revert data naming scheme

Yugoslavskiy Daniil 2020-11-04 16:02:52 +01:00
parent 7ffa14d1c4
commit d361284407
61 changed files with 59 additions and 186 deletions

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Windows process creation log, not including command line |
| **Logging Policy** | <ul><li>[LP0001_windows_audit_process_creation](../Logging_Policies/LP0001_windows_audit_process_creation.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
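Review bot: the relative link target in this hunk moves from `../Logging_Policies/LP0001_windows_audit_process_creation.md` to `../Logging_Policies/LP_0001_windows_audit_process_creation.md`, which only resolves if the Logging_Policies file itself is renamed to the LP_ scheme in the same commit; the commit message ("revert data naming scheme") does not say so, and with 61 files touched it is easy to miss one, so please confirm every LP file referenced in these hunks was renamed (a relative-link check over this directory and Logging_Policies before merge would catch any stragglers).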

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Windows process creation log, including command line |
| **Logging Policy** | <ul><li>[LP0001_windows_audit_process_creation](../Logging_Policies/LP0001_windows_audit_process_creation.md)</li><li>[LP0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP0002_windows_audit_process_creation_with_commandline.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0001_windows_audit_process_creation](../Logging_Policies/LP_0001_windows_audit_process_creation.md)</li><li>[LP_0002_windows_audit_process_creation_with_commandline](../Logging_Policies/LP_0002_windows_audit_process_creation_with_commandline.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4688.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Windows process creation log, including command line |
| **Logging Policy** | <ul><li>[LP0003_windows_sysmon_process_creation](../Logging_Policies/LP0003_windows_sysmon_process_creation.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0003_windows_sysmon_process_creation](../Logging_Policies/LP_0003_windows_sysmon_process_creation.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | An account was successfully logged on |
| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4624.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4624.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | TCP/UDP connections made by a process |
| **Logging Policy** | <ul><li>[LP0005_windows_sysmon_network_connection](../Logging_Policies/LP0005_windows_sysmon_network_connection.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0005_windows_sysmon_network_connection](../Logging_Policies/LP_0005_windows_sysmon_network_connection.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90003)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-3.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The image loaded event logs when a module is loaded in a specific process |
| **Logging Policy** | <ul><li>[LP0006_windows_sysmon_image_loaded](../Logging_Policies/LP0006_windows_sysmon_image_loaded.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0006_windows_sysmon_image_loaded](../Logging_Policies/LP_0006_windows_sysmon_image_loaded.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90007)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-7.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The process accessed event reports when a process opens another process, an operation thats often followed by information queries or reading and writing the address space of the target process |
| **Logging Policy** | <ul><li>[LP0007_windows_sysmon_ProcessAccess](../Logging_Policies/LP0007_windows_sysmon_ProcessAccess.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0007_windows_sysmon_ProcessAccess](../Logging_Policies/LP_0007_windows_sysmon_ProcessAccess.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90010)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-10.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
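Review bot: style: "an operation thats often followed by" in the Description context line is missing an apostrophe ("that's"); since the file is being rewritten anyway, worth fixing in the same commit.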

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection |
| **Logging Policy** | <ul><li>[LP0008_windows_sysmon_FileCreate](../Logging_Policies/LP0008_windows_sysmon_FileCreate.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0008_windows_sysmon_FileCreate](../Logging_Policies/LP_0008_windows_sysmon_FileCreate.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-11.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates when a named pipe is created. Malware often uses named pipes for interprocess communication |
| **Logging Policy** | <ul><li>[LP0009_windows_sysmon_PipeEvent](../Logging_Policies/LP0009_windows_sysmon_PipeEvent.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0009_windows_sysmon_PipeEvent](../Logging_Policies/LP_0009_windows_sysmon_PipeEvent.md)</li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-17.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90017)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event logs when a named pipe connection is made between a client and a server |
| **Logging Policy** | <ul><li>[LP0009_windows_sysmon_PipeEvent](../Logging_Policies/LP0009_windows_sysmon_PipeEvent.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0009_windows_sysmon_PipeEvent](../Logging_Policies/LP_0009_windows_sysmon_PipeEvent.md)</li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-18.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90018)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression |
| **Logging Policy** | <ul><li>[LP0010_windows_sysmon_WmiEvent](../Logging_Policies/LP0010_windows_sysmon_WmiEvent.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0010_windows_sysmon_WmiEvent](../Logging_Policies/LP_0010_windows_sysmon_WmiEvent.md)</li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-19.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90019)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event logs the registration of WMI consumers, recording the consumer name, log, and destination |
| **Logging Policy** | <ul><li>[LP0010_windows_sysmon_WmiEvent](../Logging_Policies/LP0010_windows_sysmon_WmiEvent.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0010_windows_sysmon_WmiEvent](../Logging_Policies/LP_0010_windows_sysmon_WmiEvent.md)</li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-20.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90020)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | When a consumer binds to a filter, this event logs the consumer name and filter path |
| **Logging Policy** | <ul><li>[LP0010_windows_sysmon_WmiEvent](../Logging_Policies/LP0010_windows_sysmon_WmiEvent.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0010_windows_sysmon_WmiEvent](../Logging_Policies/LP_0010_windows_sysmon_WmiEvent.md)</li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-21.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90021)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | A directory service object was modified |
| **Logging Policy** | <ul><li>[LP0025_windows_audit_directory_service_changes](../Logging_Policies/LP0025_windows_audit_directory_service_changes.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0025_windows_audit_directory_service_changes](../Logging_Policies/LP_0025_windows_audit_directory_service_changes.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5136.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | User object is changed |
| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0026_windows_audit_user_account_management](../Logging_Policies/LP_0026_windows_audit_user_account_management.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4738.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Directory Services Restore Mode (DSRM) administrator password is changed |
| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0026_windows_audit_user_account_management](../Logging_Policies/LP_0026_windows_audit_user_account_management.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | A handle was requested for either an Active Directory object or a Security Account Manager (SAM) object |
| **Logging Policy** | <ul><li>[LP0027_windows_audit_directory_service_access](../Logging_Policies/LP0027_windows_audit_directory_service_access.md)</li><li>[LP0028_windows_audit_sam](../Logging_Policies/LP0028_windows_audit_sam.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0027_windows_audit_directory_service_access](../Logging_Policies/LP_0027_windows_audit_directory_service_access.md)</li><li>[LP_0028_windows_audit_sam](../Logging_Policies/LP_0028_windows_audit_sam.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4794.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
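Review bot: the References row in this hunk points at `event-4794.md` (the DSRM administrator password change doc), the exact URL used by the previous entry, while the Description here is "A handle was requested for either an Active Directory object or a Security Account Manager (SAM) object"; this looks like a copy-paste and should be corrected to the windows-itpro-docs auditing page for the event that description belongs to (4661, "A handle to an object was requested", in the same auditing folder), pinned to the same commit as the other references.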

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | An operation was performed on an Active Directory object |
| **Logging Policy** | <ul><li>[LP0027_windows_audit_directory_service_access](../Logging_Policies/LP0027_windows_audit_directory_service_access.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0027_windows_audit_directory_service_access](../Logging_Policies/LP_0027_windows_audit_directory_service_access.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-4662.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Network share object (file or folder) was accessed. Detailed log with AccessReason and RelativeTargetName |
| **Logging Policy** | <ul><li>[LP0029_windows_audit_detailed_file_share](../Logging_Policies/LP0029_windows_audit_detailed_file_share.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0029_windows_audit_detailed_file_share](../Logging_Policies/LP_0029_windows_audit_detailed_file_share.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5145.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Network share object (file or folder) was accessed |
| **Logging Policy** | <ul><li>[LP0030_windows_audit_file_share](../Logging_Policies/LP0030_windows_audit_file_share.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0030_windows_audit_file_share](../Logging_Policies/LP_0030_windows_audit_file_share.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/event-5140.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event records script |
| **Logging Policy** | <ul><li>[LP0109_windows_powershell_script_block_logging](../Logging_Policies/LP0109_windows_powershell_script_block_logging.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0109_windows_powershell_script_block_logging](../Logging_Policies/LP_0109_windows_powershell_script_block_logging.md)</li></ul> |
| **References** | <ul><li>[https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4104.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4104.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
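Review bot: the Description context line "This event records script" is cut off; the policy on the next row (LP_0109_windows_powershell_script_block_logging) and the event-4104 OSSEM reference show this is the script block logging event, so the description should say what is recorded (e.g. "This event records the contents of PowerShell script blocks as they are executed"), and a one-line fix fits in this commit since the file is already being touched.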

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event records pipeline execution, including variable initialization and command command invocations. |
| **Logging Policy** | <ul><li>[LP0108_windows_powershell_module_logging](../Logging_Policies/LP0108_windows_powershell_module_logging.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0108_windows_powershell_module_logging](../Logging_Policies/LP_0108_windows_powershell_module_logging.md)</li></ul> |
| **References** | <ul><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4103.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/powershell/events/event-4103.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
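Review bot: "including variable initialization and command command invocations" in the Description context line repeats a word; suggest "including variable initialization and command invocations".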

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | User successfully logged on to a computer |
| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Logon Failure - Unknown user name or bad password |
| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=529](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=529)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Kerberos pre-authentication failed |
| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Linux auditd log of process (binary) execution (execeve syscall) with command line arguments |
| **Logging Policy** | <ul><li>[LP0031_linux_auditd_execve](../Logging_Policies/LP0031_linux_auditd_execve.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0031_linux_auditd_execve](../Logging_Policies/LP_0031_linux_auditd_execve.md)</li></ul> |
| **References** | <ul><li>[https://github.com/linux-audit/audit-documentation](https://github.com/linux-audit/audit-documentation)</li><li>[https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv](https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv)</li><li>[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference)</li></ul> |
| **Platform** | Linux |
| **Type** | EXECVE |
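Review bot: "execeve syscall" in the Description context line is a typo for "execve"; the policy name on the following row (LP_0031_linux_auditd_execve) and the Type row (EXECVE) spell it correctly, so the description should match.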

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Linux auditd log of read access to file |
| **Logging Policy** | <ul><li>[LP0034_linux_auditd_read_access_to_file](../Logging_Policies/LP0034_linux_auditd_read_access_to_file.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0034_linux_auditd_read_access_to_file](../Logging_Policies/LP_0034_linux_auditd_read_access_to_file.md)</li></ul> |
| **References** | <ul><li>[https://github.com/linux-audit/audit-documentation](https://github.com/linux-audit/audit-documentation)</li><li>[https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv](https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv)</li><li>[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference)</li></ul> |
| **Platform** | Linux |
| **Type** | PATH |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Linux auditd log of specific system call (syscall) |
| **Logging Policy** | <ul><li>[LP0033_linux_auditd_syscall](../Logging_Policies/LP0033_linux_auditd_syscall.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0033_linux_auditd_syscall](../Logging_Policies/LP_0033_linux_auditd_syscall.md)</li></ul> |
| **References** | <ul><li>[https://github.com/linux-audit/audit-documentation](https://github.com/linux-audit/audit-documentation)</li><li>[https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv](https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv)</li><li>[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/app-audit_reference)</li><li>[https://access.redhat.com/solutions/36278](https://access.redhat.com/solutions/36278)</li><li>[https://filippo.io/linux-syscall-table/](https://filippo.io/linux-syscall-table/)</li></ul> |
| **Platform** | Linux |
| **Type** | SYSCALL |

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | An account failed to log on |
| **Logging Policy** | <ul><li>[LP0004_windows_audit_logon](../Logging_Policies/LP0004_windows_audit_logon.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0004_windows_audit_logon](../Logging_Policies/LP_0004_windows_audit_logon.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4625.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
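Review bot: the Reference in this hunk links to `blob/master/` in windows-itpro-docs, whereas every earlier Microsoft reference in this commit pins to commit 95b9d7c01805839c067e352d1d16702604b15f11; an unpinned master link can silently change or break when the docs are reorganised, so consider pinning this one (and the 4656, 4657, 4658 and 4660 entries that follow, which use the same master path) to a fixed revision for consistency.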

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. If access was declined, a Failure event is generated. This event generates only if the objects SACL has the required ACE to handle the use of specific access rights |
| **Logging Policy** | <ul><li>[LP0104_windows_audit_removable_storage](../Logging_Policies/LP0104_windows_audit_removable_storage.md)</li><li>[LP0039_windows_audit_kernel_object](../Logging_Policies/LP0039_windows_audit_kernel_object.md)</li><li>[LP0102_windows_audit_file_system](../Logging_Policies/LP0102_windows_audit_file_system.md)</li><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0104_windows_audit_removable_storage](../Logging_Policies/LP_0104_windows_audit_removable_storage.md)</li><li>[LP_0039_windows_audit_kernel_object](../Logging_Policies/LP_0039_windows_audit_kernel_object.md)</li><li>[LP_0102_windows_audit_file_system](../Logging_Policies/LP_0102_windows_audit_file_system.md)</li><li>[LP_0103_windows_audit_registry](../Logging_Policies/LP_0103_windows_audit_registry.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4656.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
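Review bot: style: "the objects SACL" in the Description context line should read "the object's SACL"; also, the four policies in the Logging Policy row are listed as LP_0104, LP_0039, LP_0102, LP_0103, and sorting them ascending would make rename diffs like this one easier to compare against the other entries.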

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates when a registry key value was modified. It doesn't generate when a registry key was modified. This event generates only if "Set Value" auditing is set in registry keys SACL |
| **Logging Policy** | <ul><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0103_windows_audit_registry](../Logging_Policies/LP_0103_windows_audit_registry.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4657.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
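Review bot: style: "is set in registry keys SACL" in the Description context line should read "is set in the registry key's SACL".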

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. This event generates only if Success auditing is enabled for Audit Handle Manipulation subcategory. Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance |
| **Logging Policy** | <ul><li>[LP0102_windows_audit_file_system](../Logging_Policies/LP0102_windows_audit_file_system.md)</li><li>[LP0042_windows_audit_handle_manipulation](../Logging_Policies/LP0042_windows_audit_handle_manipulation.md)</li><li>[LP0039_windows_audit_kernel_object](../Logging_Policies/LP0039_windows_audit_kernel_object.md)</li><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li><li>[LP0104_windows_audit_removable_storage](../Logging_Policies/LP0104_windows_audit_removable_storage.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0102_windows_audit_file_system](../Logging_Policies/LP_0102_windows_audit_file_system.md)</li><li>[LP_0042_windows_audit_handle_manipulation](../Logging_Policies/LP_0042_windows_audit_handle_manipulation.md)</li><li>[LP_0039_windows_audit_kernel_object](../Logging_Policies/LP_0039_windows_audit_kernel_object.md)</li><li>[LP_0103_windows_audit_registry](../Logging_Policies/LP_0103_windows_audit_registry.md)</li><li>[LP_0104_windows_audit_removable_storage](../Logging_Policies/LP_0104_windows_audit_removable_storage.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4658.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
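Review bot: the Logging Policy row changes both the link text and the target path, `LP0102_...` to `LP_0102_...` under `../Logging_Policies/`, but this hunk only shows the referencing side; the links resolve only if the policy files themselves were renamed in the same change, so confirm every `LP_0nnn_*.md` target exists before merging or each data-needed page ships with dead links. The commit title "revert data naming scheme" also does not say which scheme is being restored; a one-line `LP0102 -> LP_0102` in the message would save the next reader a full diff read.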

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates when an object was deleted. The object could be a file system, kernel, or registry object. This event generates only if "Delete" auditing is set in objects SACL. This event doesnt contain the name of the deleted object (only the Handle ID). It is better to use "4663(S): An attempt was made to access an object" with DELETE access to track object deletion. The advantage of this event is that its generated only during real delete operations. In contrast, "4663(S): An attempt was made to access an object" also generates during other actions, such as object renaming |
| **Logging Policy** | <ul><li>[LP0102_windows_audit_file_system](../Logging_Policies/LP0102_windows_audit_file_system.md)</li><li>[LP0039_windows_audit_kernel_object](../Logging_Policies/LP0039_windows_audit_kernel_object.md)</li><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0102_windows_audit_file_system](../Logging_Policies/LP_0102_windows_audit_file_system.md)</li><li>[LP_0039_windows_audit_kernel_object](../Logging_Policies/LP_0039_windows_audit_kernel_object.md)</li><li>[LP_0103_windows_audit_registry](../Logging_Policies/LP_0103_windows_audit_registry.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4660.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4660.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. This event generates only if objects SACL has required ACE to handle specific access right use. The main difference with "4656: A handle to an object was requested." event is that 4663 shows that access right was used instead of just requested and 4663 doesnt have Failure events |
| **Logging Policy** | <ul><li>[LP0102_windows_audit_file_system](../Logging_Policies/LP0102_windows_audit_file_system.md)</li><li>[LP0039_windows_audit_kernel_object](../Logging_Policies/LP0039_windows_audit_kernel_object.md)</li><li>[LP0103_windows_audit_registry](../Logging_Policies/LP0103_windows_audit_registry.md)</li><li>[LP0104_windows_audit_removable_storage](../Logging_Policies/LP0104_windows_audit_removable_storage.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0102_windows_audit_file_system](../Logging_Policies/LP_0102_windows_audit_file_system.md)</li><li>[LP_0039_windows_audit_kernel_object](../Logging_Policies/LP_0039_windows_audit_kernel_object.md)</li><li>[LP_0103_windows_audit_registry](../Logging_Policies/LP_0103_windows_audit_registry.md)</li><li>[LP_0104_windows_audit_removable_storage](../Logging_Policies/LP_0104_windows_audit_removable_storage.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4663.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | A service was installed in the system |
| **Logging Policy** | <ul><li>[LP0100_windows_audit_security_system_extension](../Logging_Policies/LP0100_windows_audit_security_system_extension.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0100_windows_audit_security_system_extension](../Logging_Policies/LP_0100_windows_audit_security_system_extension.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time a new scheduled task is created |
| **Logging Policy** | <ul><li>[LP0041_windows_audit_other_object_access_events](../Logging_Policies/LP0041_windows_audit_other_object_access_events.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0041_windows_audit_other_object_access_events](../Logging_Policies/LP_0041_windows_audit_other_object_access_events.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4698.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4698.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time a scheduled task is disabled |
| **Logging Policy** | <ul><li>[LP0041_windows_audit_other_object_access_events](../Logging_Policies/LP0041_windows_audit_other_object_access_events.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0041_windows_audit_other_object_access_events](../Logging_Policies/LP_0041_windows_audit_other_object_access_events.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4701.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time local user right policy is changed and user right was assigned to an account. You will see unique event for every user |
| **Logging Policy** | <ul><li>[LP0105_windows_audit_authorization_policy_change](../Logging_Policies/LP0105_windows_audit_authorization_policy_change.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0105_windows_audit_authorization_policy_change](../Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4704.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4704.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Member was added to a security-enabled global group |
| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0101_windows_audit_security_group_management](../Logging_Policies/LP_0101_windows_audit_security_group_management.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time a new member was added to a security-enabled (security) local group. This event generates on domain controllers, member servers, and workstations |
| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0101_windows_audit_security_group_management](../Logging_Policies/LP_0101_windows_audit_security_group_management.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4732.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time a security-enabled (security) local group is changed. This event generates on domain controllers, member servers, and workstations |
| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0101_windows_audit_security_group_management](../Logging_Policies/LP_0101_windows_audit_security_group_management.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4735.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4735.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Security-enabled global group was changed |
| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0101_windows_audit_security_group_management](../Logging_Policies/LP_0101_windows_audit_security_group_management.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4737](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4737)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Security-enabled universal group was changed |
| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0101_windows_audit_security_group_management](../Logging_Policies/LP_0101_windows_audit_security_group_management.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4755](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4755)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Member was added to a security-enabled universal group |
| **Logging Policy** | <ul><li>[LP0101_windows_audit_security_group_management](../Logging_Policies/LP0101_windows_audit_security_group_management.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0101_windows_audit_security_group_management](../Logging_Policies/LP_0101_windows_audit_security_group_management.md)</li></ul> |
| **References** | <ul><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4756](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4756)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | SID History was added to an account |
| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0026_windows_audit_user_account_management](../Logging_Policies/LP_0026_windows_audit_user_account_management.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | An attempt to add SID History to an account failed |
| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0026_windows_audit_user_account_management](../Logging_Policies/LP_0026_windows_audit_user_account_management.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). This event generates only on domain controllers. If TGT issue fails then you will see Failure event with Result Code field not equal to "0x0" |
| **Logging Policy** | <ul><li>[LP0038_windows_audit_kerberos_authentication_service](../Logging_Policies/LP0038_windows_audit_kerberos_authentication_service.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0038_windows_audit_kerberos_authentication_service](../Logging_Policies/LP_0038_windows_audit_kerberos_authentication_service.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4768.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request. This event generates only on domain controllers. If TGS issue fails then you will see Failure event with Failure Code field not equal to "0x0" |
| **Logging Policy** | <ul><li>[LP0106_windows_audit_kerberos_service_ticket_operations](../Logging_Policies/LP0106_windows_audit_kerberos_service_ticket_operations.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0106_windows_audit_kerberos_service_ticket_operations](../Logging_Policies/LP_0106_windows_audit_kerberos_service_ticket_operations.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4769.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesnt have a certificate installed for smart card authentication (for example, with a "Domain Controller" or "Domain Controller Authentication" template), the users password has expired, or the wrong password was provided. This event generates only on domain controllers |
| **Logging Policy** | <ul><li>[LP0038_windows_audit_kerberos_authentication_service](../Logging_Policies/LP0038_windows_audit_kerberos_authentication_service.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0038_windows_audit_kerberos_authentication_service](../Logging_Policies/LP_0038_windows_audit_kerberos_authentication_service.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates every time that a credential validation occurs using NTLM authentication. This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative |
| **Logging Policy** | <ul><li>[LP0107_windows_audit_credential_validation](../Logging_Policies/LP0107_windows_audit_credential_validation.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0107_windows_audit_credential_validation](../Logging_Policies/LP_0107_windows_audit_credential_validation.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4776.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4776.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked. Actually it's just event about NTLM authentication, it doesn't necessary supposed to be blocked. Blocked NTLM auth is the same provider but Event ID 4002 |
| **Logging Policy** | <ul><li>[LP0044_windows_ntlm_audit](../Logging_Policies/LP0044_windows_ntlm_audit.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0044_windows_ntlm_audit](../Logging_Policies/LP_0044_windows_ntlm_audit.md)</li></ul> |
| **References** | <ul><li>[https://twitter.com/JohnLaTwC/status/1004895902010507266](https://twitter.com/JohnLaTwC/status/1004895902010507266)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |
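Review bot: the Description on the context line above, "Actually it's just event about NTLM authentication, it doesn't necessary supposed to be blocked", is ungrammatical and buries the useful distinction; suggest "This event only records an incoming NTLM authentication; it does not mean the authentication was blocked. Blocked NTLM authentication is logged by the same provider as Event ID 4002." That keeps the 4002 cross-reference the page already gives and reads cleanly in the table cell.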

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | This event generates when a process executes a DNS query, whether the result is successful or fails, cached or not |
| **Logging Policy** | <ul><li>[LP0011_windows_sysmon_DnsQuery](../Logging_Policies/LP0011_windows_sysmon_DnsQuery.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0011_windows_sysmon_DnsQuery](../Logging_Policies/LP_0011_windows_sysmon_DnsQuery.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-22-dnsevent-dns-query](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-22-dnsevent-dns-query)</li><li>[https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-22.md](https://github.com/Cyb3rWard0g/OSSEM/blob/master/data_dictionaries/windows/sysmon/event-22.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Applications and Services Logs |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | A user account was created |
| **Logging Policy** | <ul><li>[LP0026_windows_audit_user_account_management](../Logging_Policies/LP0026_windows_audit_user_account_management.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0026_windows_audit_user_account_management](../Logging_Policies/LP_0026_windows_audit_user_account_management.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4720.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4720.md)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The Windows Filtering Platform has permitted a connection |
| **Logging Policy** | <ul><li>[LP0045_windows_audit_filtering_platform_connection](../Logging_Policies/LP0045_windows_audit_filtering_platform_connection.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0045_windows_audit_filtering_platform_connection](../Logging_Policies/LP_0045_windows_audit_filtering_platform_connection.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | The system time was changed |
| **Logging Policy** | <ul><li>[LP0046_windows_audit_security_state_change](../Logging_Policies/LP0046_windows_audit_security_state_change.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0046_windows_audit_security_state_change](../Logging_Policies/LP_0046_windows_audit_security_state_change.md)</li></ul> |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Linux named (BIND) messages relating to client access and security |
| **Logging Policy** | <ul><li>[LP0034_linux_named_client_security_log](../Logging_Policies/LP0034_linux_named_client_security_log.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0034_linux_named_client_security_log](../Logging_Policies/LP_0034_linux_named_client_security_log.md)</li></ul> |
| **References** | <ul><li>[https://kb.isc.org/docs/aa-01526](https://kb.isc.org/docs/aa-01526)</li><li>[http://jhurani.com/linux/2013/02/12/named-disable-xfer.html](http://jhurani.com/linux/2013/02/12/named-disable-xfer.html)</li></ul> |
| **Platform** | Linux |
| **Type** | client_security_log |

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | DNS Query from BIND Server |
| **Logging Policy** | <ul><li>[LP0047_BIND_DNS_queries](../Logging_Policies/LP0047_BIND_DNS_queries.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0047_BIND_DNS_queries](../Logging_Policies/LP_0047_BIND_DNS_queries.md)</li></ul> |
| **References** | <ul><li>[None](None)</li></ul> |
| **Platform** | Linux |
| **Type** | queries log |
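Review bot: the References cell is `[None](None)`, which renders as a hyperlink to a relative path named "None" rather than as the absence of a reference; emit plain text `None` or leave the cell empty when the source list is empty. The same pattern appears in the Passive DNS data-needed page further down, so the fix belongs in whatever template or generator produces these tables rather than in the two files individually.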

View File

@ -2,7 +2,7 @@
|:-------------------|:------------------|
| **Author** | @atc_project |
| **Description** | Log from Passive DNS |
| **Logging Policy** | <ul><li>[LP0048_Passive_DNS_logging](../Logging_Policies/LP0048_Passive_DNS_logging.md)</li></ul> |
| **Logging Policy** | <ul><li>[LP_0048_Passive_DNS_logging](../Logging_Policies/LP_0048_Passive_DNS_logging.md)</li></ul> |
| **References** | <ul><li>[None](None)</li></ul> |
| **Platform** | Linux |
| **Type** | queries log |

@ -1 +1 @@
Subproject commit 83057f4488275c5d5e32aaa24fc21c0ce1a2667c
Subproject commit cebc3ae76f99639685ba0706301dc3a5e05c8779
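Review bot: this hunk moves a submodule pointer from `83057f4488275c5d5e32aaa24fc21c0ce1a2667c` to `cebc3ae76f99639685ba0706301dc3a5e05c8779` inside a commit titled "revert data naming scheme"; a submodule bump changes what downstream checkouts pull and is easy to miss among rename hunks, so either split it into its own commit or state in the commit message which submodule moved and why.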

View File

@ -1,59 +0,0 @@
title: DN_0044_1000_application_crashed
description: >
This is a very generic error and it doesn't tell much about what caused it. Some applications may fail with this error when the system is left unstable by another faulty program.
loggingpolicy:
- none
references:
- https://www.morgantechspace.com/2014/12/event-id-1000-application-error.html
category: OS Logs
platform: Windows
type: Windows Log
channel: Application
provider: Application Error
fields:
- EventID
- Hostname # redundant
- Computer
- FaultingApplicationName
- FaultingModuleName
- ExceptionCode
- FaultOffset
- FaultingProcessId
- FaultingApplicationStartTime
- FaultingApplicationPath
- FaultingModulePath
- ReportId
- FaultingPackageFullName
- FaultingPackage-relativeApplicationID
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-01-01T15:49:38.973342200Z" />
<EventRecordID>6724</EventRecordID>
<Channel>Application</Channel>
<Computer>WD0000.eu.windows.com</Computer>
<Security />
</System>
- <EventData>
<Data>IntelAudioService.exe</Data>
<Data>1.0.46.0</Data>
<Data>59afa72c</Data>
<Data>KERNELBASE.dll</Data>
<Data>10.0.17134.441</Data>
<Data>428de48c</Data>
<Data>e06d7363</Data>
<Data>000000000003a388</Data>
<Data>1240</Data>
<Data>01d49e823bbf0b3b</Data>
<Data>C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe</Data>
<Data>C:\WINDOWS\System32\KERNELBASE.dll</Data>
<Data>6220b181-a7a0-4c44-9046-d8ce090d3a86</Data>
<Data />
<Data />
</EventData>
</Event>
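Review bot: this hunk (`@ -1,59 +0,0`) deletes the whole `DN_0044_1000_application_crashed` file rather than renaming anything, which is outside the scope of a naming-scheme revert and is not mentioned in the commit message. If the removal is intentional, the file has `loggingpolicy: - none`, so "drop data-needed entries with no logging policy" may be the reason; say so in the message or move the deletion to its own commit so it is not hidden among the link renames.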

View File

@ -1,68 +0,0 @@
title: DN_0045_1001_windows_error_reporting
description: >
When application fails, the result is recorded as an informational event in the Application log by Windows Error Reporting as event 1001.
loggingpolicy:
- none
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754364(v=ws.11)
- https://social.technet.microsoft.com/wiki/contents/articles/3116.event-id-1001-windows-error-reporting.aspx?Sort=MostRecent&PageIndex=1
category: OS Logs
platform: Windows
type: Windows Log
channel: Application
provider: Windows Error Reporting
fields:
- EventID
- Hostname # redundant
- Computer
- EventName
- Response
- CabId
- ProblemSignature
- AttachedFiles
- Thesefilesmaybeavailablehere
- AnalysisSymbol
- RecheckingForSolution
- ReportId
- ReportStatus
- HashedBucket
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Windows Error Reporting" />
<EventID Qualifiers="0">1001</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-01-08T14:01:18.909425000Z" />
<EventRecordID>11279</EventRecordID>
<Channel>Application</Channel>
<Computer>WD00000.eu.windows.com</Computer>
<Security />
</System>
- <EventData>
<Data>2005798148961969216</Data>
<Data>5</Data>
<Data>StoreAgentScanForUpdatesFailure0</Data>
<Data>Not available</Data>
<Data>0</Data>
<Data>Update;</Data>
<Data>8024402c</Data>
<Data>16299</Data>
<Data>847</Data>
<Data>Windows.Desktop</Data>
<Data />
<Data />
<Data />
<Data />
<Data />
<Data>\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER81F.tmp.WERInternalMetadata.xml</Data>
<Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_ba86f388d190af6963dbd95b33715448fcb6fd5_00000000_27442451</Data>
<Data />
<Data>0</Data>
<Data>0885fc8a-5383-4c50-b209-7c570832b8bf</Data>
<Data>268435556</Data>
<Data>e7b725b96c0bab97abd606ca1003a440</Data>
</EventData>
</Event>
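Review bot: this hunk (`@ -1,68 +0,0`) also deletes an entire data-needed file, `DN_0045_1001_windows_error_reporting`, under a commit titled as a naming revert, again with `loggingpolicy: - none`. A reader later looking for why the WER 1001 page disappeared will not find it from this title; note the removal and its reason in the commit message, or land both file deletions in a separate, clearly titled commit.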