valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 17:45:23 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
c556bbf7ea
atomic-threat-coverage/data_needed/DN_0005_7045_windows_service_insatalled.yml
yugoslavskiy f79f50bec3 changed directories names
2019-02-12 04:55:11 +01:00

51 lines
1.5 KiB
YAML
Raw Blame History

title: DN_0005_7045_windows_service_insatalled
description: >
A service was installed in the system
loggingpolicy:
- None
references:
- None
category: OS Logs
platform: Windows
type: Windows Log
channel: System
provider: Service Control Manager
fields:
- EventID
- Hostname # redundant
- Computer
- ProcessID
- ServiceName
- ImagePath
- ServiceFileName # redundant, inconsistent
- ServiceType
- StartType
- AccountName
- UserSid
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="16384">7045</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2017-07-02T15:48:56.256752900Z" />
<EventRecordID>762</EventRecordID>
<Correlation />
<Execution ProcessID="568" ThreadID="1792" />
<Channel>System</Channel>
<Computer>DESKTOP</Computer>
<Security UserID="S-1-5-21-2073602604-586167410-2329295167-1001" />
</System>
- <EventData>
<Data Name="ServiceName">sshd</Data>
<Data Name="ImagePath">C:\Program Files\OpenSSH\sshd.exe</Data>
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSystem</Data>
</EventData>
</Event>
Reference in New Issue View Git Blame Copy Permalink