valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 09:35:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
151d351e76
atomic-threat-coverage/data_needed/DN_0061_4660_object_was_deleted.yml
yugoslavskiy 69dbd5bd88 new dn and lp
2019-04-22 05:18:31 +02:00

66 lines
2.5 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

title: DN_0061_4660_object_was_deleted
description: >
This event generates when an object was deleted. The object could be a
file system, kernel, or registry object. This event generates only if
"Delete" auditing is set in objects SACL. This event doesnt contain
the name of the deleted object (only the Handle ID). It is better to
use "4663(S): An attempt was made to access an object" with DELETE
access to track object deletion. The advantage of this event is that
its generated only during real delete operations. In contrast,
"4663(S): An attempt was made to access an object" also generates
during other actions, such as object renaming
loggingpolicy:
- LP_0102_windows_audit_file_system
- LP_0039_windows_audit_kernel_object
- LP_0103_windows_audit_registry
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4660.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
- ObjectServer
- HandleId
- ProcessId
- ProcessName
- TransactionId
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4660</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
<EventRecordID>270188</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3060" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x1678</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
Reference in New Issue View Git Blame Copy Permalink