From d36128440741b59d00473f5b1a295313dec94109 Mon Sep 17 00:00:00 2001 
From: Yugoslavskiy Daniil
Date: Wed, 4 Nov 2020 16:02:52 +0100
Subject: [PATCH] revert data naming scheme

---
 .../DN_0001_4688_windows_process_creation.md | 2 +-
 ...ndows_process_creation_with_commandline.md | 2 +-
 ..._0003_1_windows_sysmon_process_creation.md | 2 +-
 .../DN_0004_4624_windows_account_logon.md | 2 +-
 ...007_3_windows_sysmon_network_connection.md | 2 +-
 .../DN_0011_7_windows_sysmon_image_loaded.md | 2 +-
 ...DN_0014_10_windows_sysmon_ProcessAccess.md | 2 +-
 .../DN_0015_11_windows_sysmon_FileCreate.md | 2 +-
 .../DN_0020_17_windows_sysmon_PipeEvent.md | 2 +-
 .../DN_0021_18_windows_sysmon_PipeEvent.md | 2 +-
 .../DN_0022_19_windows_sysmon_WmiEvent.md | 2 +-
 .../DN_0023_20_windows_sysmon_WmiEvent.md | 2 +-
 .../DN_0024_21_windows_sysmon_WmiEvent.md | 2 +-
 ...s_directory_service_object_was_modified.md | 2 +-
 .../DN_0027_4738_user_account_was_changed.md | 2 +-
 ...ervices_restore_mode_admin_password_set.md | 2 +-
 ..._4661_handle_to_an_object_was_requested.md | 2 +-
 ...62_operation_was_performed_on_an_object.md | 2 +-
 ...work_share_object_was_accessed_detailed.md | 2 +-
 ..._5140_network_share_object_was_accessed.md | 2 +-
 ...36_4104_windows_powershell_script_block.md | 2 +-
 ...3_windows_powershell_executing_pipeline.md | 2 +-
 ...er_successfully_logged_on_to_a_computer.md | 2 +-
 .../Data_Needed/DN_0041_529_logon_failure.md | 2 +-
 ...2_675_kerberos_preauthentication_failed.md | 2 +-
 .../DN_0054_linux_auditd_execve.md | 2 +-
 ...N_0055_linux_auditd_read_access_to_file.md | 2 +-
 .../DN_0056_linux_auditd_syscall.md | 2 +-
 .../DN_0057_4625_account_failed_to_logon.md | 2 +-
 ..._4656_handle_to_an_object_was_requested.md | 2 +-
 ...N_0059_4657_registry_value_was_modified.md | 2 +-
 ...060_4658_handle_to_an_object_was_closed.md | 2 +-
 .../DN_0061_4660_object_was_deleted.md | 2 +-
 ...63_attempt_was_made_to_access_an_object.md | 2 +-
 ...697_service_was_installed_in_the_system.md | 2 +-
 ...DN_0064_4698_scheduled_task_was_created.md | 2 +-
 ...N_0065_4701_scheduled_task_was_disabled.md | 2 +-
 .../DN_0066_4704_user_right_was_assigned.md | 2 +-
 ..._added_to_security_enabled_global_group.md | 2 +-
 ...s_added_to_security_enabled_local_group.md | 2 +-
 ...ecurity_enabled_local_group_was_changed.md | 2 +-
 ...curity_enabled_global_group_was_changed.md | 2 +-
 ...ity_enabled_universal_group_was_changed.md | 2 +-
 ...d_to_a_security_enabled_universal_group.md | 2 +-
 ...765_sid_history_was_added_to_an_account.md | 2 +-
 ...to_add_sid_history_to_an_account_failed.md | 2 +-
 ...ros_authentication_ticket_was_requested.md | 2 +-
 ...9_kerberos_service_ticket_was_requested.md | 2 +-
 ...4771_kerberos_pre_authentication_failed.md | 2 +-
 ...validate_the_credentials_for_an_account.md | 2 +-
 .../DN_0082_8002_ntlm_server_blocked_audit.md | 2 +-
 .../DN_0085_22_windows_sysmon_DnsQuery.md | 2 +-
 .../DN_0086_4720_user_account_was_created.md | 2 +-
 ...ering_platform_has_permitted_connection.md | 2 +-
 .../DN_0088_4616_system_time_was_changed.md | 2 +-
 ...DN_0096_linux_named_client_security_log.md | 2 +-
 .../Data_Needed/DN_0099_Bind_DNS_query.md | 2 +-
 .../Data_Needed/DN_0100_Passive_DNS_log.md | 2 +-
 data/atc_data | 2 +-
 .../DN_0044_1000_application_crashed.yml | 59 ----------------
 .../DN_0045_1001_windows_error_reporting.yml | 68 -------------------
 61 files changed, 59 insertions(+), 186 deletions(-)
 delete mode 100644 data_needed/DN_0044_1000_application_crashed.yml
 delete mode 100644 data_needed/DN_0045_1001_windows_error_reporting.yml

diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0001_4688_windows_process_creation.md b/Atomic_Threat_Coverage/Data_Needed/DN_0001_4688_windows_process_creation.md
index a1e2e05..3553bd5 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0001_4688_windows_process_creation.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0001_4688_windows_process_creation.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | Windows process creation log, not including command line |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md b/Atomic_Threat_Coverage/Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md
index 5febde0..9ee7415 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | Windows process creation log, including command line |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0003_1_windows_sysmon_process_creation.md b/Atomic_Threat_Coverage/Data_Needed/DN_0003_1_windows_sysmon_process_creation.md
index e5aa718..8af43fa 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0003_1_windows_sysmon_process_creation.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0003_1_windows_sysmon_process_creation.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | Windows process creation log, including command line |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0004_4624_windows_account_logon.md b/Atomic_Threat_Coverage/Data_Needed/DN_0004_4624_windows_account_logon.md
index 80bde72..a571663 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0004_4624_windows_account_logon.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0004_4624_windows_account_logon.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | An account was successfully logged on |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0007_3_windows_sysmon_network_connection.md b/Atomic_Threat_Coverage/Data_Needed/DN_0007_3_windows_sysmon_network_connection.md
