" />
<EventRecordID>3542561</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="92" />
<Channel>Security</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-540864798-2899685673-3651185163-500</Data>
<Data Name="SubjectUserName">user1</Data>
<Data Name="SubjectDomainName">atc-win-10</Data>
<Data Name="SubjectLogonId">0xcdd96</Data>
<Data Name="NewProcessId">0x12d0</Data>
<Data Name="NewProcessName">C:\Users\user1\Desktop\PSTools\PsExec64.exe</Data>
<Data Name="TokenElevationType">%%1936</Data>
<Data Name="ProcessId">0x21d4</Data>
<Data Name="CommandLine">PsExec64.exe -i -s -d cmd</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="TargetDomainName">-</Data>
<Data Name="TargetLogonId">0x0</Data>
<Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
<Data Name="MandatoryLabel">S-1-16-12288</Data>
</EventData>
</Event>
```
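Review bot: the Fields row contains `ProcesssCommandLine` (three s) and lists `NewProcessName` twice; the misspelled name can never match a real field, so any rule-to-field mapping that relies on this list silently loses it. Drop the duplicate and fix the spelling.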

View File

@ -0,0 +1,66 @@
| Title | DN_0003_1_windows_sysmon_process_creation |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Windows process creation log, including command line |
| **Logging Policy** | <ul><li>[LP0003_windows_sysmon_process_creation](../Logging_Policies/LP0003_windows_sysmon_process_creation.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>UtcTime</li><li>Username</li><li>User</li><li>ProcessGuid</li><li>ProcessId</li><li>ProcessName</li><li>CommandLine</li><li>LogonGuid</li><li>LogonId</li><li>TerminalSessionid</li><li>IntegrityLevel</li><li>Hashes</li><li>Imphash</li><li>Sha256hash</li><li>Sha1hash</li><li>Md5hash</li><li>Image</li><li>ParentImage</li><li>ParentProcessGuid</li><li>ParentProcessId</li><li>ParentProcessName</li><li>ParentCommandLine</li><li>OriginalFileName</li><li>FileVersion</li><li>Description</li><li>Product</li><li>Company</li><li>CurrentDirectory</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-07-09T03:44:58.290314900Z" />
<EventRecordID>4219</EventRecordID>
<Correlation />
<Execution ProcessID="1976" ThreadID="3196" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-07-09 03:44:58.036</Data>
<Data Name="ProcessGuid">{717CFEC0-0DBA-5D24-0000-001087BC0800}</Data>
<Data Name="ProcessId">5500</Data>
<Data Name="Image">C:\Windows\System32\conhost.exe</Data>
<Data Name="FileVersion">10.0.14393.0 (rs1_release.160715-1616)</Data>
<Data Name="Description">Console Window Host</Data>
<Data Name="Product">Microsoft® Windows® Operating System</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="OriginalFileName">CONHOST.EXE</Data>
<Data Name="CommandLine">\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1</Data>
<Data Name="CurrentDirectory">C:\Windows</Data>
<Data Name="User">atc-win-10\yugoslavskiy</Data>
<Data Name="LogonGuid">{717CFEC0-0DA0-5D24-0000-0020D0F50300}</Data>
<Data Name="LogonId">0x3f5d0</Data>
<Data Name="TerminalSessionId">1</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">MD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0</Data>
<Data Name="ParentProcessGuid">{717CFEC0-0DB9-5D24-0000-0010C9BB0800}</Data>
<Data Name="ParentProcessId">4412</Data>
<Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
<Data Name="ParentCommandLine">"C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\yugoslavskiy\AppData\Local\Microsoft\OneDrive\19.086.0502.0006"</Data>
</EventData>
</Event>
```
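Review bot: the Description ("Windows process creation log, including command line") is copied verbatim from DN_0002 (Security 4688) and never says this page is Sysmon Event ID 1; since the Data Needed pages are what a consumer reads to tell the two sources apart, name the provider here. The Fields row lists `TerminalSessionid`, while the sample (and the provider) emit `TerminalSessionId`; field names are case-sensitive in most backends, so align it. The sample also carries a real account (`atc-win-10\yugoslavskiy`) in `User` and `ParentCommandLine`; fine for a lab capture, but the other samples use `user1`, so consider anonymizing for consistency.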

View File

@ -0,0 +1,71 @@
| Title | DN_0004_4624_windows_account_logon |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | An account was successfully logged on |
| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4624.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4624.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>AccountName</li><li>Hostname</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetLogonId</li><li>LogonType</li><li>LogonProcessName</li><li>AuthenticationPackageName</li><li>WorkstationName</li><li>LogonGuid</li><li>TransmittedServices</li><li>LmPackageName</li><li>KeyLength</li><li>ProcessId</li><li>ProcessName</li><li>IpAddress</li><li>IpPort</li><li>ImpersonationLevel</li><li>RestrictedAdminMode</li><li>TargetOutboundUserName</li><li>TargetOutboundDomainName</li><li>VirtualAccount</li><li>TargetLinkedLogonId</li><li>ElevatedToken</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T00:24:35.079785200Z" />
<EventRecordID>211</EventRecordID>
<Correlation ActivityID="{00D66690-1CDF-0000-AC66-D600DF1CD101}" />
<Execution ProcessID="716" ThreadID="760" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data>
<Data Name="TargetLogonId">0x8dcdc</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">WIN-GG82ULGC9GO</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x44c</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>
```
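Review bot: same doubled-backslash escaping in `ProcessName` (`C:\\Windows\\System32\\svchost.exe`) as in the DN_0001 sample, inconsistent with the other samples; normalize. The Fields row lists `AccountName`, which does not occur in the sample's EventData; if it is a normalized alias for `TargetUserName`, the page should say so, otherwise rules mapped against this list will reference a field that never appears in the raw event.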

View File

@ -0,0 +1,49 @@
| Title | DN_0005_7045_windows_service_insatalled |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | A service was installed in the system |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[None](None)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | System |
| **Provider** | Service Control Manager |
| **Fields** | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>ProcessID</li><li>ServiceName</li><li>ImagePath</li><li>ServiceFileName</li><li>ServiceType</li><li>StartType</li><li>AccountName</li><li>UserSid</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="16384">7045</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2017-07-02T15:48:56.256752900Z" />
<EventRecordID>762</EventRecordID>
<Correlation />
<Execution ProcessID="568" ThreadID="1792" />
<Channel>System</Channel>
<Computer>DESKTOP</Computer>
<Security UserID="S-1-5-21-2073602604-586167410-2329295167-1001" />
</System>
- <EventData>
<Data Name="ServiceName">sshd</Data>
<Data Name="ImagePath">C:\Program Files\OpenSSH\sshd.exe</Data>
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSystem</Data>
</EventData>
</Event>
```
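Review bot: the Title (and presumably the file name) is misspelled, `insatalled`; other pages link Data Needed entries by this identifier, so fix it before anything references it. The References row renders `[None](None)`, a literal link to a path called `None`; when the list is empty the generator should emit plain text, as the Logging Policy row does with "Not existing". "Not existing" itself is ambiguous for an event on the default System channel: it reads as "no policy written yet" rather than "no policy required", so say which is meant.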

View File

@ -0,0 +1,52 @@
| Title | DN_0006_2_windows_sysmon_process_changed_a_file_creation_time |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Explicit modification of file creation timestamp by a process |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90002)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-2.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li><li>PreviousCreationUtcTime</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>2</EventID>
<Version>4</Version>
<Level>4</Level>
<Task>2</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-12-10T15:08:56.961102400Z" />
<EventRecordID>6994</EventRecordID>
<Correlation />
<Execution ProcessID="2940" ThreadID="3576" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2018-12-10 15:08:56.954</Data>
<Data Name="ProcessGuid">{9683FBB1-8164-5C0E-0000-00104B532800}</Data>
<Data Name="ProcessId">2788</Data>
<Data Name="Image">C:\Users\user1\AppData\Local\Temp\chocolatey\wireshark\2.6.5\Wireshark-win64-2.6.5.exe</Data>
<Data Name="TargetFilename">C:\Program Files\Wireshark\user-guide.chm</Data>
<Data Name="CreationUtcTime">2018-11-28 18:37:08.000</Data>
<Data Name="PreviousCreationUtcTime">2018-12-10 15:08:56.486</Data>
</EventData>
</Event>
```
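Review bot: the sample is a benign case (the Wireshark installer run via chocolatey rewriting the creation time of `user-guide.chm`), and the page does not say so; since installers are the usual source of this event, a one-line note beside the sample would stop readers from treating the raw log as an example of malicious timestomping.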

View File

@ -0,0 +1,62 @@
| Title | DN_0007_3_windows_sysmon_network_connection |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | TCP/UDP connections made by a process |
| **Logging Policy** | <ul><li>[LP0005_windows_sysmon_network_connection](../Logging_Policies/LP0005_windows_sysmon_network_connection.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>User</li><li>Protocol</li><li>Initiated</li><li>SourceIsIpv6</li><li>SourceIp</li><li>SourceHostname</li><li>SourcePort</li><li>SourcePortName</li><li>DestinationIsIpv6</li><li>DestinationIp</li><li>DestinationHostname</li><li>DestinationPort</li><li>DestinationPortName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T15:16:29.384924000Z" />
<EventRecordID>16000</EventRecordID>
<Correlation />
<Execution ProcessID="1828" ThreadID="2764" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>ATC-WIN-7.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 15:16:17.411</Data>
<Data Name="ProcessGuid">{A96EFBF1-A8C9-5C59-0000-0010D274D300}</Data>
<Data Name="ProcessId">3900</Data>
<Data Name="Image">C:\Users\user1\Desktop\SysinternalsSuite\PsExec.exe</Data>
<Data Name="User">ATC-WIN-7\user1</Data>
<Data Name="Protocol">tcp</Data>
<Data Name="Initiated">true</Data>
<Data Name="SourceIsIpv6">false</Data>
<Data Name="SourceIp">10.0.0.111</Data>
<Data Name="SourceHostname">ATC-WIN-7.atc.local</Data>
<Data Name="SourcePort">49603</Data>
<Data Name="SourcePortName" />
<Data Name="DestinationIsIpv6">false</Data>
<Data Name="DestinationIp">10.0.0.103</Data>
<Data Name="DestinationHostname">ATC-WIN-10</Data>
<Data Name="DestinationPort">135</Data>
<Data Name="DestinationPortName">epmap</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,48 @@
| Title | DN_0008_4_windows_sysmon_sysmon_service_state_changed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Sysmon service changed status |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90004)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-4.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>State</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>4</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T13:11:20.289486200Z" />
<EventRecordID>45818</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2019-02-05 13:11:20.281</Data>
<Data Name="State">Started</Data>
<Data Name="Version">8.00</Data>
<Data Name="SchemaVersion">4.10</Data>
</EventData>
</Event>
```
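Review bot: the Fields row lists only EventID, Computer, Hostname, UtcTime and State, but the sample's EventData also carries `Version` and `SchemaVersion`; add them, since a Sysmon version or schema change is exactly what a consumer of this event would want to key on.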

View File

@ -0,0 +1,49 @@
| Title | DN_0009_5_windows_sysmon_process_terminated |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Process has been terminated |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90005)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>5</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>5</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T15:16:38.833314100Z" />
<EventRecordID>57994</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="4192" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-02-05 15:16:38.821</Data>
<Data Name="ProcessGuid">{9683FBB1-A8D6-5C59-0000-001009797000}</Data>
<Data Name="ProcessId">2440</Data>
<Data Name="Image">C:\Windows\PSEXESVC.exe</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,51 @@
| Title | DN_0010_6_windows_sysmon_driver_loaded |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The driver loaded events provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90006)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-6.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ImageLoaded</li><li>Hashes</li><li>Sha256hash</li><li>Md5hash</li><li>Signed</li><li>Signature</li><li>SignatureStatus</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>6</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>6</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-12-09T21:41:44.778524700Z" />
<EventRecordID>4565</EventRecordID>
<Correlation />
<Execution ProcessID="2996" ThreadID="3992" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2018-12-09 21:41:41.091</Data>
<Data Name="ImageLoaded">C:\Windows\System32\drivers\PROCEXP152.SYS</Data>
<Data Name="Hashes">MD5=8213C5972C91A56BE78CD02A4DE4E3FC,SHA256=95D07C3B8DF26790AC43BB4259F65D1E90B03EA31D66F1B3961D85E21C5FF590</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Sysinternals</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
```
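Review bot: grammar in the Description: "The driver loaded events provides" should read "The driver loaded event provides". The Fields row lists `Sha256hash` and `Md5hash` but not `Sha1hash` or `Imphash`, whereas DN_0003 lists all four; if these are derived from `Hashes`, the Sysmon pages should use one convention, or the row should state that the available fields depend on the configured hash algorithms (the Description already mentions "configured hashes").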

View File

@ -0,0 +1,59 @@
| Title | DN_0011_7_windows_sysmon_image_loaded |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The image loaded event logs when a module is loaded in a specific process |
| **Logging Policy** | <ul><li>[LP0006_windows_sysmon_image_loaded](../Logging_Policies/LP0006_windows_sysmon_image_loaded.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>ImageLoaded</li><li>FileVersion</li><li>Description</li><li>Product</li><li>Company</li><li>OriginalFileName</li><li>Hashes</li><li>Signed</li><li>Signature</li><li>SignatureStatus</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-07-09T04:15:07.860831900Z" />
<EventRecordID>9146</EventRecordID>
<Correlation />
<Execution ProcessID="1540" ThreadID="3456" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-07-09 04:13:59.602</Data>
<Data Name="ProcessGuid">{717CFEC0-1487-5D24-0000-00103F202900}</Data>
<Data Name="ProcessId">2352</Data>
<Data Name="Image">C:\Windows\System32\sihost.exe</Data>
<Data Name="ImageLoaded">C:\Windows\System32\msvcrt.dll</Data>
<Data Name="FileVersion">7.0.14393.0 (rs1_release.160715-1616)</Data>
<Data Name="Description">Windows NT CRT DLL</Data>
<Data Name="Product">Microsoft® Windows® Operating System</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="OriginalFileName">msvcrt.dll</Data>
<Data Name="Hashes">MD5=94EF9321C287FC1B179419E662996A41,SHA256=555B434EC9E8628820905A8F1D7BC7F8EE99C6D44A01892ADD16E39E6B675A0D</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Microsoft Windows</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
```
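Review bot: the Fields row has `Hashes` only, while DN_0010 also lists the derived `Sha256hash`/`Md5hash` for the same kind of field; pick one convention across the Sysmon pages so rule authors know which name to use.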

View File

@ -0,0 +1,55 @@
| Title | DN_0012_8_windows_sysmon_CreateRemoteThread |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The CreateRemoteThread event detects when a process creates a thread in another process |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-8.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>SourceProcessGuid</li><li>SourceProcessId</li><li>SourceImage</li><li>TargetProcessGuid</li><li>TargetProcessId</li><li>TargetImage</li><li>NewThreadId</li><li>StartAddress</li><li>StartModule</li><li>StartFunction</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>8</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-05-13T22:53:43.214864300Z" />
<EventRecordID>739823</EventRecordID>
<Correlation />
<Execution ProcessID="2848" ThreadID="3520" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2017-05-13 22:53:43.214</Data>
<Data Name="SourceProcessGuid">{A23EAE89-8E6D-5917-0000-0010DFAF5004}</Data>
<Data Name="SourceProcessId">8804</Data>
<Data Name="SourceImage">C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe</Data>
<Data Name="TargetProcessGuid">{A23EAE89-8E5A-5917-0000-00100E3E4D04}</Data>
<Data Name="TargetProcessId">2024</Data>
<Data Name="TargetImage">C:\repos\Supercharger\Mtg.Supercharger.ControllerService\bin\x64\Debug\Mtg.Supercharger.ControllerService.exe</Data>
<Data Name="NewThreadId">20532</Data>
<Data Name="StartAddress">0x00007FFB09321970</Data>
<Data Name="StartModule">C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data Name="StartFunction">DbgUiRemoteBreakin</Data>
</EventData>
</Event>
```
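Review bot: the Logging Policy cell in the DN_0012 table reads "Not existing", while the sibling Sysmon entries in this commit (DN_0014, DN_0015, DN_0020, DN_0021, DN_0022 to DN_0024) each link a Sysmon logging policy; for consistency either add an LP that states which Sysmon configuration produces event 8, or say in the cell why none is needed. The same applies to the "Not existing" cells on DN_0013, DN_0016, DN_0017, DN_0018 and DN_0019. A sentence on the sample would also help: msvsmon.exe (the Visual Studio remote debugger) starting a thread at ntdll.dll!DbgUiRemoteBreakin in a debuggee is the benign debugger pattern a rule on this event has to exclude, so readers should not take it as a malicious baseline.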

@ -0,0 +1,49 @@
| Title | DN_0013_9_windows_sysmon_RawAccessRead |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90009)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-9.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>Device</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>9</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>9</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-03-22T20:32:22.333778700Z" />
<EventRecordID>1944686</EventRecordID>
<Correlation />
<Execution ProcessID="19572" ThreadID="21888" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="UtcTime">2018-03-22 20:32:22.332</Data>
<Data Name="ProcessGuid">{A23EAE89-C65F-5AB2-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="Image">System</Data>
<Data Name="Device">\Device\HarddiskVolume2</Data>
</EventData>
</Event>
```
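Review bot: in the Description cell the `\\.\` device prefix sits in a markdown table cell, where `\\` is an escape and renders as `\.\`; wrap it in backticks so readers see the literal prefix. The sample is also the System process (ProcessId 4) reading \Device\HarddiskVolume2, which is routine kernel activity, so a note that this is a baseline sample rather than suspicious behaviour would help whoever copies it into a test.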

@ -0,0 +1,55 @@
| Title | DN_0014_10_windows_sysmon_ProcessAccess |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The process accessed event reports when a process opens another process, an operation thats often followed by information queries or reading and writing the address space of the target process |
| **Logging Policy** | <ul><li>[LP0007_windows_sysmon_ProcessAccess](../Logging_Policies/LP0007_windows_sysmon_ProcessAccess.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>SourceProcessGUID</li><li>SourceProcessId</li><li>SourceThreadId</li><li>SourceImage</li><li>TargetProcessGUID</li><li>TargetProcessId</li><li>TargetImage</li><li>GrantedAccess</li><li>CallTrace</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>10</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>10</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T14:28:35.216091900Z" />
<EventRecordID>42444</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-30 14:28:35.212</Data>
<Data Name="SourceProcessGUID">{9683FBB1-B470-5C51-0000-0010521EBB00}</Data>
<Data Name="SourceProcessId">6916</Data>
<Data Name="SourceThreadId">8080</Data>
<Data Name="SourceImage">C:\Users\user1\Desktop\mimi\x64\mimikatz.exe</Data>
<Data Name="TargetProcessGUID">{9683FBB1-9A52-5C51-0000-0010C3610000}</Data>
<Data Name="TargetProcessId">672</Data>
<Data Name="TargetImage">C:\windows\system32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1010</Data>
<Data Name="CallTrace">C:\windows\SYSTEM32\ntdll.dll+9a3c4|C:\windows\System32\KERNELBASE.dll+2fd5d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a906|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7ac75|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+7a82d|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d28c|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4d0c4|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+4cea1|C:\Users\user1\Desktop\mimi\x64\mimikatz.exe+80675|C:\windows\System32\KERNEL32.DLL+13034|C:\windows\SYSTEM32\ntdll.dll+71471</Data>
</EventData>
</Event>
```
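Review bot: typo in the Description cell, "thats" should be "that's". The Logging Policy link target is LP0007_windows_sysmon_ProcessAccess, with no underscore after LP, whereas the DN titles in this commit use DN_0014 style; please confirm the policy file really carries that name, because a broken relative link fails silently once the markdown is rendered (the same naming question applies to the LP0008, LP0009, LP0010, LP0025 and LP0026 links further down). The sample (mimikatz.exe opening lsass.exe with GrantedAccess 0x1010) is a good one; the description could say that GrantedAccess and CallTrace are the fields a detection rule on this event keys on, since the Fields list names them without comment.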

@ -0,0 +1,51 @@
| Title | DN_0015_11_windows_sysmon_FileCreate |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection |
| **Logging Policy** | <ul><li>[LP0008_windows_sysmon_FileCreate](../Logging_Policies/LP0008_windows_sysmon_FileCreate.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>11</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>11</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T15:08:51.296611700Z" />
<EventRecordID>42528</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-30 15:08:51.287</Data>
<Data Name="ProcessGuid">{9683FBB1-9A3F-5C51-0000-0010EB030000}</Data>
<Data Name="ProcessId">4</Data>
<Data Name="Image">System</Data>
<Data Name="TargetFilename">C:\Windows\PSEXESVC.exe</Data>
<Data Name="CreationUtcTime">2019-01-30 15:08:51.287</Data>
</EventData>
</Event>
```
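Review bot: the sample shows C:\Windows\PSEXESVC.exe being created with Image set to System and ProcessId 4, which is what a file written remotely over an SMB admin share looks like in this event; the description should say that for such files the Image field names the kernel rather than the tool that pushed the file, so rules on this event need to key on TargetFilename (and correlate with the network or logon events) rather than on Image.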

@ -0,0 +1,51 @@
| Title | DN_0016_12_windows_sysmon_RegistryEvent |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90012)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-12.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>12</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>12</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T17:05:28.027841800Z" />
<EventRecordID>42938</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">DeleteKey</Data>
<Data Name="UtcTime">2019-01-30 17:05:28.023</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Key #1</Data>
</EventData>
</Event>
```

@ -0,0 +1,52 @@
| Title | DN_0017_13_windows_sysmon_RegistryEvent |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90013)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-13.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li><li>Details</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>13</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T17:06:11.698273500Z" />
<EventRecordID>42943</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">SetValue</Data>
<Data Name="UtcTime">2019-01-30 17:06:11.673</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\New Value #1</Data>
<Data Name="Details">C:\Program Files\Sublime Text 3\sublime_text.exe</Data>
</EventData>
</Event>
```
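Review bot: the Description says the event records the value written only for DWORD and QWORD values, but the sample's Details field carries a string (C:\Program Files\Sublime Text 3\sublime_text.exe written to a RunOnce value), so the description and the sample disagree; reword the description to say that string values are recorded as well, or pick a sample that matches it. "This Registry event type" is also an odd opening for a description; name the operation (SetValue) the way the sample's EventType does.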

@ -0,0 +1,52 @@
| Title | DN_0018_14_windows_sysmon_RegistryEvent |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90014)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-14.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetObject</li><li>NewName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>14</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>14</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-30T18:16:38.889738400Z" />
<EventRecordID>43065</EventRecordID>
<Correlation />
<Execution ProcessID="3892" ThreadID="5724" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">RenameKey</Data>
<Data Name="UtcTime">2019-01-30 18:16:38.886</Data>
<Data Name="ProcessGuid">{9683FBB1-D812-5C51-0000-0010F3871201}</Data>
<Data Name="ProcessId">10396</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #1</Data>
<Data Name="NewName">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New Key #2</Data>
</EventData>
</Event>
```

@ -0,0 +1,52 @@
| Title | DN_0019_15_windows_sysmon_FileCreateStreamHash |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-15.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>Image</li><li>TargetFilename</li><li>CreationUtcTime</li><li>Hash</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>15</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>15</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-01-21T12:43:53.385072700Z" />
<EventRecordID>34115</EventRecordID>
<Correlation />
<Execution ProcessID="2052" ThreadID="4092" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-01-21 12:43:53.368</Data>
<Data Name="ProcessGuid">{9683FBB1-A860-5C45-0000-0010274F1400}</Data>
<Data Name="ProcessId">6604</Data>
<Data Name="Image">C:\windows\Explorer.EXE</Data>
<Data Name="TargetFilename">C:\Users\user1\Downloads\wce_v1_42beta_x64\wce.exe</Data>
<Data Name="CreationUtcTime">2013-11-11 22:41:40.000</Data>
<Data Name="Hash">MD5=CCF1D1573F175299ADE01C07791A6541,SHA256=68A15A34C2E28B9B521A240B948634617D72AD619E3950BC6DC769E60A0C3CF2</Data>
</EventData>
</Event>
```
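Review bot: the sample's CreationUtcTime (2013-11-11) is six years earlier than its UtcTime (2019-01-21); one sentence in the description explaining that CreationUtcTime is the creation timestamp of the file the stream is attached to (here wce.exe, which kept its own timestamp rather than the time the stream was added) would stop readers from taking it for a clock problem, and would point out that this pair of timestamps is useful in rules.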

@ -0,0 +1,51 @@
| Title | DN_0020_17_windows_sysmon_PipeEvent |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates when a named pipe is created. Malware often uses named pipes for interprocess communication |
| **Logging Policy** | <ul><li>[LP0009_windows_sysmon_PipeEvent](../Logging_Policies/LP0009_windows_sysmon_PipeEvent.md)</li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>PipeName</li><li>Image</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>17</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>17</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-07-09T04:21:40.086214400Z" />
<EventRecordID>14921</EventRecordID>
<Correlation />
<Execution ProcessID="1540" ThreadID="3456" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">CreatePipe</Data>
<Data Name="UtcTime">2019-07-09 04:21:39.850</Data>
<Data Name="ProcessGuid">{717CFEC0-1651-5D24-0000-00109AFB3E00}</Data>
<Data Name="ProcessId">5624</Data>
<Data Name="PipeName">\mojo.5624.7020.12775972776436680360</Data>
<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
</EventData>
</Event>
```

@ -0,0 +1,51 @@
| Title | DN_0021_18_windows_sysmon_PipeEvent |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event logs when a named pipe connection is made between a client and a server |
| **Logging Policy** | <ul><li>[LP0009_windows_sysmon_PipeEvent](../Logging_Policies/LP0009_windows_sysmon_PipeEvent.md)</li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>EventType</li><li>UtcTime</li><li>ProcessGuid</li><li>ProcessId</li><li>PipeName</li><li>Image</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>18</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-07-09T04:22:41.815238100Z" />
<EventRecordID>15894</EventRecordID>
<Correlation />
<Execution ProcessID="1540" ThreadID="3456" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">ConnectPipe</Data>
<Data Name="UtcTime">2019-07-09 04:22:41.814</Data>
<Data Name="ProcessGuid">{717CFEC0-1691-5D24-0000-0010663D4100}</Data>
<Data Name="ProcessId">6376</Data>
<Data Name="PipeName">\crashpad_5624_JOJRKPKWKSIWYAIJ</Data>
<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
</EventData>
</Event>
```

@ -0,0 +1,52 @@
| Title | DN_0022_19_windows_sysmon_WmiEvent |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression |
| **Logging Policy** | <ul><li>[LP0010_windows_sysmon_WmiEvent](../Logging_Policies/LP0010_windows_sysmon_WmiEvent.md)</li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>EventType</li><li>Operation</li><li>User</li><li>EventNamespace</li><li>Name</li><li>Query</li><li>RuleName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>19</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>19</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.434534600Z" />
<EventRecordID>46712</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiFilterEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.432</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="EventNamespace">"root\\CimV2"</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Query">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"</Data>
</EventData>
</Event>
```

@ -0,0 +1,52 @@
| Title | DN_0023_20_windows_sysmon_WmiEvent |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event logs the registration of WMI consumers, recording the consumer name, log, and destination |
| **Logging Policy** | <ul><li>[LP0010_windows_sysmon_WmiEvent](../Logging_Policies/LP0010_windows_sysmon_WmiEvent.md)</li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>EventType</li><li>Operation</li><li>User</li><li>Name</li><li>Type</li><li>Destination</li><li>RuleName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>20</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>20</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:42.518512400Z" />
<EventRecordID>46713</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiConsumerEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:42.510</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Name">"AtomicRedTeam-WMIPersistence-Example"</Data>
<Data Name="Type">Command Line</Data>
<Data Name="Destination">"C:\\windows\\System32\\notepad.exe"</Data>
</EventData>
</Event>
```
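Review bot: the Description says the event records "the consumer name, log, and destination", but the Fields list has Name, Type and Destination and the sample's Type is "Command Line"; "log" looks like a transcription of the upstream wording and does not match any field, so "type" is the word that fits the table and the sample.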

@ -0,0 +1,51 @@
| Title | DN_0024_21_windows_sysmon_WmiEvent |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | When a consumer binds to a filter, this event logs the consumer name and filter path |
| **Logging Policy** | <ul><li>[LP0010_windows_sysmon_WmiEvent](../Logging_Policies/LP0010_windows_sysmon_WmiEvent.md)</li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>EventType</li><li>Operation</li><li>User</li><li>Consumer</li><li>RuleName</li><li>Filter</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>21</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>21</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T14:44:47.091658300Z" />
<EventRecordID>46714</EventRecordID>
<Correlation />
<Execution ProcessID="3172" ThreadID="444" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="EventType">WmiBindingEvent</Data>
<Data Name="UtcTime">2019-02-05 14:44:47.087</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">atc-win-10\user1</Data>
<Data Name="Consumer">"\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
<Data Name="Filter">"\\\\.\\ROOT\\subscription:__EventFilter.Name=\"AtomicRedTeam-WMIPersistence-Example\""</Data>
</EventData>
</Event>
```

@ -0,0 +1,59 @@
| Title | DN_0026_5136_windows_directory_service_object_was_modified |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | A directory service object was modified |
| **Logging Policy** | <ul><li>[LP0025_windows_audit_directory_service_changes](../Logging_Policies/LP0025_windows_audit_directory_service_changes.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>OpCorrelationID</li><li>AppCorrelationID</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>DSName</li><li>DSType</li><li>ObjectDN</li><li>ObjectGUID</li><li>ObjectClass</li><li>AttributeLDAPDisplayName</li><li>AttributeSyntaxOID</li><li>AttributeValue</li><li>OperationType</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T17:36:04.129472600Z" />
<EventRecordID>410204</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4020" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{02647639-8626-43CE-AFE6-7AA1AD657739}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">CN=Sergey,CN=Builtin,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{4FE80A66-5F93-4F73-B215-68678058E613}</Data>
<Data Name="ObjectClass">user</Data>
<Data Name="AttributeLDAPDisplayName">userAccountControl</Data>
<Data Name="AttributeSyntaxOID">2.5.5.9</Data>
<Data Name="AttributeValue">512</Data>
<Data Name="OperationType">%%14675</Data>
</EventData>
</Event>
```
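Review bot: the Logging Policy cell links `LP0025_windows_audit_directory_service_changes`, while this file's own id is written `DN_0026_...` (underscore after the prefix); please confirm the target `../Logging_Policies/LP0025_windows_audit_directory_service_changes.md` exists under exactly that name, because a prefix mismatch leaves a dead link in the rendered docs.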

View File

@ -0,0 +1,70 @@
| Title | DN_0027_4738_user_account_was_changed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | User object is changed |
| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>TargetUserName</li><li>Hostname</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li><li>SamAccountName</li><li>DisplayName</li><li>UserPrincipalName</li><li>HomeDirectory</li><li>HomePath</li><li>ScriptPath</li><li>ProfilePath</li><li>UserWorkstations</li><li>PasswordLastSet</li><li>AccountExpires</li><li>PrimaryGroupId</li><li>AllowedToDelegateTo</li><li>OldUacValue</li><li>NewUacValue</li><li>UserAccountControl</li><li>UserParameters</li><li>SidHistory</li><li>LogonHours</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" />
<EventRecordID>175413</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>
```
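Review bot: the Description cell reads "User object is changed", which is terser than the event name carried in the Title (`user_account_was_changed`); suggest "A user account was changed" so the table matches the referenced event-4738 doc. It would also help readers to state that `OldUacValue`/`NewUacValue` (here `0x15` -> `0x211`, resolved as `%%2050 %%2089` in `UserAccountControl`) are the fields a detection compares, since the other attribute fields in the sample are all `-`.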

View File

@ -0,0 +1,50 @@
| Title | DN_0028_4794_directory_services_restore_mode_admin_password_set |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Directory Services Restore Mode (DSRM) administrator password is changed |
| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>Workstation</li><li>Status</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4794</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T02:49:26.087748900Z" />
<EventRecordID>172348</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="2964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36f67</Data>
<Data Name="Workstation">DC01</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,60 @@
| Title | DN_0029_4661_handle_to_an_object_was_requested |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | A handle was requested for either an Active Directory object or a Security Account Manager (SAM) object |
| **Logging Policy** | <ul><li>[LP0027_windows_audit_directory_service_access](../Logging_Policies/LP0027_windows_audit_directory_service_access.md)</li><li>[LP0028_windows_audit_sam](../Logging_Policies/LP0028_windows_audit_sam.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>ObjectType</li><li>ObjectName</li><li>HandleId</li><li>TransactionId</li><li>AccessList</li><li>AccessMask</li><li>PrivilegeList</li><li>Properties</li><li>RestrictedSidCount</li><li>ProcessId</li><li>ProcessName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4661</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
<EventRecordID>1048009</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="528" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4280e</Data>
<Data Name="ObjectServer">Security Account Manager</Data>
<Data Name="ObjectType">SAM\_DOMAIN</Data>
<Data Name="ObjectName">DC=contoso,DC=local</Data>
<Data Name="HandleId">0xdd64d36870</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%5400</Data>
<Data Name="AccessMask">0x2d</Data>
<Data Name="PrivilegeList">Ā</Data>
<Data Name="Properties">-</Data>
<Data Name="RestrictedSidCount">2949165</Data>
<Data Name="ProcessId">0x9000a000d002d</Data>
<Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data>
</EventData>
</Event>
```
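Review bot: the References link points at `event-4794.md` (the DSRM password event) instead of `event-4661.md` for this 4661 entry; same base URL, only the file name needs changing. Separately, the EventData in the raw sample looks shifted from `PrivilegeList` onwards (`PrivilegeList` = `Ā`, `RestrictedSidCount` = `2949165`, `ProcessId` = `0x9000a000d002d`, and `ProcessName` holding schema GUIDs plus `%%5400`), which does not match the field names; consider re-capturing the sample from a lab DC so the field/value pairing is usable for parser testing.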

View File

@ -0,0 +1,58 @@
| Title | DN_0030_4662_operation_was_performed_on_an_object |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | An operation was performed on an Active Directory object |
| **Logging Policy** | <ul><li>[LP0027_windows_audit_directory_service_access](../Logging_Policies/LP0027_windows_audit_directory_service_access.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>ObjectType</li><li>ObjectName</li><li>OperationType</li><li>HandleId</li><li>AccessList</li><li>AccessMask</li><li>Properties</li><li>AdditionalInfo</li><li>AdditionalInfo2</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" />
<EventRecordID>407230</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="600" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35867</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%1537</Data>
<Data Name="AccessMask">0x10000</Data>
<Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2" />
</EventData>
</Event>
```

View File

@ -0,0 +1,47 @@
| Title | DN_0031_7036_service_started_stopped |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Service entered the running/stopped state |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm](http://www.eventid.net/display-eventid-7036-source-Service%20Control%20Manager-eventno-1529-phase-1.htm)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | System |
| **Provider** | Service Control Manager |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>param1</li><li>param2</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
- <System>
<Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/>
<EventID Qualifiers='16384'>7036</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime='2019-01-12T16:00:11.920020600Z'/>
<EventRecordID>41452</EventRecordID>
<Correlation/>
<Execution ProcessID='692' ThreadID='828'/>
<Channel>System</Channel>
<Computer>EC2AMAZ-D6OFVS8</Computer>
<Security/>
</System>
- <EventData>
<Data Name='param1'>Device Install Service</Data>
<Data Name='param2'>running</Data>
<Binary>44006500760069006300650049006E007300740061006C006C002F0034000000</Binary>
</EventData>
</Event>
```

View File

@ -0,0 +1,57 @@
| Title | DN_0032_5145_network_share_object_was_accessed_detailed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Network share object (file or folder) was accessed. Detailed log with AccessReason and RelativeTargetName |
| **Logging Policy** | <ul><li>[LP0029_windows_audit_detailed_file_share](../Logging_Policies/LP0029_windows_audit_detailed_file_share.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectType</li><li>IpAddress</li><li>IpPort</li><li>ShareName</li><li>ShareLocalPath</li><li>RelativeTargetName</li><li>AccessMask</li><li>AccessList</li><li>AccessReason</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5145</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12811</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
<EventRecordID>267092</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d34</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
<Data Name="IpPort">56926</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="RelativeTargetName">Bginfo.exe</Data>
<Data Name="AccessMask">0x100081</Data>
<Data Name="AccessList">%%1541 %%4416 %%4423</Data>
<Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
</EventData>
</Event>
```
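Review bot: `ShareName` and `ShareLocalPath` in the raw sample are written with markdown escaping (`\\\\\*\\Documents`, `\\??\\C:\\Documents`) inside a fenced code block, where backslashes are rendered literally, so the sample shows doubled backslashes and a literal `\*`; the event actually records `\\*\Documents` and `\??\C:\Documents`. Suggest writing the plain values, since a rule matching `ShareName` against the escaped form would never fire.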

View File

@ -0,0 +1,55 @@
| Title | DN_0033_5140_network_share_object_was_accessed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Network share object (file or folder) was accessed |
| **Logging Policy** | <ul><li>[LP0030_windows_audit_file_share](../Logging_Policies/LP0030_windows_audit_file_share.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectType</li><li>IpAddress</li><li>IpPort</li><li>ShareName</li><li>ShareLocalPath</li><li>AccessMask</li><li>AccessList</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5140</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:45:13.581231400Z" />
<EventRecordID>268495</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="772" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x541f35</Data>
<Data Name="ObjectType">File</Data>
<Data Name="IpAddress">10.0.0.100</Data>
<Data Name="IpPort">49212</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">\\??\\C:\\Documents</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="AccessList">%%4416</Data>
</EventData>
</Event>
```
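Review bot: same escaping problem as in the 5145 sample: `ShareName` (`\\\\\*\\Documents`) and `ShareLocalPath` (`\\??\\C:\\Documents`) are markdown-escaped inside a code fence, which renders them literally; the recorded values are `\\*\Documents` and `\??\C:\Documents`, so please write those.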

View File

@ -0,0 +1,50 @@
| Title | DN_0034_104_log_file_was_cleared |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Windows log file was cleared |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[http://kb.eventtracker.com/evtpass/evtpages/EventId_104_Microsoft-Windows-Eventlog_64337.asp](http://kb.eventtracker.com/evtpass/evtpages/EventId_104_Microsoft-Windows-Eventlog_64337.asp)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | System |
| **Provider** | Microsoft-Windows-Eventlog |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>Channel</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>104</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-08T22:31:47.796843000Z" />
<EventRecordID>7659</EventRecordID>
<Correlation />
<Execution ProcessID="752" ThreadID="1988" />
<Channel>System</Channel>
<Computer>ATC-WIN-7.atc.local</Computer>
<Security UserID="S-1-5-21-3463664321-2923530833-3546627382-1000" />
</System>
- <UserData>
- <LogFileCleared xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<SubjectUserName>user1</SubjectUserName>
<SubjectDomainName>ATC-WIN-7.atc.local</SubjectDomainName>
<Channel>Application</Channel>
<BackupPath />
</LogFileCleared>
</UserData>
</Event>
```
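Review bot: the listed Fields `SubjectUserName`, `SubjectDomainName` and `Channel` live under `UserData/LogFileCleared` in this event rather than under `EventData` as in the other Data Needed entries, and the actor SID appears only as the `Security UserID` attribute in the System block; worth stating this in the Description so that field extraction for this source is configured for the UserData path. The sample also carries an empty `BackupPath`, which is absent from the Fields list and would be a useful field to keep (a non-empty value means the log was backed up before clearing).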

View File

@ -0,0 +1,46 @@
| Title | DN_0035_106_task_scheduler_task_registered |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | General Windows Task Registration |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774938(v=ws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774938(v=ws.10))</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-TaskScheduler/Operational |
| **Provider** | Microsoft-Windows-TaskScheduler |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>TaskName</li><li>UserContext</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-TaskScheduler" Guid="{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}" />
<EventID>106</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>106</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-08T22:54:14.628673400Z" />
<EventRecordID>5</EventRecordID>
<Correlation />
<Execution ProcessID="908" ThreadID="2440" />
<Channel>Microsoft-Windows-TaskScheduler/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData Name="TaskRegisteredEvent">
<Data Name="TaskName">\atctest</Data>
<Data Name="UserContext">atc-win-10.atc.local\user1</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,49 @@
| Title | DN_0036_4104_windows_powershell_script_block |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event records script |
| **Logging Policy** | <ul><li>[LP0109_windows_powershell_script_block_logging](../Logging_Policies/LP0109_windows_powershell_script_block_logging.md)</li></ul> |
| **References** | <ul><li>[https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4104.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4104.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-PowerShell/Operational |
| **Provider** | Microsoft-Windows-PowerShell |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>MessageNumber</li><li>MessageTotal</li><li>ScriptBlockText</li><li>ScriptBlockId</li><li>Path</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-PowerShell" Guid="{A0C1853B-5C40-4B15-8766-3CF1C58F985A}" />
<EventID>4104</EventID>
<Version>1</Version>
<Level>5</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2019-02-05T15:05:16.554318000Z" />
<EventRecordID>75823</EventRecordID>
<Correlation ActivityID="{3655DBA0-BD54-0000-AE51-563654BDD401}" />
<Execution ProcessID="2588" ThreadID="4328" />
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-21-540864798-2899685673-3651185163-500" />
</System>
- <EventData>
<Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; EventNameSpace='root\CimV2'; QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs $FilterToConsumerArgs = @{ Filter = [Ref] $Filter; Consumer = [Ref] $Consumer; } $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs</Data>
<Data Name="ScriptBlockId">414c1110-3b57-40bf-9502-e45053cce9dd</Data>
<Data Name="Path" />
</EventData>
</Event>
```
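Review bot: the Description cell ends mid-thought ("This event records script"); suggest completing it, e.g. "This event records the text of each executed script block", and noting that long script blocks are split across several 4104 events, which is what the listed `MessageNumber`/`MessageTotal` fields are for (the sample is message `1` of `1`). A detection that searches `ScriptBlockText` needs to reassemble fragments by `ScriptBlockId`, so stating it here saves readers a surprise.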

View File

@ -0,0 +1,47 @@
| Title | DN_0037_4103_windows_powershell_executing_pipeline |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event records pipeline execution, including variable initialization and command command invocations. |
| **Logging Policy** | <ul><li>[LP0108_windows_powershell_module_logging](../Logging_Policies/LP0108_windows_powershell_module_logging.md)</li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4103.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4103.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-PowerShell/Operational |
| **Provider** | Microsoft-Windows-PowerShell |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>ContextInfo</li><li>UserData</li><li>Payload</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-PowerShell" Guid="{A0C1853B-5C40-4B15-8766-3CF1C58F985A}" />
<EventID>4103</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>106</Task>
<Opcode>20</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2019-02-05T15:05:16.564146000Z" />
<EventRecordID>75824</EventRecordID>
<Correlation ActivityID="{3655DBA0-BD54-0000-AF51-563654BDD401}" />
<Execution ProcessID="2588" ThreadID="4328" />
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-21-540864798-2899685673-3651185163-500" />
</System>
- <EventData>
<Data Name="ContextInfo">Severity = Informational Host Name = ConsoleHost Host Version = 5.1.17134.407 Host ID = 3ff2018b-ab29-4049-a62d-851e5ca931ed Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Engine Version = 5.1.17134.407 Runspace ID = 52c750e1-1c34-4244-a6eb-feadfd70a959 Pipeline ID = 90 Command Name = New-CimInstance Command Type = Cmdlet Script Name = Command Path = Sequence Number = 329 User = atc-win-10\user1 Connected User = Shell ID = Microsoft.PowerShell</Data>
<Data Name="UserData" />
<Data Name="Payload">CommandInvocation(New-CimInstance): "New-CimInstance" ParameterBinding(New-CimInstance): name="Namespace"; value="root/subscription" ParameterBinding(New-CimInstance): name="ClassName"; value="__EventFilter" ParameterBinding(New-CimInstance): name="Property"; value="System.Collections.Hashtable"</Data>
</EventData>
</Event>
```
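Review bot: typo in the Description cell, "command command invocations" repeats the word; it should read "command invocations".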

View File

@ -0,0 +1,42 @@
| Title | DN_0038_400_engine_state_is_changed_from_none_to_available |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Information about PowerShell engine state. Engine state is changed from None to Available |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-400.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-400.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Windows PowerShell |
| **Provider** | PowerShell |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="PowerShell" />
<EventID Qualifiers="0">400</EventID>
<Level>4</Level>
<Task>4</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-02-05T15:13:04.885878700Z" />
<EventRecordID>50575</EventRecordID>
<Channel>Windows PowerShell</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security />
</System>
- <EventData>
<Data>Available</Data>
<Data>None</Data>
<Data>NewEngineState=Available PreviousEngineState=None SequenceNumber=13 HostName=Windows PowerShell ISE Host HostVersion=5.1.17134.407 HostId=9478b487-c2ea-4aa8-8eb3-9b7bad25b39f HostApplication=C:\windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe EngineVersion=5.1.17134.407 RunspaceId=9f89fa00-ca26-402e-9dea-29c6d2447f7b PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,43 @@
| Title | DN_0039_524_system_catalog_has_been_deleted |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The System Catalog has been deleted |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[http://kb.eventtracker.com/evtpass/evtpages/EventId_524_Microsoft-Windows-Backup_61998.asp](http://kb.eventtracker.com/evtpass/evtpages/EventId_524_Microsoft-Windows-Backup_61998.asp)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Application |
| **Provider** | Microsoft-Windows-Backup |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Backup" Guid="{1DB28F2E-8F80-4027-8C5A-A11F7F10F62D}" />
<EventID>524</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-07-16T22:38:38.762505900Z" />
<EventRecordID>457</EventRecordID>
<Correlation />
<Execution ProcessID="3476" ThreadID="1732" />
<Channel>Application</Channel>
<Computer>atc-win-2k12.atc.lab</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData />
</Event>
```
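Review bot: the Type cell says `Applications and Services Logs` but the Channel is `Application`, which is one of the classic Windows Logs (DN_0034 above labels the `System` channel as `Windows Log`); suggest `Windows Log` here for consistency with the rest of the set, otherwise collection configs keyed on Type will look for the event in the wrong place.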

View File

@ -0,0 +1,40 @@
| Title | DN_0040_528_user_successfully_logged_on_to_a_computer |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | User successfully logged on to a computer |
| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>UserName</li><li>Domain</li><li>LogonID</li><li>LogonType</li><li>LogonProcess</li><li>AuthenticationPackage</li><li>WorkstationName</li><li>LogonGUID</li><li>CallerUserName</li><li>CallerDomain</li><li>CallerLogonID</li><li>CallerProcessID</li><li>TransitedServices</li><li>SourceNetworkAddress</li><li>SourcePort</li></ul> |
## Log Samples
### Raw Log
```
2019-07-15 21:44:17 ATC AUDIT_SUCCESS 528 ATC\Administrator Successful Logon:
User Name: Administrator
Domain: ATC
Logon ID: (0x0,0x5A53F)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ATC
Logon GUID: -
Caller User Name: ATC$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 380
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 0
```
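Review bot: the Raw Log sample here (and in the 529 and 675 entries that follow) is a flat text export in the form `2019-07-15 21:44:17 ATC AUDIT_SUCCESS 528 ATC\Administrator ...`, unlike the Event XML used by the other samples in this commit, and the Fields row uses normalized names (`SourceNetworkAddress`, `CallerUserName`) that do not appear verbatim in it ("Source Network Address", "Caller User Name"); state which export tool produced the sample so that readers can map its labels onto the listed field names.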

View File

@ -0,0 +1,39 @@
| Title | DN_0041_529_logon_failure |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Logon Failure - Unknown user name or bad password |
| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=529](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=529)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>Reason</li><li>UserName</li><li>Domain</li><li>LogonType</li><li>LogonProcess</li><li>AuthenticationPackage</li><li>WorkstationName</li><li>CallerUserName</li><li>CallerDomain</li><li>CallerLogonID</li><li>CallerProcessID</li><li>TransitedServices</li><li>SourceNetworkAddress</li><li>SourcePort</li></ul> |
## Log Samples
### Raw Log
```
2019-07-15 22:00:20 ATC AUDIT_FAILURE 529 NT AUTHORITY\SYSTEM Logon Failure:
Reason: Unknown user name or bad password
User Name: asdfasd
Domain: ATC
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: ATC
Caller User Name: ATC$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3064
Transited Services: -
Source Network Address: 192.168.88.198
Source Port: 52013
```

View File

@ -0,0 +1,31 @@
| Title | DN_0042_675_kerberos_preauthentication_failed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Kerberos pre-authentication failed |
| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>UserName</li><li>UserID</li><li>UserSid</li><li>ServiceName</li><li>PreAuthenticationType</li><li>FailureCode</li><li>ClientAddress</li></ul> |
## Log Samples
### Raw Log
```
2019-07-18 00:56:03 ATC AUDIT_FAILURE 675 NT AUTHORITY\SYSTEM Pre-authentication failed:
User Name: Administrator
User ID: %{S-1-5-21-3160476663-3818360063-188177334-500}
Service Name: krbtgt/DC
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
```

View File

@ -0,0 +1,46 @@
| Title | DN_0043_770_dns_server_plugin_dll_has_been_loaded |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Windows DNS server plug-in DLL has been loaded |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html](https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | DNS Server |
| **Provider** | Microsoft-Windows-DNS-Server-Service |
| **Fields** | <ul><li>EventID</li><li>Hostname</li><li>Computer</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" />
<EventID>770</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000008000</Keywords>
<TimeCreated SystemTime="2017-05-09T08:54:26.798142300Z" />
<EventRecordID>264</EventRecordID>
<Correlation />
<Execution ProcessID="2312" ThreadID="3068" />
<Channel>DNS Server</Channel>
<Computer>dc1.lab.internal</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData Name="DNS_EVENT_PLUGIN_DLL_LOAD_OK">
<Data Name="param1">\\192.168.0.149\dll\wtf.dll</Data>
<Data Name="param2">dc1.lab.internal</Data>
</EventData>
</Event>
```
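Review bot: the Fields row (`EventID`, `Hostname`, `Computer`) omits the two EventData values that carry the substance of event 770: `param1`, the loaded plug-in DLL path (`\\192.168.0.149\dll\wtf.dll` in the sample), and `param2`, the DNS server name. A rule that flags a plug-in loaded from a UNC or non-standard path needs `param1` as a documented field, so both should be added.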

View File

@ -0,0 +1,55 @@
| Title | DN_0044_1000_application_crashed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This is a very generic error and it doesn't tell much about what caused it. Some applications may fail with this error when the system is left unstable by another faulty program. |
| **Logging Policy** | <ul><li>[none](../Logging_Policies/none.md)</li></ul> |
| **References** | <ul><li>[https://www.morgantechspace.com/2014/12/event-id-1000-application-error.html](https://www.morgantechspace.com/2014/12/event-id-1000-application-error.html)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Application |
| **Provider** | Application Error |
| **Fields** | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>FaultingApplicationName</li><li>FaultingModuleName</li><li>ExceptionCode</li><li>FaultOffset</li><li>FaultingProcessId</li><li>FaultingApplicationStartTime</li><li>FaultingApplicationPath</li><li>FaultingModulePath</li><li>ReportId</li><li>FaultingPackageFullName</li><li>FaultingPackage-relativeApplicationID</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-01-01T15:49:38.973342200Z" />
<EventRecordID>6724</EventRecordID>
<Channel>Application</Channel>
<Computer>WD0000.eu.windows.com</Computer>
<Security />
</System>
- <EventData>
<Data>IntelAudioService.exe</Data>
<Data>1.0.46.0</Data>
<Data>59afa72c</Data>
<Data>KERNELBASE.dll</Data>
<Data>10.0.17134.441</Data>
<Data>428de48c</Data>
<Data>e06d7363</Data>
<Data>000000000003a388</Data>
<Data>1240</Data>
<Data>01d49e823bbf0b3b</Data>
<Data>C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe</Data>
<Data>C:\WINDOWS\System32\KERNELBASE.dll</Data>
<Data>6220b181-a7a0-4c44-9046-d8ce090d3a86</Data>
<Data />
<Data />
</EventData>
</Event>
```
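Review bot: the Logging Policy row links to `../Logging_Policies/none.md`, while the other new entries in this commit that have no policy (DN_0043, DN_0046 to DN_0054) use the plain text `Not existing`; pick one convention, otherwise the rendered index carries a dangling link if `none.md` is not a real file. The last field name, `FaultingPackage-relativeApplicationID`, also keeps a hyphen that every other name in the list drops.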

View File

@ -0,0 +1,62 @@
| Title | DN_0045_1001_windows_error_reporting |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | When application fails, the result is recorded as an informational event in the Application log by Windows Error Reporting as event 1001. |
| **Logging Policy** | <ul><li>[none](../Logging_Policies/none.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754364(v=ws.11)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754364(v=ws.11))</li><li>[https://social.technet.microsoft.com/wiki/contents/articles/3116.event-id-1001-windows-error-reporting.aspx?Sort=MostRecent&PageIndex=1](https://social.technet.microsoft.com/wiki/contents/articles/3116.event-id-1001-windows-error-reporting.aspx?Sort=MostRecent&PageIndex=1)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Application |
| **Provider** | Windows Error Reporting |
| **Fields** | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>EventName</li><li>Response</li><li>CabId</li><li>ProblemSignature</li><li>AttachedFiles</li><li>Thesefilesmaybeavailablehere</li><li>AnalysisSymbol</li><li>RecheckingForSolution</li><li>ReportId</li><li>ReportStatus</li><li>HashedBucket</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Windows Error Reporting" />
<EventID Qualifiers="0">1001</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-01-08T14:01:18.909425000Z" />
<EventRecordID>11279</EventRecordID>
<Channel>Application</Channel>
<Computer>WD00000.eu.windows.com</Computer>
<Security />
</System>
- <EventData>
<Data>2005798148961969216</Data>
<Data>5</Data>
<Data>StoreAgentScanForUpdatesFailure0</Data>
<Data>Not available</Data>
<Data>0</Data>
<Data>Update;</Data>
<Data>8024402c</Data>
<Data>16299</Data>
<Data>847</Data>
<Data>Windows.Desktop</Data>
<Data />
<Data />
<Data />
<Data />
<Data />
<Data>\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER81F.tmp.WERInternalMetadata.xml</Data>
<Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_ba86f388d190af6963dbd95b33715448fcb6fd5_00000000_27442451</Data>
<Data />
<Data>0</Data>
<Data>0885fc8a-5383-4c50-b209-7c570832b8bf</Data>
<Data>268435556</Data>
<Data>e7b725b96c0bab97abd606ca1003a440</Data>
</EventData>
</Event>
```
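Review bot: `Thesefilesmaybeavailablehere` in the Fields row is a fragment of the rendered message text ("These files may be available here:") rather than a field; rename it to whatever the parser actually emits for that value, or drop it. The Description reads better as "When an application fails, the result is recorded ...", and the Logging Policy row has the same `none.md` versus `Not existing` inconsistency as DN_0044.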

View File

@ -0,0 +1,45 @@
| Title | DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The installed server callout .dll file has caused an exception |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10))</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | System |
| **Provider** | Microsoft-Windows-DHCP-Server |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" />
<EventID Qualifiers="0">1031</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-07-11T15:48:53.000000000Z" />
<EventRecordID>551</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>atc-win-2k12</Computer>
<Security />
</System>
- <EventData>
<Data>%Exception details%</Data>
<Binary>7E000000</Binary>
</EventData>
</Event>
```
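Review bot: `<Data>%Exception details%</Data>` in the sample is a message-template placeholder, not a captured value, and `<Binary>7E000000</Binary>` decodes to 0x7E = 126, ERROR_MOD_NOT_FOUND, which is the code behind the "The specified module could not be found." text in the DN_0049 sample rather than an exception-details message. Replace the sample with a captured event 1031, or label it as constructed.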

View File

@ -0,0 +1,45 @@
| Title | DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The installed server callout .dll file has caused an exception |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10))</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | System |
| **Provider** | Microsoft-Windows-DHCP-Server |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" />
<EventID Qualifiers="0">1032</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-07-11T15:48:53.000000000Z" />
<EventRecordID>551</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>atc-win-2k12</Computer>
<Security />
</System>
- <EventData>
<Data>%Exception details%</Data>
<Binary>7E000000</Binary>
</EventData>
</Event>
```
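Review bot: apart from the event ID this file duplicates DN_0046, Description included, and its sample shares `EventRecordID` 551 and `TimeCreated` 2019-07-11T15:48:53.000000000Z with the DN_0046 and DN_0049 samples, so at most one of the three is a real record. Say what distinguishes 1032 from 1031 according to the cited Microsoft page and capture a separate sample, or merge the two entries.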

View File

@ -0,0 +1,46 @@
| Title | DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The DHCP service has successfully loaded one or more callout DLLs |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726937(v%3dws.10))</li><li>[https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html](https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | System |
| **Provider** | Microsoft-Windows-DHCP-Server |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" />
<EventID Qualifiers="0">1033</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-05-10T16:46:59.000000000Z" />
EventRecordID>6653</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>dc1.lab.internal</Computer>
<Security />
</System>
- <EventData>
<Data>Der Vorgang wurde erfolgreich beendet.</Data>
<Binary>00000000</Binary>
</EventData>
</Event>
```
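Review bot: the sample line `EventRecordID>6653</EventRecordID>` is missing its opening `<`, which makes the XML unparseable for anyone who feeds the sample to a parser. Type is `Applications and Services Logs` although the Channel is `System` and the sibling DHCP entries (DN_0046, DN_0047, DN_0049) use `Windows Log` for the same channel. The Data value `Der Vorgang wurde erfolgreich beendet.` is the German-localized ERROR_SUCCESS text (matching `<Binary>00000000</Binary>`), worth stating so that nobody writes a rule that matches on the English string only.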

View File

@ -0,0 +1,45 @@
| Title | DN_0049_1034_dhcp_service_failed_to_load_callout_dlls |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The DHCP service has failed to load one or more callout DLLs |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774858(v=ws.10)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774858(v=ws.10))</li><li>[https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html](https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | System |
| **Provider** | Microsoft-Windows-DHCP-Server |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" />
<EventID Qualifiers="0">1034</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-07-11T15:48:53.000000000Z" />
<EventRecordID>551</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>atc-win-2k12</Computer>
<Security />
</System>
- <EventData>
<Data>The specified module could not be found.</Data>
<Binary>7E000000</Binary>
</EventData>
</Event>
```

View File

@ -0,0 +1,50 @@
| Title | DN_0050_1102_audit_log_was_cleared |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Event 1102 is created whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Eventlog |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-16T00:39:58.656871200Z" />
<EventRecordID>1087729</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="2644" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <UserData>
- <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<SubjectUserSid>S-1-5-21-3457937927-2839227994-823803824-1104</SubjectUserSid>
<SubjectUserName>dadmin</SubjectUserName>
<SubjectDomainName>CONTOSO</SubjectDomainName>
<SubjectLogonId>0x55cd1d</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>
```
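Review bot: the listed fields (`SubjectUserSid`, `SubjectUserName`, `SubjectDomainName`, `SubjectLogonId`) sit under `UserData/LogFileCleared`, not under `EventData` as in every other Windows sample in this commit; a note in the Description would save rule authors from the common mistake of looking for them in the EventData section, which parsers typically flatten into a different key than UserData.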

View File

@ -0,0 +1,55 @@
| Title | DN_0051_1121_attack_surface_reduction_blocking_mode_event |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Event generated when an attack surface reduction rule fires in block mode |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **Mitigation Policy** |<ul><li>[MP_0001_windows_asr_block_credential_stealing_from_lsass](../Mitigation_Policies/MP_0001_windows_asr_block_credential_stealing_from_lsass.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/d0a832b119a518a2c6b5f19ffd9dc44f0328c9a6/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/d0a832b119a518a2c6b5f19ffd9dc44f0328c9a6/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Windows Defender/Operational |
| **Provider** | Microsoft-Windows-Windows Defender |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>ProductName</li><li>ProductVersion</li><li>Unused</li><li>RuleID</li><li>ASR_RuleID</li><li>DetectionTime</li><li>User</li><li>Path</li><li>ProcessName</li><li>SecurityintelligenceVersion</li><li>EngineVersion</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
<EventID>1121</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-07-29T12:13:55.890328700Z" />
<EventRecordID>66</EventRecordID>
<Correlation />
<Execution ProcessID="2896" ThreadID="6928" />
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>ATC-WIN-10</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="Product Name">%%827</Data>
<Data Name="Product Version">4.18.1907.4</Data>
<Data Name="Unused" />
<Data Name="ID">9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2</Data>
<Data Name="Detection Time">2019-07-29T12:13:55.890Z</Data>
<Data Name="User">ATC-WIN-10\yugoslavskiy</Data>
<Data Name="Path">C:\Windows\System32\lsass.exe</Data>
<Data Name="Process Name">C:\Program Files (x86)\GUM7534.tmp\GoogleUpdate.exe</Data>
<Data Name="Security intelligence Version">1.299.756.0</Data>
<Data Name="Engine Version">1.1.16200.1</Data>
</EventData>
</Event>
```
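Review bot: the Fields row lists both `RuleID` and `ASR_RuleID`, but the sample's element is `Data Name="ID"`, so it is unclear which name the parser produces and why two are listed; `SecurityintelligenceVersion` should also be `SecurityIntelligenceVersion` to match the other CamelCase names. A line in the Description saying that `Path` is the protected target (`C:\Windows\System32\lsass.exe` in the sample, matching the linked lsass mitigation policy) and `Process Name` the process that was blocked would prevent the two from being swapped in a rule.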

View File

@ -0,0 +1,46 @@
| Title | DN_0052_2003_query_to_load_usb_drivers |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Host Process has been asked to load drivers for USB device |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/](https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-DriverFrameworks-UserMode/Operational |
| **Provider** | Microsoft-Windows-DriverFrameworks-UserMode |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>UMDFHostDeviceArrivalBegin</li><li>lifetime</li><li>instance</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}" />
<EventID>2003</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>33</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-07-22T21:01:03.421562800Z" />
<EventRecordID>65</EventRecordID>
<Correlation />
<Execution ProcessID="5420" ThreadID="4108" />
<Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
<Computer>ALPHA</Computer>
<Security UserID="S-1-5-19" />
</System>
- <UserData>
- <UMDFHostDeviceArrivalBegin instance="SWD\WPDBUSENUM\_??_USBSTOR#DISK&amp;VEN_LEXAR&amp;PROD_DIGITAL_FILM&amp;REV_#W1.#______________0302080000002D74AE7900000000000&amp;0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}" lifetime="{5B5CB3FD-BDA8-42E0-8DCD-50A1FD1FA199}" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
</UMDFHostDeviceArrivalBegin>
</UserData>
</Event>
```

View File

@ -0,0 +1,53 @@
| Title | DN_0053_2100_pnp_or_power_operation_for_usb_device |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Received a Pnp or Power operation for USB device |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/](https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-DriverFrameworks-UserMode/Operational |
| **Provider** | Microsoft-Windows-DriverFrameworks-UserMode |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>UMDFHostDeviceRequest</li><li>lifetime</li><li>instance</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}" />
<EventID>2100</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>37</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-07-08T19:59:02.925841500Z" />
<EventRecordID>240</EventRecordID>
<Correlation />
<Execution ProcessID="2012" ThreadID="2496" />
<Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
<Computer>DavidClient</Computer>
<Security UserID="S-1-5-19" />
</System>
- <UserData>
- <UMDFHostDeviceRequest instance="SWD\WPDBUSENUM\{72D37FD9-05B1-11E6-8253-001A7DDA7113}#0000000000007E00" lifetime="{9A4B17EA-9EC2-4A46-BE0B-480915F9A030}" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
- <Request major="22" minor="2">
<Argument>0x51100</Argument>
<Argument>0x200000001</Argument>
<Argument>0x0</Argument>
<Argument>0x0</Argument>
</Request>
<Status>3221225659</Status>
</UMDFHostDeviceRequest>
</UserData>
</Event>
```
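Review bot: the Fields row omits the `Request` element's `major`/`minor` attributes and the `Status` value, which are the parts of this event a rule would match on; the same applies to the 2102 entry (DN_0054) that follows. `Status` is an NTSTATUS written in decimal (3221225659 = 0xC00000BB), and documenting that saves a rule author from matching the wrong representation.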

View File

@ -0,0 +1,53 @@
| Title | DN_0054_2102_pnp_or_power_operation_for_usb_device |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Finished PnP or Power operation for USB device |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/](https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-DriverFrameworks-UserMode/Operational |
| **Provider** | Microsoft-Windows-DriverFrameworks-UserMode |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>UMDFHostDeviceRequest</li><li>lifetime</li><li>instance</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2e35aaeb-857f-4beb-a418-2e6c0e54d988}" />
<EventID>2102</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>37</Task>
<Opcode>2</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2010-08-26T17:53:04.155Z" />
<EventRecordID>201772</EventRecordID>
<Correlation />
<Execution ProcessID="3176" ThreadID="3236" />
<Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
<Computer>Sal</Computer>
<Security UserID="S-1-5-19" />
</System>
- <UserData>
- <UMDFHostDeviceRequest lifetime="{0A5BFD5B-1FC3-4985-9A2B-955F2D65E42F}" instance="WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#920321111113&3#" xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
- <Request major="22" minor="3">
<Argument>0x0</Argument>
<Argument>0x6</Argument>
<Argument>0x6</Argument>
<Argument>0x0</Argument>
</Request>
<Status>3221225659</Status>
</UMDFHostDeviceRequest>
</UserData>
</Event>
```

View File

@ -0,0 +1,24 @@
| Title | DN_0054_linux_auditd_execve |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Linux auditd log of process (binary) execution (execeve syscall) with command line arguments |
| **Logging Policy** | <ul><li>[LP0031_linux_auditd_execve](../Logging_Policies/LP0031_linux_auditd_execve.md)</li></ul> |
| **References** | <ul><li>[https://github.com/linux-audit/audit-documentation](https://github.com/linux-audit/audit-documentation)</li><li>[https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv](https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv)</li><li>[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference)</li></ul> |
| **Platform** | Linux |
| **Type** | EXECVE |
| **Channel** | auditd |
| **Provider** | auditd |
| **Fields** | <ul><li>type</li><li>msg</li><li>argc</li><li>a0</li><li>a1</li><li>a2</li><li>a3</li></ul> |
## Log Samples
### Raw Log
```
type=EXECVE msg=audit(1564425065.452:651): argc=3 a0="ls" a1="-l" a2="/var/lib/pgsql"
```
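Review bot: the ID `DN_0054` is already used by `DN_0054_2102_pnp_or_power_operation_for_usb_device` earlier in this commit, and since other documents reference Data Needed entries by this ID the collision makes cross-references ambiguous; renumber this file to the next free ID. `execeve` in the Description should be `execve`.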

View File

@ -0,0 +1,25 @@
| Title | DN_0055_linux_auditd_read_access_to_file |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Linux auditd log of read access to file |
| **Logging Policy** | <ul><li>[LP0034_linux_auditd_read_access_to_file](../Logging_Policies/LP0034_linux_auditd_read_access_to_file.md)</li></ul> |
| **References** | <ul><li>[https://github.com/linux-audit/audit-documentation](https://github.com/linux-audit/audit-documentation)</li><li>[https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv](https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv)</li><li>[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference)</li></ul> |
| **Platform** | Linux |
| **Type** | PATH |
| **Channel** | auditd |
| **Provider** | auditd |
| **Fields** | <ul><li>type</li><li>msg</li><li>item</li><li>name</li><li>inode</li><li>dev</li><li>mode</li><li>ouid</li><li>ogid</li><li>rdev</li><li>obj</li><li>objtype</li><li>cap_fp</li><li>cap_fi</li><li>cap_fe</li><li>cap_fver</li></ul> |
## Log Samples
### Raw Log
```
type=PATH msg=audit(1564423065.282:742): item=0 name="/etc/passwd" inode=24673227 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
```

View File

@ -0,0 +1,25 @@
| Title | DN_0056_linux_auditd_syscall |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Linux auditd log of specific system call (syscall) |
| **Logging Policy** | <ul><li>[LP0033_linux_auditd_syscall](../Logging_Policies/LP0033_linux_auditd_syscall.md)</li></ul> |
| **References** | <ul><li>[https://github.com/linux-audit/audit-documentation](https://github.com/linux-audit/audit-documentation)</li><li>[https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv](https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv)</li><li>[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference)</li><li>[https://access.redhat.com/solutions/36278](https://access.redhat.com/solutions/36278)</li><li>[https://filippo.io/linux-syscall-table/](https://filippo.io/linux-syscall-table/)</li></ul> |
| **Platform** | Linux |
| **Type** | SYSCALL |
| **Channel** | auditd |
| **Provider** | auditd |
| **Fields** | <ul><li>type</li><li>msg</li><li>arch</li><li>syscall</li><li>success</li><li>exit</li><li>a0</li><li>a1</li><li>a2</li><li>a3</li><li>items</li><li>ppid</li><li>pid</li><li>auid</li><li>uid</li><li>gid</li><li>euid</li><li>suid</li><li>fsuid</li><li>egid</li><li>sgid</li><li>fsgid</li><li>tty</li><li>ses</li><li>comm</li><li>exe</li><li>subj</li><li>key</li></ul> |
## Log Samples
### Raw Log
```
type=SYSCALL msg=audit(1529507591.700:304): arch=c000003e syscall=62 success=yes exit=0 a0=829 a1=9 a2=0 a3=829 items=0 ppid=1783 pid=1784 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="kill_rule"
```

View File

@ -0,0 +1,65 @@
| Title | DN_0057_4625_account_failed_to_logon |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | An account failed to log on |
| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>AccountName</li><li>Hostname</li><li>Computer</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TargetUserSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>Status</li><li>FailureReason</li><li>SubStatus</li><li>LogonType</li><li>LogonProcessName</li><li>AuthenticationPackageName</li><li>WorkstationName</li><li>TransmittedServices</li><li>LmPackageName</li><li>KeyLength</li><li>ProcessId</li><li>ProcessName</li><li>IpAddress</li><li>IpPort</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
<EventRecordID>229977</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3240" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DC01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1bc</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
```
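Review bot: the Fields list carries AccountName, which has no source element in the raw sample's EventData (the account that failed to log on arrives as TargetUserName/TargetDomainName) and is not listed by any other Security-channel entry in this commit; either drop it or document it as a normalized field, the way Hostname is implied to be.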

View File

@ -0,0 +1,61 @@
| Title | DN_0058_4656_handle_to_an_object_was_requested |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. If access was declined, a Failure event is generated. This event generates only if the objects SACL has the required ACE to handle the use of specific access rights |
| **Logging Policy** | <ul><li>[LP0104_windows_audit_removable_storage](../Logging_Policies/LP0104_windows_audit_removable_storage.md)</li><li>[LP0039_windows_audit_kernel_object](../Logging_Policies/LP0039_windows_audit_kernel_object.md)</li><li>[LP0102_windows_audit_file_system](../Logging_Policies/LP0102_windows_audit_file_system.md)</li><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>ObjectType</li><li>ObjectName</li><li>HandleId</li><li>TransactionId</li><li>AccessList</li><li>AccessReason</li><li>AccessMask</li><li>PrivilegeList</li><li>RestrictedSidCount</li><li>ProcessId</li><li>ProcessName</li><li>ResourceAttributes</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
```
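Review bot: the Description's "objects SACL" should read "object's SACL"; the same dropped possessives and apostrophes appear in the 4657 ("registry keys SACL"), 4660 ("objects SACL", "doesnt", "its generated") and 4663 ("objects SACL", "doesnt") descriptions below, so fix them in one pass.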

View File

@ -0,0 +1,58 @@
| Title | DN_0059_4657_registry_value_was_modified |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates when a registry key value was modified. It doesn't generate when a registry key was modified. This event generates only if "Set Value" auditing is set in registry keys SACL |
| **Logging Policy** | <ul><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectName</li><li>ObjectValueName</li><li>HandleId</li><li>OperationType</li><li>OldValueType</li><li>OldValue</li><li>NewValueType</li><li>NewValue</li><li>ProcessId</li><li>ProcessName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4657</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-24T01:28:43.639634100Z" />
<EventRecordID>744725</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4824" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="ObjectName">\\REGISTRY\\MACHINE</Data>
<Data Name="ObjectValueName">Name\_New</Data>
<Data Name="HandleId">0x54</Data>
<Data Name="OperationType">%%1905</Data>
<Data Name="OldValueType">%%1873</Data>
<Data Name="OldValue" />
<Data Name="NewValueType">%%1873</Data>
<Data Name="NewValue">Andrei</Data>
<Data Name="ProcessId">0xce4</Data>
<Data Name="ProcessName">C:\\Windows\\regedit.exe</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,52 @@
| Title | DN_0060_4658_handle_to_an_object_was_closed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. This event generates only if Success auditing is enabled for Audit Handle Manipulation subcategory. Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance |
| **Logging Policy** | <ul><li>[LP0102_windows_audit_file_system](../Logging_Policies/LP0102_windows_audit_file_system.md)</li><li>[LP0042_windows_audit_handle_manipulation](../Logging_Policies/LP0042_windows_audit_handle_manipulation.md)</li><li>[LP0039_windows_audit_kernel_object](../Logging_Policies/LP0039_windows_audit_kernel_object.md)</li><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li><li>[LP0104_windows_audit_removable_storage](../Logging_Policies/LP0104_windows_audit_removable_storage.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>HandleId</li><li>ProcessId</li><li>ProcessName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4658</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
<EventRecordID>276724</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5056" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x18a8</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,53 @@
| Title | DN_0061_4660_object_was_deleted |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates when an object was deleted. The object could be a file system, kernel, or registry object. This event generates only if "Delete" auditing is set in objects SACL. This event doesnt contain the name of the deleted object (only the Handle ID). It is better to use "4663(S): An attempt was made to access an object" with DELETE access to track object deletion. The advantage of this event is that its generated only during real delete operations. In contrast, "4663(S): An attempt was made to access an object" also generates during other actions, such as object renaming |
| **Logging Policy** | <ul><li>[LP0102_windows_audit_file_system](../Logging_Policies/LP0102_windows_audit_file_system.md)</li><li>[LP0039_windows_audit_kernel_object](../Logging_Policies/LP0039_windows_audit_kernel_object.md)</li><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4660.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4660.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>HandleId</li><li>ProcessId</li><li>ProcessName</li><li>TransactionId</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4660</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
<EventRecordID>270188</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3060" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x1678</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,57 @@
| Title | DN_0062_4663_attempt_was_made_to_access_an_object |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. This event generates only if objects SACL has required ACE to handle specific access right use. The main difference with "4656: A handle to an object was requested." event is that 4663 shows that access right was used instead of just requested and 4663 doesnt have Failure events |
| **Logging Policy** | <ul><li>[LP0102_windows_audit_file_system](../Logging_Policies/LP0102_windows_audit_file_system.md)</li><li>[LP0039_windows_audit_kernel_object](../Logging_Policies/LP0039_windows_audit_kernel_object.md)</li><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li><li>[LP0104_windows_audit_removable_storage](../Logging_Policies/LP0104_windows_audit_removable_storage.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ObjectServer</li><li>ObjectType</li><li>ObjectName</li><li>HandleId</li><li>AccessList</li><li>AccessMask</li><li>ProcessId</li><li>ProcessName</li><li>ResourceAttributes</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
<EventRecordID>273866</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x1bc</Data>
<Data Name="AccessList">%%4417 %%4418</Data>
<Data Name="AccessMask">0x6</Data>
<Data Name="ProcessId">0x458</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,53 @@
| Title | DN_0063_4697_service_was_installed_in_the_system |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | A service was installed in the system |
| **Logging Policy** | <ul><li>[LP0100_windows_audit_security_system_extension](../Logging_Policies/LP0100_windows_audit_security_system_extension.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>ServiceName</li><li>ServiceFileName</li><li>ServiceType</li><li>ServiceStartType</li><li>ServiceAccount</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4697</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12289</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T01:36:11.991070500Z" />
<EventRecordID>2778</EventRecordID>
<Correlation ActivityID="{913FBE70-1CE6-0000-67BF-3F91E61CD101}" />
<Execution ProcessID="736" ThreadID="2800" />
<Channel>Security</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">atc-win-10$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="ServiceName">AppHostSvc</Data>
<Data Name="ServiceFileName">%windir%\\system32\\svchost.exe -k apphost</Data>
<Data Name="ServiceType">0x20</Data>
<Data Name="ServiceStartType">2</Data>
<Data Name="ServiceAccount">localSystem</Data>
</EventData>
</Event>
```
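Review bot: the sample's SubjectDomainName is CONTOSO while Computer is atc-win-10.atc.local and SubjectUserName is the machine account atc-win-10$; a machine account's domain should match the host's domain (ATC, as the 4728 sample from the same lab uses), so this sample looks hand-edited and should be made consistent. Minor: the reference links to docs.microsoft.com while the other entries in this commit link to the MicrosoftDocs GitHub source; pick one style.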

View File

@ -0,0 +1,50 @@
| Title | DN_0064_4698_scheduled_task_was_created |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time a new scheduled task is created |
| **Logging Policy** | <ul><li>[LP0041_windows_audit_other_object_access_events](../Logging_Policies/LP0041_windows_audit_other_object_access_events.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4698.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4698.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TaskName</li><li>TaskContent</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4698</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:03:06.944522200Z" />
<EventRecordID>344740</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,50 @@
| Title | DN_0065_4701_scheduled_task_was_disabled |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time a scheduled task is disabled |
| **Logging Policy** | <ul><li>[LP0041_windows_audit_other_object_access_events](../Logging_Policies/LP0041_windows_audit_other_object_access_events.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TaskName</li><li>TaskContent</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4701</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:32:45.844066600Z" />
<EventRecordID>344860</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4364" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>false</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,50 @@
| Title | DN_0066_4704_user_right_was_assigned |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time local user right policy is changed and user right was assigned to an account. You will see unique event for every user |
| **Logging Policy** | <ul><li>[LP0105_windows_audit_authorization_policy_change](../Logging_Policies/LP0105_windows_audit_authorization_policy_change.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4704.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4704.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>TargetSid</li><li>PrivilegeList</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4704</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-02T22:08:07.136050600Z" />
<EventRecordID>1049866</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="1216" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="PrivilegeList">SeAuditPrivilege SeIncreaseWorkingSetPrivilege</Data>
</EventData>
</Event>
```

View File

@ -0,0 +1,52 @@
| Title | DN_0067_4719_system_audit_policy_was_changed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates when the computer's audit policy changes. This event is always logged regardless of the "Audit Policy Change" sub-category setting |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4719.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4719.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>CategoryId</li><li>SubcategoryId</li><li>SubcategoryGuid</li><li>AuditPolicyChanges</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4719</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T19:57:09.668217100Z" />
<EventRecordID>1049418</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4668" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="CategoryId">%%8274</Data>
<Data Name="SubcategoryId">%%12807</Data>
<Data Name="SubcategoryGuid">{0CCE9223-69AE-11D9-BED3-505054503030}</Data>
<Data Name="AuditPolicyChanges">%%8448, %%8450</Data>
</EventData>
</Event>
```
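Review bot: the Logging Policy cell reads "Not existing", which a reader will take for a missing policy document; since the Description states the event is logged regardless of the "Audit Policy Change" setting, say that explicitly in the cell, e.g. "None required (always logged)", so the gap reads as intentional.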

View File

@ -0,0 +1,54 @@
| Title | DN_0068_4728_member_was_added_to_security_enabled_global_group |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Member was added to a security-enabled global group |
| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>MemberName</li><li>MemberSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4728</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-03-11T17:02:55.932712400Z" />
<EventRecordID>4408768</EventRecordID>
<Correlation />
<Execution ProcessID="704" ThreadID="852" />
<Channel>Security</Channel>
<Computer>atc-win-2k16.atc.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="MemberName">CN=test_user,CN=Users,DC=atc,DC=local</Data>
<Data Name="MemberSid">S-1-5-21-2245550993-2622282683-2531201460-18603</Data>
<Data Name="TargetUserName">Domain Admins</Data>
<Data Name="TargetDomainName">ATC</Data>
<Data Name="TargetSid">S-1-5-21-2245550993-2622282683-2531201460-512</Data>
<Data Name="SubjectUserSid">S-1-5-21-2245550993-2622282683-2531201460-500</Data>
<Data Name="SubjectUserName">demouser</Data>
<Data Name="SubjectDomainName">ATC</Data>
<Data Name="SubjectLogonId">0x109a6c</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
```
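Review bot: the Fields list carries both ComputerName and Computer, while every other entry in this commit lists only Computer and Hostname; unless ComputerName is deliberately kept as an alias for a specific log source, drop it for consistency. The Description is also the only one here that does not follow the "This event generates ..." wording of the other entries; cosmetic, but worth aligning.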

View File

@ -0,0 +1,54 @@
| Title | DN_0069_4732_member_was_added_to_security_enabled_local_group |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time a new member was added to a security-enabled (security) local group. This event generates on domain controllers, member servers, and workstations |
| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>MemberName</li><li>MemberSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4732</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T03:02:38.563110400Z" />
<EventRecordID>174856</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="MemberName">CN=eadmin,CN=Users,DC=contoso,DC=local</Data>
<Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
<Data Name="TargetUserName">AccountOperators</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3031e</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
```
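Review bot: the Fields list at the top of this file drops ComputerName, which the neighbouring 4728, 4737, 4755 and 4756 entries all carry next to Computer and Hostname (the 4735 entry shares the omission); unless that is deliberate, align the host field set so every group-management event exposes the same names. Minor tense fix in Description: "every time a new member was added" should read "every time a new member is added", matching the 4735 entry.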

View File

@ -0,0 +1,54 @@
| Title | DN_0070_4735_security_enabled_local_group_was_changed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time a security-enabled (security) local group is changed. This event generates on domain controllers, member servers, and workstations |
| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4735.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4735.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li><li>SamAccountName</li><li>SidHistory</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4735</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T02:00:45.537440000Z" />
<EventRecordID>174850</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">AccountOperators\_NEW</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3031e</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">AccountOperators\_NEW</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
```
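Review bot: the sample's TargetUserName and SamAccountName values are written as AccountOperators\_NEW, but markdown does not process escapes inside a fenced block, so readers (and anyone pasting the sample into a test) get a literal backslash that was never in the event; drop the backslash and keep AccountOperators_NEW. The same escaped-underscore problem appears in the 4776 sample's PackageName in this commit.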

View File

@ -0,0 +1,54 @@
| Title | DN_0071_4737_security_enabled_global_group_was_changed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Security-enabled global group was changed |
| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4737](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4737)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li><li>SamAccountName</li><li>SidHistory</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4737</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-03-20T17:02:42.762560800Z" />
<EventRecordID>4408769</EventRecordID>
<Correlation />
<Execution ProcessID="704" ThreadID="852" />
<Channel>Security</Channel>
<Computer>atc-win-2k16.atc.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Domain Admins</Data>
<Data Name="TargetDomainName">ATC</Data>
<Data Name="TargetSid">S-1-5-21-2245550993-2622282683-2531201460-512</Data>
<Data Name="SubjectUserSid">S-1-5-21-2245550993-2622282683-2531201460-500</Data>
<Data Name="SubjectUserName">demouser</Data>
<Data Name="SubjectDomainName">ATC</Data>
<Data Name="SubjectLogonId">0x109a6c</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
```
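Review bot: Description here is a one-line restatement of the title ("Security-enabled global group was changed"), while the 4732 and 4735 entries explain when the event is generated and on which hosts; bring this one to the same level and, as those entries do, cite Microsoft's auditing documentation for event 4737 alongside or instead of the ultimatewindowssecurity page. The sample itself lines up with the 4728 sample in this commit (same Domain Admins TargetSid, same subject and logon ID), which is good.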

View File

@ -0,0 +1,54 @@
| Title | DN_0072_4755_security_enabled_universal_group_was_changed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Security-enabled universal group was changed |
| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4755](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4755)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li><li>SamAccountName</li><li>SidHistory</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4755</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-03-20T17:06:43.662560800Z" />
<EventRecordID>4405438</EventRecordID>
<Correlation />
<Execution ProcessID="704" ThreadID="2584" />
<Channel>Security</Channel>
<Computer>atc-win-2k16.atc.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Enterprise Admins</Data>
<Data Name="TargetDomainName">ATC</Data>
<Data Name="TargetSid">S-1-5-21-2245550993-2622282683-2531201460-519</Data>
<Data Name="SubjectUserSid">S-1-5-21-2245550993-2622282683-2531201460-500</Data>
<Data Name="SubjectUserName">demouser</Data>
<Data Name="SubjectDomainName">ATC</Data>
<Data Name="SubjectLogonId">0x109a6c</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
```
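Review bot: same gap as the 4737 entry: the Description only repeats the title and the sole reference is the ultimatewindowssecurity page where sibling entries cite Microsoft's auditing docs; expand the description to say when the event fires, as the 4732/4735 entries do. The sample is internally consistent (Enterprise Admins TargetSid ending in -519, the same SubjectLogonId 0x109a6c as the 4737 sample).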

View File

@ -0,0 +1,54 @@
| Title | DN_0073_4756_member_was_added_to_a_security_enabled_universal_group |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Member was added to a security-enabled universal group |
| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4756](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4756)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>MemberName</li><li>MemberSid</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4756</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-03-20T17:08:41.465560800Z" />
<EventRecordID>4405437</EventRecordID>
<Correlation />
<Execution ProcessID="704" ThreadID="2584" />
<Channel>Security</Channel>
<Computer>atc-win-2k16.atc.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="MemberName">CN=demouser,CN=Users,DC=atc,DC=local</Data>
<Data Name="MemberSid">S-1-5-21-2245550993-2690282630-2861202560-18603</Data>
<Data Name="TargetUserName">Enterprise Admins</Data>
<Data Name="TargetDomainName">ATC</Data>
<Data Name="TargetSid">S-1-5-21-2245550993-2622282683-2531201460-519</Data>
<Data Name="SubjectUserSid">S-1-5-21-2245550993-2622282683-2531201460-500</Data>
<Data Name="SubjectUserName">test_user</Data>
<Data Name="SubjectDomainName">ATC</Data>
<Data Name="SubjectLogonId">0x109a6c</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
```
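Review bot: the sample's identities do not add up and look hand-edited: MemberSid S-1-5-21-2245550993-2690282630-2861202560-18603 carries a different domain identifier than TargetSid and SubjectUserSid (S-1-5-21-2245550993-2622282683-2531201460-...), MemberName is demouser although the 4728 sample gives RID 18603 to test_user, and SubjectUserName test_user is paired with SubjectUserSid ending in -500, which the 4728, 4737 and 4755 samples attribute to demouser. Replace it with an unedited captured 4756, or at least make the SIDs and names consistent with the other ATC samples, since these samples are what people test their field mappings against.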

View File

@ -0,0 +1,40 @@
| Title | DN_0074_4765_sid_history_was_added_to_an_account |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | SID History was added to an account |
| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>Subject</li><li>SecurityID</li><li>AccountName</li><li>AccountDomain</li><li>LogonID</li><li>TargetAccount</li><li>SecurityID</li><li>AccountName</li><li>AccountDomain</li><li>SourceAccount</li><li>SecurityID</li><li>AccountName</li><li>AdditionalInformation</li><li>Privileges</li><li>SIDList</li></ul> |
## Log Samples
### Raw Log
```
SID History was added to an account.
Subject:
Security ID:%6
Account Name:%7
Account Domain:%8
Logon ID:%9
Target Account:
Security ID:%5
Account Name:%3
Account Domain:%4
Source Account:
Security ID:%2
Account Name:%1
Additional Information:
Privileges:%10
SID List:%11
```
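Review bot: the Fields list and the Raw Log in this file break the convention used by every other entry: the fields are the rendered message labels (Subject, SecurityID, AccountName, AccountDomain, LogonID, TargetAccount, SourceAccount, AdditionalInformation) with SecurityID and AccountName each listed three times, so a rule cannot tell the subject's account name from the target's or the source's, and the sample is the message template with %1..%11 placeholders rather than an event. Capture a real 4765 and list the Data Name attributes from its EventData, as the 4728/4732 entries do, so the fields are unambiguous and match what a SIEM will actually index.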

View File

@ -0,0 +1,38 @@
| Title | DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | An attempt to add SID History to an account failed |
| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>Subject</li><li>SecurityID</li><li>AccountName</li><li>AccountDomain</li><li>LogonID</li><li>TargetAccount</li><li>SecurityID</li><li>AccountName</li><li>AccountDomain</li><li>SourceAccount</li><li>AccountName</li><li>AdditionalInformation</li><li>Privileges</li></ul> |
## Log Samples
### Raw Log
```
An attempt to add SID History to an account failed.
Subject:
Security ID:-
Account Name:%5
Account Domain:%6
Logon ID:%7
Target Account:
Security ID:%4
Account Name:%2
Account Domain:%3
Source Account:
Account Name:%1
Additional Information:
Privileges:%8
```
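Review bot: same issue as the 4765 entry: the Fields list repeats the display labels (SecurityID, AccountName and AccountDomain appear twice each), and the sample is the message template with %1..%8 placeholders and "Security ID:-" rather than a captured event; replace both with the EventData Data Name keys from a real 4766 so the subject and target fields can be told apart.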

View File

@ -0,0 +1,58 @@
| Title | DN_0076_4768_kerberos_authentication_ticket_was_requested |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). This event generates only on domain controllers. If TGT issue fails then you will see Failure event with Result Code field not equal to "0x0" |
| **Logging Policy** | <ul><li>[LP0038_windows_audit_kerberos_authentication_service](../Logging_Policies/LP0038_windows_audit_kerberos_authentication_service.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>ServiceName</li><li>ServiceSid</li><li>TicketOptions</li><li>Status</li><li>TicketEncryptionType</li><li>PreAuthType</li><li>IpAddress</li><li>IpPort</li><li>CertIssuerName</li><li>CertSerialNumber</li><li>CertThumbprint</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:13:46.074535600Z" />
<EventRecordID>166747</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1496" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x0</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49273</Data>
<Data Name="CertIssuerName">contoso-DC01-CA-1</Data>
<Data Name="CertSerialNumber">1D0000000D292FBE3C6CDDAFA200020000000D</Data>
<Data Name="CertThumbprint">564DFAEE99C71D62ABC553E695BD8DBC46669413</Data>
</EventData>
</Event>
```
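Review bot: Description says failures show up as a "Result Code" not equal to 0x0, but the Fields list and the sample call that field Status (the Data Name attribute); Result Code is only the rendered label, so name the field Status so the text matches what rules will filter on. It would also help to say what this particular sample is: the CertIssuerName, CertSerialNumber and CertThumbprint fields are populated here and blank in the 4771 sample, and a sentence explaining that they are only filled for certificate-based pre-authentication would stop readers from expecting them on every 4768.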

View File

@ -0,0 +1,55 @@
| Title | DN_0077_4769_kerberos_service_ticket_was_requested |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request. This event generates only on domain controllers. If TGS issue fails then you will see Failure event with Failure Code field not equal to "0x0" |
| **Logging Policy** | <ul><li>[LP0106_windows_audit_kerberos_service_ticket_operations](../Logging_Policies/LP0106_windows_audit_kerberos_service_ticket_operations.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetDomainName</li><li>ServiceName</li><li>ServiceSid</li><li>TicketOptions</li><li>TicketEncryptionType</li><li>IpAddress</li><li>IpPort</li><li>Status</li><li>LogonGuid</li><li>TransmittedServices</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4769</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14337</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:13:46.043256100Z" />
<EventRecordID>166746</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1496" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">dadmin@CONTOSO.LOCAL</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="ServiceName">WIN2008R2$</Data>
<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-2102</Data>
<Data Name="TicketOptions">0x40810000</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49272</Data>
<Data Name="Status">0x0</Data>
<Data Name="LogonGuid">{F85C455E-C66E-205C-6B39-F6C60A7FE453}</Data>
<Data Name="TransmittedServices">-</Data>
</EventData>
</Event>
```
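Review bot: as with the 4768 entry, the Description points readers at a "Failure Code" field, but the EventData in the sample names it Status (and the Fields list does too); use the Data Name. Worth documenting as well that TargetUserName here is the UPN form dadmin@CONTOSO.LOCAL while the 4768 sample carries plain dadmin, so any rule that joins a TGT request to the service-ticket requests that follow it has to normalise the account name before comparing.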

View File

@ -0,0 +1,55 @@
| Title | DN_0078_4771_kerberos_pre_authentication_failed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesnt have a certificate installed for smart card authentication (for example, with a "Domain Controller" or "Domain Controller Authentication" template), the users password has expired, or the wrong password was provided. This event generates only on domain controllers |
| **Logging Policy** | <ul><li>[LP0038_windows_audit_kerberos_authentication_service](../Logging_Policies/LP0038_windows_audit_kerberos_authentication_service.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetSid</li><li>ServiceName</li><li>TicketOptions</li><li>Status</li><li>PreAuthType</li><li>IpAddress</li><li>IpPort</li><li>CertIssuerName</li><li>CertSerialNumber</li><li>CertThumbprint</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:10:21.495462300Z" />
<EventRecordID>166708</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1084" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="ServiceName">krbtgt/CONTOSO.LOCAL</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x10</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49254</Data>
<Data Name="CertIssuerName" />
<Data Name="CertSerialNumber" />
<Data Name="CertThumbprint" />
</EventData>
</Event>
```
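Review bot: Description has two dropped apostrophes ("doesnt have a certificate", "the users password") that should read "doesn't" and "the user's". It also lists three causes (no DC certificate, expired password, wrong password) without saying where the event tells them apart; the sample's Status field (0x10 here) carries the Kerberos error code, and pointing the reader at it, as the 4768 entry does for its Status field, would make the entry usable for triage. The Fields list correctly has no TargetDomainName, which matches the sample; no change needed there.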

View File

@ -0,0 +1,48 @@
| Title | DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time that a credential validation occurs using NTLM authentication. This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative |
| **Logging Policy** | <ul><li>[LP0107_windows_audit_credential_validation](../Logging_Policies/LP0107_windows_audit_credential_validation.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4776.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4776.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>PackageName</li><li>TargetUserName</li><li>Workstation</li><li>Status</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-07-25T04:38:11.003163100Z" />
<EventRecordID>165437</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="532" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="PackageName">MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="Workstation">WIN81</Data>
<Data Name="Status">0xc0000234</Data>
</EventData>
</Event>
```
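Review bot: PackageName in the sample reads MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0 with markdown-escaped underscores, but escapes are not interpreted inside a fenced block, so the backslashes show verbatim and the value no longer matches the real string MICROSOFT_AUTHENTICATION_PACKAGE_V1_0; remove the backslashes (same fix as the 4735 sample). The Description should also tell the reader that success and failure share this Event ID: the sample is a failure (Status 0xc0000234, and Keywords 0x8010000000000000 rather than the 0x8020000000000000 of the success samples above), so rules must look at Status, not just at the Event ID.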

View File

@ -0,0 +1,53 @@
| Title | DN_0080_5859_wmi_activity |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | WMI Event which provide ability to catch Timer-based WMI Events and provide usefult information for identification of suspicious WMI activity |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity](https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity)</li><li>[https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/](https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-WMI-Activity/Operational |
| **Provider** | Microsoft-Windows-WMI-Activity |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>NamespaceName</li><li>Query</li><li>ProcessID</li><li>Provider</li><li>queryid</li><li>PossibleCause</li><li>CorrelationActivityID</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />
<EventID>5859</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-08T09:37:37.108925700Z" />
<EventRecordID>57003</EventRecordID>
<Correlation ActivityID="{10490123-32E3-0000-B1F0-46D991BFD401}" />
<Execution ProcessID="436" ThreadID="3076" />
<Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <UserData>
- <Operation_EssStarted xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
<NamespaceName>//./root/cimv2</NamespaceName>
<Query>select * from MSFT_SCMEventLogEvent</Query>
<User>S-1-5-32-544</User>
<Processid>436</Processid>
<Provider>SCM Event Provider</Provider>
<queryid>0</queryid>
<PossibleCause>Permanent</PossibleCause>
</Operation_EssStarted>
</UserData>
</Event>
```
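Review bot: the Description is copied word for word from the 5861 entry (typo "usefult" included) and does not describe this event: the sample is an Operation_EssStarted record, i.e. WMI starting an event subscription for the query in the Query element, not a timer event. The Fields list also disagrees with the sample: it has ProcessID where the element is Processid, lists CorrelationActivityID (that is the ActivityID attribute of System/Correlation, not a UserData element), and omits the User element, which is the SID a rule on suspicious subscriptions would want. Fix "which provide" to "which provides" when rewriting the sentence.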

View File

@ -0,0 +1,50 @@
| Title | DN_0081_5861_wmi_activity |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | WMI Event which provide ability to catch Timer-based WMI Events and provide usefult information for identification of suspicious WMI activity |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity](https://www.darkoperator.com/blog/2017/10/14/basics-of-tracking-wmi-activity)</li><li>[https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/](https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-WMI-Activity/Operational |
| **Provider** | Microsoft-Windows-WMI-Activity |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>Namespace</li><li>ESS</li><li>Consumer</li><li>PossibleCause</li><li>CreatorSID</li><li>EventNamespace</li><li>Query</li><li>QueryLanguage</li><li>EventFilter</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}" />
<EventID>5861</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2019-02-06T20:23:40.952921100Z" />
<EventRecordID>56793</EventRecordID>
<Correlation />
<Execution ProcessID="1416" ThreadID="2244" />
<Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <UserData>
- <Operation_ESStoConsumerBinding xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
<Namespace>//./ROOT/Subscription</Namespace>
<ESS>SCM Event Log Filter</ESS>
<CONSUMER>NTEventLogEventConsumer="SCM Event Log Consumer"</CONSUMER>
<PossibleCause>Binding EventFilter: instance of __EventFilter { CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}; EventNamespace = "root\\cimv2"; Name = "SCM Event Log Filter"; Query = "select * from MSFT_SCMEventLogEvent"; QueryLanguage = "WQL"; }; Perm. Consumer: instance of NTEventLogEventConsumer { Category = 0; CreatorSID = {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}; EventType = 1; Name = "SCM Event Log Consumer"; NameOfUserSIDProperty = "sid"; SourceName = "Service Control Manager"; };</PossibleCause>
</Operation_ESStoConsumerBinding>
</UserData>
</Event>
```
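Review bot: the Fields list advertises CreatorSID, EventNamespace, Query, QueryLanguage and EventFilter as fields, but in the sample all of them are embedded in the single PossibleCause string ("Binding EventFilter: instance of __EventFilter { CreatorSID = ...; Query = "select * from MSFT_SCMEventLogEvent"; ... }"), so a collector will not index them separately without its own parsing of that string; either list only the elements that exist (Namespace, ESS, CONSUMER, PossibleCause) or state that the rest are extracted from PossibleCause. Element casing should match the sample too (CONSUMER, not Consumer), and the Description shares the "usefult"/"which provide" typos with the 5859 entry.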

View File

@ -0,0 +1,49 @@
| Title | DN_0082_8002_ntlm_server_blocked_audit |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked. Actually it's just event about NTLM authentication, it doesn't necessary supposed to be blocked. Blocked NTLM auth is the same provider but Event ID 4002 |
| **Logging Policy** | <ul><li>[LP0044_windows_ntlm_audit](../Logging_Policies/LP0044_windows_ntlm_audit.md)</li></ul> |
| **References** | <ul><li>[https://twitter.com/JohnLaTwC/status/1004895902010507266](https://twitter.com/JohnLaTwC/status/1004895902010507266)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-NTLM/Operational |
| **Provider** | Microsoft-Windows-NTLM |
| **Fields** | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>CallerPID</li><li>ProcessName</li><li>ClientLUID</li><li>ClientUserName</li><li>ClientDomainName</li><li>MechanismOID</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-NTLM" Guid="{AC43300D-5FCC-4800-8E99-1BD3F85F0320}" />
<EventID>8002</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>2</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-03-02T23:00:00.746139000Z" />
<EventRecordID>12</EventRecordID>
<Correlation />
<Execution ProcessID="468" ThreadID="2660" />
<Channel>Microsoft-Windows-NTLM/Operational</Channel>
<Computer>dc.yugoslavskiy.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="CallerPID">4</Data>
<Data Name="ProcessName" />
<Data Name="ClientLUID">0x3e7</Data>
<Data Name="ClientUserName">DC$</Data>
<Data Name="ClientDomainName">atc</Data>
<Data Name="MechanismOID">1.3.6.1.4.1.311.2.2.10</Data>
</EventData>
</Event>
```
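Review bot: the second and third sentences of Description are hard to parse ("Actually it's just event about NTLM authentication, it doesn't necessary supposed to be blocked"); suggested wording: "Despite the name, this event records every incoming NTLM authentication evaluated by the audit policy; it does not mean the authentication was blocked. Authentications that are actually blocked are logged by the same provider as Event ID 4002." The sample also shows ProcessName empty with CallerPID 4, which deserves a line, since rules keyed on ProcessName will miss system-originated authentications like this one.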

View File

@ -0,0 +1,48 @@
| Title | DN_0083_16_access_history_in_hive_was_cleared |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The access history in hive was cleared updating X keys and creating Y modified pages |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[http://www.eventid.net/display-eventid-16-source-Microsoft-Windows-Kernel-General-eventno-11563-phase-1.htm](http://www.eventid.net/display-eventid-16-source-Microsoft-Windows-Kernel-General-eventno-11563-phase-1.htm)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | System |
| **Provider** | Microsoft-Windows-Kernel-General |
| **Fields** | <ul><li>EventID</li><li>Hostname</li><li>Computer</li><li>HiveNameLength</li><li>HiveName</li><li>KeysUpdated</li><li>DirtyPages</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Kernel-General" Guid="{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}" />
<EventID>16</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-01-12T03:18:59.347973200Z" />
<EventRecordID>1705</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="540" />
<Channel>System</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="HiveNameLength">31</Data>
<Data Name="HiveName">\SystemRoot\System32\Config\SAM</Data>
<Data Name="KeysUpdated">65</Data>
<Data Name="DirtyPages">7</Data>
</EventData>
</Event>
```
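Review bot: the Description keeps the message template's `X` and `Y` placeholders without saying which fields fill them; from the sample, `X` is `KeysUpdated` (65) and `Y` is `DirtyPages` (7), and stating that in the Description, or beside those entries in Fields, lets rule authors reference the right fields. The sample's `HiveName` of `\SystemRoot\System32\Config\SAM` is also the reason this event is worth collecting, so a sentence on that would help readers judge its value.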

View File

@ -0,0 +1,59 @@
| Title | DN_0084_av_alert |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Anti-virus alert |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[None](None)</li></ul> |
| **Platform** | antivirus |
| **Type** | None |
| **Channel** | None |
| **Provider** | None |
| **Fields** | <ul><li>Hostname</li><li>Signature</li><li>AlertTitle</li><li>Category</li><li>Severity</li><li>Sha1</li><li>FileName</li><li>FilePath</li><li>IpAddress</li><li>UserName</li><li>UserDomain</li><li>FileHash</li><li>Hashes</li><li>Imphash</li><li>Sha256hash</li><li>Sha1hash</li><li>Md5hash</li></ul> |
## Log Samples
### Raw Log
```
{
"AlertTime":"2017-01-23T07:32:54.1861171Z",
"ComputerDnsName":"desktop-bvccckk",
"AlertTitle":"Suspicious PowerShell commandline",
"Category":"SuspiciousActivity",
"Severity":"Medium",
"AlertId":"636207535742330111_-1114309685",
"Actor":null,
"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
"IocName":null,
"IocValue":null,
"CreatorIocName":null,
"CreatorIocValue":null,
"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
"FileName":"powershell.exe",
"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
"IpAddress":null,
"Url":null,
"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
"UserName":null,
"AlertPart":0,
"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
"ThreatCategory":null,
"ThreatFamily":null,
"ThreatName":null,
"RemediationAction":null,
"RemediationIsSuccess":null,
"Source":"Windows Defender ATP",
"Md5":null,
"Sha256":null,
"WasExecutingWhileDetected":null,
"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"
}
```
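Review bot: the References cell `[None](None)` renders as a dead link to a file called `None`; use the `Not existing` convention the Logging Policy cell already uses, or leave the cell empty. Type, Channel and Provider are also `None` although the sample is a Windows Defender ATP alert (`"Source":"Windows Defender ATP"`, `LinkToWDATP`), so at least Provider could name the source; and several Fields (`Md5hash`, `Sha256hash`, `Sha1hash`) do not match the keys in the sample (`Md5`, `Sha256`, `Sha1`), so a short mapping note would help whoever writes the normalization.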

View File

@ -0,0 +1,52 @@
| Title | DN_0085_22_windows_sysmon_DnsQuery |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates when a process executes a DNS query, whether the result is successful or fails, cached or not |
| **Logging Policy** | <ul><li>[LP0011_windows_sysmon_DnsQuery](../Logging_Policies/LP0011_windows_sysmon_DnsQuery.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-22-dnsevent-dns-query](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-22-dnsevent-dns-query)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-22.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-22.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
| **Channel** | Microsoft-Windows-Sysmon/Operational |
| **Provider** | Microsoft-Windows-Sysmon |
| **Fields** | <ul><li>EventID</li><li>Computer</li><li>Hostname</li><li>UtcTime</li><li>RuleName</li><li>ProcessGuid</li><li>ProcessId</li><li>QueryName</li><li>QueryStatus</li><li>QueryResults</li><li>Image</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>22</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>22</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2019-06-24T00:56:52.053368800Z" />
<EventRecordID>2637</EventRecordID>
<Correlation />
<Execution ProcessID="5956" ThreadID="4672" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>atc-win-10.atc.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName" />
<Data Name="UtcTime">2019-06-24 00:56:50.125</Data>
<Data Name="ProcessGuid">{717CFEC0-1A16-5D10-0000-0010CDEA1F00}</Data>
<Data Name="ProcessId">3192</Data>
<Data Name="QueryName">kibana.atomicthreatcoverage.com</Data>
<Data Name="QueryStatus">0</Data>
<Data Name="QueryResults">::ffff:157.230.126.111;</Data>
<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
</EventData>
</Event>
```
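Review bot: the Fields list needs a note on the format of `QueryResults`: in the sample it is a semicolon-terminated list (`::ffff:157.230.126.111;`) in which an IPv4 answer appears as an IPv4-mapped IPv6 address, so a rule matching on a plain dotted-quad will miss it unless the `::ffff:` prefix and the trailing `;` are handled. Minor: the Description reads "whether the result is successful or fails, cached or not"; "whether the query succeeds or fails, and whether the answer came from the cache" is clearer.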

View File

@ -0,0 +1,69 @@
| Title | DN_0086_4720_user_account_was_created |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | A user account was created |
| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4720.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4720.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>TargetUserName</li><li>TargetDomainName</li><li>TargetSid</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PrivilegeList</li><li>SamAccountName</li><li>DisplayName</li><li>UserPrincipalName</li><li>HomeDirectory</li><li>HomePath</li><li>ScriptPath</li><li>ProfilePath</li><li>UserWorkstations</li><li>PasswordLastSet</li><li>AccountExpires</li><li>PrimaryGroupId</li><li>AllowedToDelegateTo</li><li>OldUacValue</li><li>NewUacValue</li><li>UserAccountControl</li><li>UserParameters</li><li>SidHistory</li><li>LogonHours</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4720</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-07-11T23:09:42.994762700Z" />
<EventRecordID>1346</EventRecordID>
<Correlation />
<Execution ProcessID="532" ThreadID="564" />
<Channel>Security</Channel>
<Computer>atc-win-2k12</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">newuser</Data>
<Data Name="TargetDomainName">ATC-WIN-2K12</Data>
<Data Name="TargetSid">S-1-5-21-1566719857-3102892733-3273982148-1005</Data>
<Data Name="SubjectUserSid">S-1-5-21-1566719857-3102892733-3273982148-1001</Data>
<Data Name="SubjectUserName">yugoslavskiy</Data>
<Data Name="SubjectDomainName">ATC-WIN-2K12</Data>
<Data Name="SubjectLogonId">0x14c6b</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">newuser</Data>
<Data Name="DisplayName">%%1793</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">%%1793</Data>
<Data Name="HomePath">%%1793</Data>
<Data Name="ScriptPath">%%1793</Data>
<Data Name="ProfilePath">%%1793</Data>
<Data Name="UserWorkstations">%%1793</Data>
<Data Name="PasswordLastSet">%%1794</Data>
<Data Name="AccountExpires">%%1794</Data>
<Data Name="PrimaryGroupId">513</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x0</Data>
<Data Name="NewUacValue">0x15</Data>
<Data Name="UserAccountControl">%%2080 %%2082 %%2084</Data>
<Data Name="UserParameters">%%1793</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">%%1797</Data>
</EventData>
</Event>
```
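Review bot: the `%%1793`, `%%1794`, `%%1797` and `%%2080 %%2082 %%2084` values in the sample (DisplayName, HomeDirectory, PasswordLastSet, UserAccountControl and others) are unresolved message-resource references, which is how the event looks when read as raw XML rather than through the rendered message. That deserves a sentence in the Description or Fields, because a rule on `UserAccountControl` written against the rendered text (resolved flag names) will not match the raw `%%` values, and vice versa.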

View File

@ -0,0 +1,57 @@
| Title | DN_0087_5156_windows_filtering_platform_has_permitted_connection |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The Windows Filtering Platform has permitted a connection |
| **Logging Policy** | <ul><li>[LP0045_windows_audit_filtering_platform_connection](../Logging_Policies/LP0045_windows_audit_filtering_platform_connection.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>ProcessID</li><li>Application</li><li>Direction</li><li>SourceAddress</li><li>SourcePort</li><li>DestAddress</li><li>DestPort</li><li>Protocol</li><li>FilterRTID</li><li>LayerName</li><li>LayerRTID</li><li>RemoteUserID</li><li>RemoteMachineID</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5156</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-07-11T23:32:31.307121600Z" />
<EventRecordID>1360</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="288" />
<Channel>Security</Channel>
<Computer>atc-win-2k12</Computer>
<Security />
</System>
- <EventData>
<Data Name="ProcessID">4</Data>
<Data Name="Application">System</Data>
<Data Name="Direction">%%14593</Data>
<Data Name="SourceAddress">fe80::e8a5:2a62:cc49:96cb</Data>
<Data Name="SourcePort">143</Data>
<Data Name="DestAddress">ff02::16</Data>
<Data Name="DestPort">0</Data>
<Data Name="Protocol">58</Data>
<Data Name="FilterRTID">67456</Data>
<Data Name="LayerName">%%14611</Data>
<Data Name="LayerRTID">50</Data>
<Data Name="RemoteUserID">S-1-0-0</Data>
<Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
</Event>
```
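Review bot: the sample is an ICMPv6 packet (`Protocol` 58) from a link-local address to the multicast address `ff02::16` with `DestPort` 0, so it exercises few of the fields that rules on this event actually key on (`Application`, `Direction`, `DestAddress`, `DestPort` of a TCP flow). A second sample showing an outbound TCP connection from a user process would make the page more useful, and since `Direction` and `LayerName` are again `%%` resource references (`%%14593`, `%%14611`), their resolved meanings should be noted alongside the Fields.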

View File

@ -0,0 +1,52 @@
| Title | DN_0088_4616_system_time_was_changed |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The system time was changed |
| **Logging Policy** | <ul><li>[LP0046_windows_audit_security_state_change](../Logging_Policies/LP0046_windows_audit_security_state_change.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
| **Provider** | Microsoft-Windows-Security-Auditing |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li><li>SubjectUserSid</li><li>SubjectUserName</li><li>SubjectDomainName</li><li>SubjectLogonId</li><li>PreviousTime</li><li>NewTime</li><li>ProcessId</li><li>ProcessName</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4616</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12288</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-09T05:04:29.995794600Z" />
<EventRecordID>1101699</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="148" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x48f29</Data>
<Data Name="PreviousTime">2015-10-09T05:04:30.000941900Z</Data>
<Data Name="NewTime">2015-10-09T05:04:30.000000000Z</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\\Windows\\WinSxS\\amd64\_microsoft-windows-com-surrogate-core\_31bf3856ad364e35\_6.3.9600.16384\_none\_25a8f00faa8f185c\\dllhost.exe</Data>
</EventData>
</Event>
```
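Review bot: the `ProcessName` value in the sample carries markdown escaping (`C:\\Windows\\WinSxS\\amd64\_microsoft-windows-com-surrogate-core\_...\\dllhost.exe`); doubled backslashes and `\_` do not occur in the event itself, and inside a code fence they are shown literally, so the path should be the plain `C:\Windows\WinSxS\amd64_microsoft-windows-com-surrogate-core_31bf3856ad364e35_6.3.9600.16384_none_25a8f00faa8f185c\dllhost.exe`.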

View File

@ -0,0 +1,42 @@
| Title | DN_0089_56_terminal_server_security_layer_detected_an_error |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The Terminal Server security layer detected an error in the protocol stream and has disconnected the client |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[http://www.eventid.net/display-eventid-56-source-TermDD-eventno-9421-phase-1.htm](http://www.eventid.net/display-eventid-56-source-TermDD-eventno-9421-phase-1.htm)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | System |
| **Provider** | TermDD |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="TermDD" />
<EventID Qualifiers="49162">56</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-07-11T22:26:42.723Z" />
<EventRecordID>147091</EventRecordID>
<Channel>System</Channel>
<Computer>atc-demo</Computer>
<Security />
</System>
- <EventData>
<Data>\Device\Termdd</Data>
<Binary>00050600010000000000000038000AC00000000039000AC00000000000000000000000000000000030030980</Binary>
</EventData>
</Event>
```

View File

@ -0,0 +1,42 @@
| Title | DN_0090_50_terminal_server_security_layer_detected_an_error |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The RDP protocol component <component> detected an error in the protocol stream and has disconnected the client |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[http://www.eventid.net/display-eventid-50-source-TermDD-eventno-606-phase-1.htm](http://www.eventid.net/display-eventid-50-source-TermDD-eventno-606-phase-1.htm)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | System |
| **Provider** | TermDD |
| **Fields** | <ul><li>EventID</li><li>ComputerName</li><li>Computer</li><li>Hostname</li></ul> |
## Log Samples
### Raw Log
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="TermDD" />
<EventID Qualifiers="49162">50</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-07-12T02:37:29.871133100Z" />
<EventRecordID>5483</EventRecordID>
<Channel>System</Channel>
<Computer>atc-win-7</Computer>
<Security />
</System>
- <EventData>
<Data>\Device\Termdd</Data>
<Data>X.224</Data>
<Binary>00000B00020034000000000032000AC00000000032000AC0000000000000000000000000000000000B00000016030100C30100</Binary>
</EventData>
</Event>
```
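Review bot: the Title `DN_0090_50_terminal_server_security_layer_detected_an_error` repeats the DN_0089 wording, but the Description says this event reports "The RDP protocol component <component> detected an error", and the sample carries that component name as a second `<Data>` element (`X.224`) that the Fields list does not expose; suggest a title matching the Description and a field (for example `Component`) for it. Also, `<component>` in the Description cell is an unescaped angle-bracket token inside a markdown table and may be dropped as an HTML tag on render; write it as `&lt;component&gt;` or in backticks.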

View File

@ -0,0 +1,25 @@
| Title | DN_0091_linux_modsecurity_log |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Mod_security (Web Application Firewall) audit/error log |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.nginx.com/blog/modsecurity-logging-and-debugging/](https://www.nginx.com/blog/modsecurity-logging-and-debugging/)</li><li>[https://www.cryptobells.com/mod_security-json-audit-logs-revisited/](https://www.cryptobells.com/mod_security-json-audit-logs-revisited/)</li></ul> |
| **Platform** | Linux |
| **Type** | modsecurity |
| **Channel** | modsecurity |
| **Provider** | modsecurity |
| **Fields** | <ul><li>timestamp</li><li>hostname</li><li>client</li><li>uri</li></ul> |
## Log Samples
### Raw Log
```
[Thu Jul 02 04:14:31 2018] [error] [client 190.222.135.100] mod_security: Access denied with code 500. Pattern match "SomePattern" at HEADER("USER-AGENT") [hostname "samplesite.com"] [uri "/some/uri"]
```
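Review bot: the References describe ModSecurity's audit log (including the JSON audit format) while the sample is an Apache error-log line (`[error] [client ...] mod_security: Access denied ...`), so Type/Channel should state which of the two logs this DN covers, or both formats should get a sample. The Fields list (`timestamp`, `hostname`, `client`, `uri`) also omits the matched pattern and the deny code that appear in the sample and that a WAF detection rule would most likely reference. Minor: the sample's date `Thu Jul 02 ... 2018` is inconsistent, as 2 July 2018 fell on a Monday.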

View File

@ -0,0 +1,25 @@
| Title | DN_0092_unix_generic_syslog |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Unix generic syslog |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_buffer_overflows.yml](https://github.com/Neo23x0/sigma/blob/master/rules/linux/lnx_buffer_overflows.yml)</li></ul> |
| **Platform** | Unix |
| **Type** | generic |
| **Channel** | syslog |
| **Provider** | syslog |
| **Fields** | <ul><li>timestamp</li><li>uid</li><li>message</li></ul> |
## Log Samples
### Raw Log
```
Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to execute code on stack by uid 0
```
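Review bot: the Fields list (`timestamp`, `uid`, `message`) leaves out the host (`foo.bar.baz`) and the program with its PID (`rpc.ttdbserverd[1932]`) that are present in the sample and that the other Linux DNs in this commit expose as `Hostname`/`Program`; adding them keeps field names consistent across sources and lets a match from the referenced Sigma rule be tied to a host.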

View File

@ -0,0 +1,25 @@
| Title | DN_0093_linux_clamav_log |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Linux ClamAV anti-virus logs |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://www.clamav.net](https://www.clamav.net)</li><li>[https://docs.pivotal.io/addon-antivirus/1-4/monitoring-logs.html](https://docs.pivotal.io/addon-antivirus/1-4/monitoring-logs.html)</li><li>[https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml](https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml)</li></ul> |
| **Platform** | Linux |
| **Type** | None |
| **Channel** | ClamAV |
| **Provider** | ClamAV |
| **Fields** | <ul><li>Hostname</li><li>Signature</li><li>FileName</li><li>FilePath</li></ul> |
## Log Samples
### Raw Log
```
/var/vcap/data/test.txt: Eicar-Test-Signature FOUND
```

View File

@ -0,0 +1,25 @@
| Title | DN_0094_linux_sshd_log |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | OpenSSH SSH daemon (sshd) log |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://en.wikibooks.org/wiki/OpenSSH/Logging_and_Troubleshooting](https://en.wikibooks.org/wiki/OpenSSH/Logging_and_Troubleshooting)</li></ul> |
| **Platform** | Linux |
| **Type** | auth |
| **Channel** | auth.log |
| **Provider** | sshd |
| **Fields** | <ul><li>Hostname</li><li>UserName</li><li>Daemon</li><li>Program</li><li>Message</li></ul> |
## Log Samples
### Raw Log
```
May 18 16:41:20 hostname sshd[890]: error: buffer_get_string_ret: buffer_get failed
```

View File

@ -0,0 +1,25 @@
| Title | DN_0095_linux_auth_pam_log |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Linux Pluggable Authentication Modules (PAM) authentication log |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[http://manpages.ubuntu.com/manpages/trusty/en/man7/pam.7.html](http://manpages.ubuntu.com/manpages/trusty/en/man7/pam.7.html)</li></ul> |
| **Platform** | Linux |
| **Type** | auth |
| **Channel** | auth.log |
| **Provider** | pam |
| **Fields** | <ul><li>Hostname</li><li>UserName</li><li>Daemon</li><li>Message</li><li>pam_service</li><li>pam_user</li><li>pam_unix</li><li>pam_tty</li><li>pam_ruser</li><li>pam_rhost</li><li>pam_type</li><li>pam_authtok</li><li>pam_message</li><li>uid</li><li>logname</li><li>uid</li><li>euid</li><li>tty</li><li>ruser</li><li>rhost</li></ul> |
## Log Samples
### Raw Log
```
May 18 16:41:20 hostname service: (pam_unix) authentication failure; logname= uid=33 euid=33 tty= ruser= rhost= user=root
```
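Review bot: `uid` appears twice in the Fields list, and `pam_unix` is listed as a field although in the sample it is the module name in parentheses rather than a key/value pair; drop the duplicate and either name a field for the module (for example `pam_module`) or remove the entry.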

View File

@ -0,0 +1,25 @@
| Title | DN_0096_linux_named_client_security_log |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Linux named (BIND) messages relating to client access and security |
| **Logging Policy** | <ul><li>[LP0034_linux_named_client_security_log](../Logging_Policies/LP0034_linux_named_client_security_log.md)</li></ul> |
| **References** | <ul><li>[https://kb.isc.org/docs/aa-01526](https://kb.isc.org/docs/aa-01526)</li><li>[http://jhurani.com/linux/2013/02/12/named-disable-xfer.html](http://jhurani.com/linux/2013/02/12/named-disable-xfer.html)</li></ul> |
| **Platform** | Linux |
| **Type** | client_security_log |
| **Channel** | client_security_log |
| **Provider** | named |
| **Fields** | <ul><li>Hostname</li><li>ClientIP</li><li>ClientPort</li><li>ZoneTransferDomain</li><li>Message</li></ul> |
## Log Samples
### Raw Log
```
28-Aug-2019 02:03:13.739 security: error: client 192.168.0.2#53274 (atc.local): zone transfer 'atc.local/AXFR/IN' denied
```

View File

@ -0,0 +1,25 @@
| Title | DN_0097_linux_daemon_log |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The daemons log at /var/log/daemon.log and contains information about running system and application daemons |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://help.ubuntu.com/community/LinuxLogFiles](https://help.ubuntu.com/community/LinuxLogFiles)</li></ul> |
| **Platform** | Linux |
| **Type** | daemon |
| **Channel** | daemon.log |
| **Provider** | many |
| **Fields** | <ul><li>Hostname</li><li>Daemon</li><li>Program</li><li>Message</li></ul> |
## Log Samples
### Raw Log
```
Aug 28 23:39:09 debian-9-x64-atc named[32010]: exiting (due to fatal error)
```
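Review bot: grammar in the Description: "The daemons log at /var/log/daemon.log and contains information about running system and application daemons" should read "The daemon log at /var/log/daemon.log contains information about running system and application daemons".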

View File

@ -0,0 +1,25 @@
| Title | DN_0098_linux_vsftpd_log |
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | vsftpd (FTP server) log |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://en.wikipedia.org/wiki/Vsftpd](https://en.wikipedia.org/wiki/Vsftpd)</li><li>[https://security.appspot.com/vsftpd.html](https://security.appspot.com/vsftpd.html)</li></ul> |
| **Platform** | Linux |
| **Type** | vsftpd.log |
| **Channel** | vsftpd.log |
| **Provider** | vsftpd |
| **Fields** | <ul><li>Hostname</li><li>Daemon</li><li>Program</li><li>ClientIP</li><li>PID</li><li>Message</li></ul> |
## Log Samples
### Raw Log
```
Sat Jun 2 11:20:19 2018 [pid 3616] CONNECT: Client "ip", "Connection refused: too many sessions for this address."
```
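Review bot: the sample uses the literal `"ip"` where vsftpd writes the client address, so the `ClientIP` field cannot be tested against it; use a documentation-range address (for example 192.0.2.10) so field extraction can be verified. The line also carries no hostname although `Hostname` is in the Fields list; if the log is expected to arrive via syslog with a host prefix, say so in Type/Channel.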

Some files were not shown because too many files have changed in this diff