index ce968f4..8cc817d 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0007_3_windows_sysmon_network_connection.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0007_3_windows_sysmon_network_connection.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | TCP/UDP connections made by a process |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md b/Atomic_Threat_Coverage/Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md
index 12af72c..8736cff 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0011_7_windows_sysmon_image_loaded.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | The image loaded event logs when a module is loaded in a specific process |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md b/Atomic_Threat_Coverage/Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md
index f7e0dc0..ca78aa5 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | The process accessed event reports when a process opens another process, an operation that’s often followed by information queries or reading and writing the address space of the target process |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md b/Atomic_Threat_Coverage/Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md
index 81be977..0d8dca5 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md
index c33d6fd..40a3fef 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0020_17_windows_sysmon_PipeEvent.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | This event generates when a named pipe is created. Malware often uses named pipes for interprocess communication |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md
index 608f8d4..8ba3d5a 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0021_18_windows_sysmon_PipeEvent.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | This event logs when a named pipe connection is made between a client and a server |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md
index 864f29b..6f45375 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0022_19_windows_sysmon_WmiEvent.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md
index c415e13..020db5a 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0023_20_windows_sysmon_WmiEvent.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | This event logs the registration of WMI consumers, recording the consumer name, log, and destination |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md b/Atomic_Threat_Coverage/Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md
index 81fc9dc..6fdee57 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0024_21_windows_sysmon_WmiEvent.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | When a consumer binds to a filter, this event logs the consumer name and filter path |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0026_5136_windows_directory_service_object_was_modified.md b/Atomic_Threat_Coverage/Data_Needed/DN_0026_5136_windows_directory_service_object_was_modified.md
index 2f25f98..7e57ded 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0026_5136_windows_directory_service_object_was_modified.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0026_5136_windows_directory_service_object_was_modified.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | A directory service object was modified |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0027_4738_user_account_was_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0027_4738_user_account_was_changed.md
index c778489..85194ba 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0027_4738_user_account_was_changed.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0027_4738_user_account_was_changed.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | User object is changed |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0028_4794_directory_services_restore_mode_admin_password_set.md b/Atomic_Threat_Coverage/Data_Needed/DN_0028_4794_directory_services_restore_mode_admin_password_set.md
index 1093f62..004c237 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0028_4794_directory_services_restore_mode_admin_password_set.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0028_4794_directory_services_restore_mode_admin_password_set.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | Directory Services Restore Mode (DSRM) administrator password is changed |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0029_4661_handle_to_an_object_was_requested.md b/Atomic_Threat_Coverage/Data_Needed/DN_0029_4661_handle_to_an_object_was_requested.md
index 2d9dff8..48fce5b 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0029_4661_handle_to_an_object_was_requested.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0029_4661_handle_to_an_object_was_requested.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | A handle was requested for either an Active Directory object or a Security Account Manager (SAM) object |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0030_4662_operation_was_performed_on_an_object.md b/Atomic_Threat_Coverage/Data_Needed/DN_0030_4662_operation_was_performed_on_an_object.md
index 0212dc5..2a0721a 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0030_4662_operation_was_performed_on_an_object.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0030_4662_operation_was_performed_on_an_object.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | An operation was performed on an Active Directory object |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0032_5145_network_share_object_was_accessed_detailed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0032_5145_network_share_object_was_accessed_detailed.md
index 5069c7c..885c910 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0032_5145_network_share_object_was_accessed_detailed.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0032_5145_network_share_object_was_accessed_detailed.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | Network share object (file or folder) was accessed. Detailed log with AccessReason and RelativeTargetName |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0033_5140_network_share_object_was_accessed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0033_5140_network_share_object_was_accessed.md
index 6b2e5bf..736db8b 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0033_5140_network_share_object_was_accessed.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0033_5140_network_share_object_was_accessed.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | Network share object (file or folder) was accessed |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0036_4104_windows_powershell_script_block.md b/Atomic_Threat_Coverage/Data_Needed/DN_0036_4104_windows_powershell_script_block.md
index 0e75787..c8f8a7e 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0036_4104_windows_powershell_script_block.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0036_4104_windows_powershell_script_block.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | This event records script |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md b/Atomic_Threat_Coverage/Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md
index 477a7e7..c0ad764 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0037_4103_windows_powershell_executing_pipeline.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | This event records pipeline execution, including variable initialization and command command invocations. |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Applications and Services Logs |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0040_528_user_successfully_logged_on_to_a_computer.md b/Atomic_Threat_Coverage/Data_Needed/DN_0040_528_user_successfully_logged_on_to_a_computer.md
index 2ef901e..b956b12 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0040_528_user_successfully_logged_on_to_a_computer.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0040_528_user_successfully_logged_on_to_a_computer.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | User successfully logged on to a computer |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0041_529_logon_failure.md b/Atomic_Threat_Coverage/Data_Needed/DN_0041_529_logon_failure.md
index c4f1277..795d476 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0041_529_logon_failure.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0041_529_logon_failure.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | Logon Failure - Unknown user name or bad password |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0042_675_kerberos_preauthentication_failed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0042_675_kerberos_preauthentication_failed.md
index 529cc44..ab0c96e 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0042_675_kerberos_preauthentication_failed.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0042_675_kerberos_preauthentication_failed.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | Kerberos pre-authentication failed |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0054_linux_auditd_execve.md b/Atomic_Threat_Coverage/Data_Needed/DN_0054_linux_auditd_execve.md
index e3eca9d..35cb300 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0054_linux_auditd_execve.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0054_linux_auditd_execve.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | Linux auditd log of process (binary) execution (execeve syscall) with command line arguments |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Linux |
 | **Type** | EXECVE |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0055_linux_auditd_read_access_to_file.md b/Atomic_Threat_Coverage/Data_Needed/DN_0055_linux_auditd_read_access_to_file.md
index d1d01f9..532f76d 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0055_linux_auditd_read_access_to_file.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0055_linux_auditd_read_access_to_file.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | Linux auditd log of read access to file |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Linux |
 | **Type** | PATH |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0056_linux_auditd_syscall.md b/Atomic_Threat_Coverage/Data_Needed/DN_0056_linux_auditd_syscall.md
index 2470af2..0673683 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0056_linux_auditd_syscall.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0056_linux_auditd_syscall.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | Linux auditd log of specific system call (syscall) |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Linux |
 | **Type** | SYSCALL |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0057_4625_account_failed_to_logon.md b/Atomic_Threat_Coverage/Data_Needed/DN_0057_4625_account_failed_to_logon.md
index 9fa4516..af89b83 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0057_4625_account_failed_to_logon.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0057_4625_account_failed_to_logon.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | An account failed to log on |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0058_4656_handle_to_an_object_was_requested.md b/Atomic_Threat_Coverage/Data_Needed/DN_0058_4656_handle_to_an_object_was_requested.md
index 5c7bb85..3462c98 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0058_4656_handle_to_an_object_was_requested.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0058_4656_handle_to_an_object_was_requested.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. If access was declined, a Failure event is generated. This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0059_4657_registry_value_was_modified.md b/Atomic_Threat_Coverage/Data_Needed/DN_0059_4657_registry_value_was_modified.md
index c627c6f..c16072a 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0059_4657_registry_value_was_modified.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0059_4657_registry_value_was_modified.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | This event generates when a registry key value was modified. It doesn't generate when a registry key was modified. This event generates only if "Set Value" auditing is set in registry key’s SACL |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0060_4658_handle_to_an_object_was_closed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0060_4658_handle_to_an_object_was_closed.md
index c4ce6a9..f0d2f06 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0060_4658_handle_to_an_object_was_closed.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0060_4658_handle_to_an_object_was_closed.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. This event generates only if Success auditing is enabled for Audit Handle Manipulation subcategory. Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0061_4660_object_was_deleted.md b/Atomic_Threat_Coverage/Data_Needed/DN_0061_4660_object_was_deleted.md
index 266c2a4..1471402 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0061_4660_object_was_deleted.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0061_4660_object_was_deleted.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | This event generates when an object was deleted. The object could be a file system, kernel, or registry object. This event generates only if "Delete" auditing is set in object’s SACL. This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use "4663(S): An attempt was made to access an object" with DELETE access to track object deletion. The advantage of this event is that it’s generated only during real delete operations. In contrast, "4663(S): An attempt was made to access an object" also generates during other actions, such as object renaming |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0062_4663_attempt_was_made_to_access_an_object.md b/Atomic_Threat_Coverage/Data_Needed/DN_0062_4663_attempt_was_made_to_access_an_object.md
index ce75b9a..bb62268 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0062_4663_attempt_was_made_to_access_an_object.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0062_4663_attempt_was_made_to_access_an_object.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. This event generates only if object’s SACL has required ACE to handle specific access right use. The main difference with "4656: A handle to an object was requested." event is that 4663 shows that access right was used instead of just requested and 4663 doesn’t have Failure events |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0063_4697_service_was_installed_in_the_system.md b/Atomic_Threat_Coverage/Data_Needed/DN_0063_4697_service_was_installed_in_the_system.md
index 1f8ba9c..77857f9 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0063_4697_service_was_installed_in_the_system.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0063_4697_service_was_installed_in_the_system.md
@@ -2,7 +2,7 @@
 |:-------------------|:------------------|
 | **Author** | @atc_project |
 | **Description** | A service was installed in the system |
-| **Logging Policy** | |
+| **Logging Policy** | |
 | **References** | |
 | **Platform** | Windows |
 | **Type** | Windows Log |
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0064_4698_scheduled_task_was_created.md b/Atomic_Threat_Coverage/Data_Needed/DN_0064_4698_scheduled_task_was_created.md
index a01010a..3758e9d 100644
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0064_4698_scheduled_task_was_created.md
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0064_4698_scheduled_task_was_created.md
@@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | This event generates every time a new scheduled task is created | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0065_4701_scheduled_task_was_disabled.md b/Atomic_Threat_Coverage/Data_Needed/DN_0065_4701_scheduled_task_was_disabled.md index b6abe82..3ba7d92 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0065_4701_scheduled_task_was_disabled.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0065_4701_scheduled_task_was_disabled.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | This event generates every time a scheduled task is disabled | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0066_4704_user_right_was_assigned.md b/Atomic_Threat_Coverage/Data_Needed/DN_0066_4704_user_right_was_assigned.md index 6ef078c..a2e194d 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0066_4704_user_right_was_assigned.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0066_4704_user_right_was_assigned.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | This event generates every time local user right policy is changed and user right was assigned to an account. You will see unique event for every user | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0068_4728_member_was_added_to_security_enabled_global_group.md b/Atomic_Threat_Coverage/Data_Needed/DN_0068_4728_member_was_added_to_security_enabled_global_group.md index 0cef370..cb09951 100644 
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0068_4728_member_was_added_to_security_enabled_global_group.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0068_4728_member_was_added_to_security_enabled_global_group.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | Member was added to a security-enabled global group | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0069_4732_member_was_added_to_security_enabled_local_group.md b/Atomic_Threat_Coverage/Data_Needed/DN_0069_4732_member_was_added_to_security_enabled_local_group.md index 6d8e58b..8043a51 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0069_4732_member_was_added_to_security_enabled_local_group.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0069_4732_member_was_added_to_security_enabled_local_group.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | This event generates every time a new member was added to a security-enabled (security) local group. This event generates on domain controllers, member servers, and workstations | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0070_4735_security_enabled_local_group_was_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0070_4735_security_enabled_local_group_was_changed.md index fa81d32..c1956f1 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0070_4735_security_enabled_local_group_was_changed.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0070_4735_security_enabled_local_group_was_changed.md 
@@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | This event generates every time a security-enabled (security) local group is changed. This event generates on domain controllers, member servers, and workstations | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0071_4737_security_enabled_global_group_was_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0071_4737_security_enabled_global_group_was_changed.md index ba65971..e799cca 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0071_4737_security_enabled_global_group_was_changed.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0071_4737_security_enabled_global_group_was_changed.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | Security-enabled global group was changed | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0072_4755_security_enabled_universal_group_was_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0072_4755_security_enabled_universal_group_was_changed.md index e0804c5..241cc23 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0072_4755_security_enabled_universal_group_was_changed.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0072_4755_security_enabled_universal_group_was_changed.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | Security-enabled universal group was changed | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | 
diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0073_4756_member_was_added_to_a_security_enabled_universal_group.md b/Atomic_Threat_Coverage/Data_Needed/DN_0073_4756_member_was_added_to_a_security_enabled_universal_group.md index 9c96e11..f859b38 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0073_4756_member_was_added_to_a_security_enabled_universal_group.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0073_4756_member_was_added_to_a_security_enabled_universal_group.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | Member was added to a security-enabled universal group | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0074_4765_sid_history_was_added_to_an_account.md b/Atomic_Threat_Coverage/Data_Needed/DN_0074_4765_sid_history_was_added_to_an_account.md index 91a73e8..0be9097 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0074_4765_sid_history_was_added_to_an_account.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0074_4765_sid_history_was_added_to_an_account.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | SID History was added to an account | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed.md index d3d72aa..aae0433 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed.md 
@@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | An attempt to add SID History to an account failed | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0076_4768_kerberos_authentication_ticket_was_requested.md b/Atomic_Threat_Coverage/Data_Needed/DN_0076_4768_kerberos_authentication_ticket_was_requested.md index c37319a..d44c87e 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0076_4768_kerberos_authentication_ticket_was_requested.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0076_4768_kerberos_authentication_ticket_was_requested.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). This event generates only on domain controllers. If TGT issue fails then you will see Failure event with Result Code field not equal to "0x0" | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0077_4769_kerberos_service_ticket_was_requested.md b/Atomic_Threat_Coverage/Data_Needed/DN_0077_4769_kerberos_service_ticket_was_requested.md index 3354abd..bef505e 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0077_4769_kerberos_service_ticket_was_requested.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0077_4769_kerberos_service_ticket_was_requested.md 
@@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | This event generates every time Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request. This event generates only on domain controllers. If TGS issue fails then you will see Failure event with Failure Code field not equal to "0x0" | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0078_4771_kerberos_pre_authentication_failed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0078_4771_kerberos_pre_authentication_failed.md index 45deb1e..9ec5aa9 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0078_4771_kerberos_pre_authentication_failed.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0078_4771_kerberos_pre_authentication_failed.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a "Domain Controller" or "Domain Controller Authentication" template), the user’s password has expired, or the wrong password was provided. This event generates only on domain controllers | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md b/Atomic_Threat_Coverage/Data_Needed/DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md index ddf44e2..ea36d92 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md 
+++ b/Atomic_Threat_Coverage/Data_Needed/DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | This event generates every time that a credential validation occurs using NTLM authentication. This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0082_8002_ntlm_server_blocked_audit.md b/Atomic_Threat_Coverage/Data_Needed/DN_0082_8002_ntlm_server_blocked_audit.md index e033daf..fa74042 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0082_8002_ntlm_server_blocked_audit.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0082_8002_ntlm_server_blocked_audit.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked. Actually it's just event about NTLM authentication, it doesn't necessary supposed to be blocked. Blocked NTLM auth is the same provider but Event ID 4002 | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Applications and Services Logs | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0085_22_windows_sysmon_DnsQuery.md b/Atomic_Threat_Coverage/Data_Needed/DN_0085_22_windows_sysmon_DnsQuery.md index a58f169..3a874fc 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0085_22_windows_sysmon_DnsQuery.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0085_22_windows_sysmon_DnsQuery.md 
@@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | This event generates when a process executes a DNS query, whether the result is successful or fails, cached or not | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Applications and Services Logs | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0086_4720_user_account_was_created.md b/Atomic_Threat_Coverage/Data_Needed/DN_0086_4720_user_account_was_created.md index d15b6ea..4880676 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0086_4720_user_account_was_created.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0086_4720_user_account_was_created.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | A user account was created | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0087_5156_windows_filtering_platform_has_permitted_connection.md b/Atomic_Threat_Coverage/Data_Needed/DN_0087_5156_windows_filtering_platform_has_permitted_connection.md index 71dd4bd..a921b80 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0087_5156_windows_filtering_platform_has_permitted_connection.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0087_5156_windows_filtering_platform_has_permitted_connection.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | The Windows Filtering Platform has permitted a connection | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0088_4616_system_time_was_changed.md b/Atomic_Threat_Coverage/Data_Needed/DN_0088_4616_system_time_was_changed.md index f955590..2adaa54 100644 
--- a/Atomic_Threat_Coverage/Data_Needed/DN_0088_4616_system_time_was_changed.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0088_4616_system_time_was_changed.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | The system time was changed | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Windows | | **Type** | Windows Log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0096_linux_named_client_security_log.md b/Atomic_Threat_Coverage/Data_Needed/DN_0096_linux_named_client_security_log.md index be5416b..fd78a46 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0096_linux_named_client_security_log.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0096_linux_named_client_security_log.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | Linux named (BIND) messages relating to client access and security | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Linux | | **Type** | client_security_log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0099_Bind_DNS_query.md b/Atomic_Threat_Coverage/Data_Needed/DN_0099_Bind_DNS_query.md index b70d91e..c532370 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0099_Bind_DNS_query.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0099_Bind_DNS_query.md @@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | DNS Query from BIND Server | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Linux | | **Type** | queries log | diff --git a/Atomic_Threat_Coverage/Data_Needed/DN_0100_Passive_DNS_log.md b/Atomic_Threat_Coverage/Data_Needed/DN_0100_Passive_DNS_log.md index c1ce46e..797e7b0 100644 --- a/Atomic_Threat_Coverage/Data_Needed/DN_0100_Passive_DNS_log.md +++ b/Atomic_Threat_Coverage/Data_Needed/DN_0100_Passive_DNS_log.md 
@@ -2,7 +2,7 @@ |:-------------------|:------------------| | **Author** | @atc_project | | **Description** | Log from Passive DNS | -| **Logging Policy** | | +| **Logging Policy** | | | **References** | | | **Platform** | Linux | | **Type** | queries log | diff --git a/data/atc_data b/data/atc_data index 83057f4..cebc3ae 160000 --- a/data/atc_data +++ b/data/atc_data @@ -1 +1 @@ -Subproject commit 83057f4488275c5d5e32aaa24fc21c0ce1a2667c +Subproject commit cebc3ae76f99639685ba0706301dc3a5e05c8779 diff --git a/data_needed/DN_0044_1000_application_crashed.yml b/data_needed/DN_0044_1000_application_crashed.yml deleted file mode 100644 index 3951166..0000000 --- a/data_needed/DN_0044_1000_application_crashed.yml +++ /dev/null @@ -1,59 +0,0 @@ -title: DN_0044_1000_application_crashed -description: > - This is a very generic error and it doesn't tell much about what caused it. Some applications may fail with this error when the system is left unstable by another faulty program. -loggingpolicy: - - none -references: - - https://www.morgantechspace.com/2014/12/event-id-1000-application-error.html -category: OS Logs -platform: Windows -type: Windows Log -channel: Application -provider: Application Error -fields: - - EventID - - Hostname # redundant - - Computer - - FaultingApplicationName - - FaultingModuleName - - ExceptionCode - - FaultOffset - - FaultingProcessId - - FaultingApplicationStartTime - - FaultingApplicationPath - - FaultingModulePath - - ReportId - - FaultingPackageFullName - - FaultingPackage-relativeApplicationID -sample: | - - - - - - 1000 - 2 - 100 - 0x80000000000000 - - 6724 - Application - WD0000.eu.windows.com - - - - - IntelAudioService.exe - 1.0.46.0 - 59afa72c - KERNELBASE.dll - 10.0.17134.441 - 428de48c - e06d7363 - 000000000003a388 - 1240 - 01d49e823bbf0b3b - C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe - C:\WINDOWS\System32\KERNELBASE.dll - 6220b181-a7a0-4c44-9046-d8ce090d3a86 - - - - 
diff --git a/data_needed/DN_0045_1001_windows_error_reporting.yml b/data_needed/DN_0045_1001_windows_error_reporting.yml deleted file mode 100644 index b4e0bc9..0000000 --- a/data_needed/DN_0045_1001_windows_error_reporting.yml +++ /dev/null @@ -1,68 +0,0 @@ -title: DN_0045_1001_windows_error_reporting -description: > - When application fails, the result is recorded as an informational event in the Application log by Windows Error Reporting as event 1001. -loggingpolicy: - - none -references: - - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754364(v=ws.11) - - https://social.technet.microsoft.com/wiki/contents/articles/3116.event-id-1001-windows-error-reporting.aspx?Sort=MostRecent&PageIndex=1 -category: OS Logs -platform: Windows -type: Windows Log -channel: Application -provider: Windows Error Reporting -fields: - - EventID - - Hostname # redundant - - Computer - - EventName - - Response - - CabId - - ProblemSignature - - AttachedFiles - - Thesefilesmaybeavailablehere - - AnalysisSymbol - - RecheckingForSolution - - ReportId - - ReportStatus - - HashedBucket -sample: | - - - - - - 1001 - 4 - 0 - 0x80000000000000 - - 11279 - Application - WD00000.eu.windows.com - - - - - 2005798148961969216 - 5 - StoreAgentScanForUpdatesFailure0 - Not available - 0 - Update; - 8024402c - 16299 - 847 - Windows.Desktop - - - - - - \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER81F.tmp.WERInternalMetadata.xml - C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Update;_ba86f388d190af6963dbd95b33715448fcb6fd5_00000000_27442451 - - 0 - 0885fc8a-5383-4c50-b209-7c570832b8bf - 268435556 - e7b725b96c0bab97abd606ca1003a440 - - - \ No newline at end of file