From fa9531a615b44fa670c63c8dc0268254834e415b Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Tue, 14 Dec 2021 19:17:51 +0900
Subject: [PATCH 1/5] added eventkeys #274
---
 config/eventkey_alias.txt | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
index 3188c4b9..f74a5428 100644
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -147,3 +147,31 @@ keywords,Event.System.Keywords
 param1,Event.EventData.param1
 param2,Event.EventData.param2
 service,Event.EventData.Service
+CallerProcessName
+CertThumbprint
+ClassName
+DestAddress
+ErrorCode
+EventLog
+FilePath
+Filename
+NewTemplateContent
+NewUacValue
+New_Value
+OldUacValue
+ProcessId
+ProviderName
+Provider_Name
+SearchFilter
+ServerName
+ServiceStartType
+ServiceType
+Source_Name
+StartAddress
+State
+TargetServerName
+TemplateContent
+Value
+WMIcommand
+provider_Name
+sha1
\ No newline at end of file
From ba1beafdd021283cacbe012e9e558d2b643d8e7a Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Tue, 14 Dec 2021 19:19:57 +0900
Subject: [PATCH 2/5] removed duplicated eventkeys #274
---
 config/eventkey_alias.txt | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
index f74a5428..0af4c8f6 100644
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -79,7 +79,6 @@ ObjectServer,Event.EventData.ObjectServer
 ObjectType,Event.EventData.ObjectType
 ObjectValueName,Event.EventData.ObjectValueName
 Origin,Event.EventData.Origin
-OriginalFileName,Event.EventData.OriginalFileName
 OriginalFilename,Event.EventData.OriginalFileName
 ParentCommandLine,Event.EventData.ParentCommandLine
 ParentImage,Event.EventData.ParentImage
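Review bot: The 28 added rows carry only an alias name and no `,Event.…` target, unlike every other row of this two-column file, so at this revision the loader sees an empty or missing path for them and may reject the file or silently skip the entries. PATCH 3/5 later supplies the paths, but the intermediate state is inconsistent; if names need to be staged before their mapping is known, an interim row such as `CallerProcessName,Event.EventData.CallerProcessName` keeps the format valid.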
@@ -143,10 +142,8 @@ User,Event.EventData.User
 UserName,Event.EventData.UserName
 Workstation,Event.EventData.Workstation
 WorkstationName,Event.EventData.WorkstationName
-keywords,Event.System.Keywords
 param1,Event.EventData.param1
 param2,Event.EventData.param2
-service,Event.EventData.Service
 CallerProcessName
 CertThumbprint
 ClassName
From c6d54ce7b473774f83f7f51bcad4989b084baf3e Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Wed, 15 Dec 2021 01:08:25 +0900
Subject: [PATCH 3/5] adjust 12/12 SIGMA rules #274
---
 config/eventkey_alias.txt | 54 +++++++++++++++++++--------------------
 1 file changed, 26 insertions(+), 28 deletions(-)
diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
index 0af4c8f6..a5abf230 100644
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -144,31 +144,29 @@ Workstation,Event.EventData.Workstation
 WorkstationName,Event.EventData.WorkstationName
 param1,Event.EventData.param1
 param2,Event.EventData.param2
-CallerProcessName
-CertThumbprint
-ClassName
-DestAddress
-ErrorCode
-EventLog
-FilePath
-Filename
-NewTemplateContent
-NewUacValue
-New_Value
-OldUacValue
-ProcessId
-ProviderName
-Provider_Name
-SearchFilter
-ServerName
-ServiceStartType
-ServiceType
-Source_Name
-StartAddress
-State
-TargetServerName
-TemplateContent
-Value
-WMIcommand
-provider_Name
-sha1
\ No newline at end of file
+CallerProcessName,Event.EventData.CallerProcessName
+CertThumbprint,Event.EventData.CertThumbprint
+ClassName,Event.EventData.ClassName
+DestAddress,Event.EventData.DestAddress
+ErrorCode,Event.EventData.ErrorCode
+FilePath,Event.EventData.FilePath
+Filename,Event.EventData.Filename
+NewTemplateContent, Event.EventData.NewTemplateContent
+NewUacValue,Event.EventData.NewUacValue
+New_Value,Event.EventData.New Value
+OldUacValue,Event.EventData.OldUacValue
+ProcessId,Event.EventData.ProcessId
+ProviderName,Event.System.Provider_Name
+Provider_Name,Event.System.Provider_Name
+SearchFilter,Event.System.SearchFilter
+ServerName,Event.System.ServerName
+ServiceStartType,Event.EventData.ServiceStartType
+ServiceType,Event.EventData.ServiceType
+Source_Name,Event.EventData.Source Name
+StartAddress,Event.EventData.StartAddress
+State,Event.EventData.State
+TargetServerName,Event.EventData.TargetServerName
+TemplateContent,Event.EventData.TemplateContent
+Value, Event.EventData.Value
+provider_Name,Event.EventData.Provider_Name
+sha1,Event.EventData.Hashes_sha1
\ No newline at end of file
From 99dbb662b77633c8d9dd5c8eb0e2b89c493ee238 Mon Sep 17 00:00:00 2001
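Review bot: `NewTemplateContent, Event.EventData.NewTemplateContent` and `Value, Event.EventData.Value` carry a space after the comma, so unless the alias loader trims fields the resolved path begins with a space and never matches an event field, which silently disables every rule keyed on those names; the fix is `NewTemplateContent,Event.EventData.NewTemplateContent` and `Value,Event.EventData.Value`. `SearchFilter,Event.System.SearchFilter` and `ServerName,Event.System.ServerName` point into the System element, which in the Windows event schema holds only the fixed header fields (Provider, EventID, Level, Keywords, Channel, Computer and so on); these values live in EventData in the events that carry them, so the rows presumably should read `Event.EventData.SearchFilter` and `Event.EventData.ServerName`. `provider_Name,Event.EventData.Provider_Name` disagrees with `ProviderName` and `Provider_Name` earlier in the same hunk, which both map to `Event.System.Provider_Name`; the lowercase variant looks like it was meant to share that System path. The hunk also drops `EventLog` and `WMIcommand` from the list added in PATCH 1/5 without a mapping or a word in the message, so rules referencing those field names stop resolving. All of these rows are reproduced unchanged in the PATCH 4/5 hunk at `@@ -1,172 +1,179 @@`.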
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Date: Fri, 17 Dec 2021 13:39:59 +0900
Subject: [PATCH 4/5] =?UTF-8?q?alias=E3=81=AE=E8=BF=BD=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 config/eventkey_alias.txt | 349 +++++++++++++++++++-------------------
 1 file changed, 178 insertions(+), 171 deletions(-)
diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
index a5abf230..7b3b19b6 100644
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -1,172 +1,179 @@
-AccessList,Event.EventData.AccessList
-AccessMask,Event.EventData.AccessMask
-Accesses,Event.EventData.Accesses
-AccountName,Event.EventData.AccountName
-Account_Name,Event.EventData.Account_Name
-AllowedToDelegateTo,Event.EventData.AllowedToDelegateTo
-AttributeLDAPDisplayName,Event.EventData.AttributeLDAPDisplayName
-AttributeValue,Event.EventData.AttributeValue
-AuditPolicyChanges,Event.EventData.AuditPolicyChanges
-AuditSourceName,Event.EventData.AuditSourceName
-AuthenticationPackageName,Event.EventData.AuthenticationPackageName
-CallTrace,Event.EventData.CallTrace
-Caller_Process_Name,Event.EventData.Caller_Process_Name
-CallingProcessName,Event.EventData.CallingProcessName
-Channel,Event.System.Channel
-Client_Address,Event.EventData.Client_Address
-CommandLine,Event.EventData.CommandLine
-Company,Event.EventData.Company
-Computer,Event.System.Computer
-ComputerName,Event.System.Computer
-ContextInfo,Event.EventData.ContextInfo
-CurrentDirectory,Event.EventData.CurrentDirectory
-Description,Event.EventData.Description
-DestPort,Event.EventData.DestPort
-Destination,Event.EventData.Destination
-DestinationAddress,Event.EventData.DestinationAddress
-DestinationHostname,Event.EventData.DestinationHostname
-DestinationIp,Event.EventData.DestinationIp
-DestinationIsIpv6,Event.EventData.DestinationIsIpv6
-DestinationPort,Event.EventData.DestinationPort
-Details,Event.EventData.Details
-DetectionSource,Event.EventData.DetectionSource
-Device,Event.EventData.Device
-DeviceClassName,Event.EventData.DeviceClassName
-DeviceDescription,Event.EventData.DeviceDescription
-DeviceName,Event.EventData.DeviceName
-DomainName,Event.EventData.SubjectDomainName
-EngineVersion,Event.EventData.EngineVersion
-EventID,Event.System.EventID
-EventType,Event.EventData.EventType
-FailureCode,Event.EventData.FailureCode
-FileVersion,Event.EventData.FileVersion
-GrantedAccess,Event.EventData.GrantedAccess
-GroupName,Event.EventData.GroupName
-GroupSid,Event.EventData.GroupSid
-Hashes,Event.EventData.Hashes
-HiveName,Event.EventData.HiveName
-HostApplication,Event.EventData.HostApplication
-HostName,Event.EventData.HostName
-HostVersion,Event.EventData.HostVersion
-Image,Event.EventData.Image
-ImageLoaded,Event.EventData.ImageLoaded
-ImagePath,Event.EventData.ImagePath
-Imphash,Event.EventData.Hashes
-Initiated,Event.EventData.Initiated
-IntegrityLevel,Event.EventData.IntegrityLevel
-IpAddress,Event.EventData.IpAddress
-IpPort,Event.EventData.IpPort
-JobTitle,Event.EventData.name
-KeyLength,Event.EventData.KeyLength
-Keywords,Event.System.Keywords
-LDAPDisplayName,Event.EventData.LDAPDisplayName
-LayerRTID,Event.EventData.LayerRTID
-Level,Event.System.Level
-LogFileClearedSubjectUserName,Event.UserData.LogFileCleared.SubjectUserName
-LogonId,Event.EventData.LogonId
-LogonProcessName,Event.EventData.LogonProcessName
-LogonType,Event.EventData.LogonType
-Logon_Account,Event.EventData.Logon_Account
-MachineName,Event.EventData.MachineName
-MemberName,Event.EventData.MemberName
-MemberSid,Event.EventData.MemberSid
-Message,Event.EventData
-NewName,Event.EventData.NewName
-NewValue,Event.EventData.NewValue
-ObjectClass,Event.EventData.ObjectClass
-ObjectName,Event.EventData.ObjectName
-ObjectServer,Event.EventData.ObjectServer
-ObjectType,Event.EventData.ObjectType
-ObjectValueName,Event.EventData.ObjectValueName
-Origin,Event.EventData.Origin
-OriginalFilename,Event.EventData.OriginalFileName
-ParentCommandLine,Event.EventData.ParentCommandLine
-ParentImage,Event.EventData.ParentImage
-ParentIntegrityLevel,Event.EventData.ParentIntegrityLevel
-ParentProcessName,Event.EventData.ParentProcessName
-ParentUser,Event.EventData.ParentUser
-PasswordLastSet,Event.EventData.PasswordLastSet
-Path,Event.EventData.Path
-Payload,Event.EventData.Payload
-PipeName,Event.EventData.PipeName
-PreAuthType,Event.EventData.PreAuthType
-PrivilegeList,Event.EventData.PrivilegeList
-ProcessCommandLine,Event.EventData.ProcessCommandLine
-ProcessName,Event.EventData.ProcessName
-Product,Event.EventData.Product
-Properties,Event.EventData.Properties
-QNAME,Event.EventData.QNAME
-QueryName,Event.EventData.QueryName
-QueryResults,Event.EventData.QueryResults
-QueryStatus,Event.EventData.QueryStatus
-RelativeTargetName,Event.EventData.RelativeTargetName
-SAMAccountName,Event.EventData.SamAccountName
-ScriptBlockText,Event.EventData.ScriptBlockText
-Service,Event.EventData.Service
-ServiceFileName,Event.EventData.ServiceFileName
-ServiceName,Event.EventData.ServiceName
-ServicePrincipalNames,Event.EventData.ServicePrincipalNames
-ShareName,Event.EventData.ShareName
-SidHistory,Event.EventData.SidHistory
-Signature,Event.EventData.Signature
-Signed,Event.EventData.Signed
-Source,Event.System.Provider_Name
-SourceAddress,Event.EventData.SourceAddress
-SourceImage,Event.EventData.SourceImage
-SourceNetworkAddress,Event.EventData.SourceNetworkAddress
-SourcePort,Event.EventData.SourcePort
-Source_Network_Address,Event.EventData.Source_Network_Address
-Source_WorkStation,Event.EventData.Source_WorkStation
-StartFunction,Event.EventData.StartFunction
-StartModule,Event.EventData.StartModule
-Status,Event.EventData.Status
-SubStatus,Event.EventData.SubStatus
-SubjectDomainName,Event.EventData.SubjectDomainName
-SubjectLogonId,Event.EventData.SubjectLogonId
-SubjectUserName,Event.EventData.SubjectUserName
-SubjectUserSid,Event.EventData.SubjectUserSid
-TargetDomainName,Event.EventData.TargetDomainName
-TargetFilename,Event.EventData.TargetFilename
-TargetImage,Event.EventData.TargetImage
-TargetLogonId,Event.EventData.TargetLogonId
-TargetName,Event.EventData.TargetServerName
-TargetObject,Event.EventData.TargetObject
-TargetProcessAddress,Event.EventData.TargetProcessAddress
-TargetSid,Event.EventData.TargetSid
-TargetUserName,Event.EventData.TargetUserName
-TaskName,Event.EventData.TaskName
-TicketEncryptionType,Event.EventData.TicketEncryptionType
-TicketOptions,Event.EventData.TicketOptions
-Url,Event.EventData.url
-User,Event.EventData.User
-UserName,Event.EventData.UserName
-Workstation,Event.EventData.Workstation
-WorkstationName,Event.EventData.WorkstationName
-param1,Event.EventData.param1
-param2,Event.EventData.param2
-CallerProcessName,Event.EventData.CallerProcessName
-CertThumbprint,Event.EventData.CertThumbprint
-ClassName,Event.EventData.ClassName
-DestAddress,Event.EventData.DestAddress
-ErrorCode,Event.EventData.ErrorCode
-FilePath,Event.EventData.FilePath
-Filename,Event.EventData.Filename
-NewTemplateContent, Event.EventData.NewTemplateContent
-NewUacValue,Event.EventData.NewUacValue
-New_Value,Event.EventData.New Value
-OldUacValue,Event.EventData.OldUacValue
-ProcessId,Event.EventData.ProcessId
-ProviderName,Event.System.Provider_Name
-Provider_Name,Event.System.Provider_Name
-SearchFilter,Event.System.SearchFilter
-ServerName,Event.System.ServerName
-ServiceStartType,Event.EventData.ServiceStartType
-ServiceType,Event.EventData.ServiceType
-Source_Name,Event.EventData.Source Name
-StartAddress,Event.EventData.StartAddress
-State,Event.EventData.State
-TargetServerName,Event.EventData.TargetServerName
-TemplateContent,Event.EventData.TemplateContent
-Value, Event.EventData.Value
-provider_Name,Event.EventData.Provider_Name
+AccessList,Event.EventData.AccessList
+AccessMask,Event.EventData.AccessMask
+Accesses,Event.EventData.Accesses
+AccountName,Event.EventData.AccountName
+Account_Name,Event.EventData.Account_Name
+AllowedToDelegateTo,Event.EventData.AllowedToDelegateTo
+AttributeLDAPDisplayName,Event.EventData.AttributeLDAPDisplayName
+AttributeValue,Event.EventData.AttributeValue
+AuditPolicyChanges,Event.EventData.AuditPolicyChanges
+AuditSourceName,Event.EventData.AuditSourceName
+AuthenticationPackageName,Event.EventData.AuthenticationPackageName
+CallTrace,Event.EventData.CallTrace
+CallerProcessName,Event.EventData.CallerProcessName
+Caller_Process_Name,Event.EventData.Caller_Process_Name
+CallingProcessName,Event.EventData.CallingProcessName
+CategoryName,Event.EventData.Category Name
+CertThumbprint,Event.EventData.CertThumbprint
+Channel,Event.System.Channel
+ClassName,Event.EventData.ClassName
+Client_Address,Event.EventData.Client_Address
+CommandLine,Event.EventData.CommandLine
+Company,Event.EventData.Company
+Computer,Event.System.Computer
+ComputerName,Event.System.Computer
+ContextInfo,Event.EventData.ContextInfo
+CurrentDirectory,Event.EventData.CurrentDirectory
+Description,Event.EventData.Description
+DestAddress,Event.EventData.DestAddress
+DestPort,Event.EventData.DestPort
+Destination,Event.EventData.Destination
+DestinationAddress,Event.EventData.DestinationAddress
+DestinationHostname,Event.EventData.DestinationHostname
+DestinationIp,Event.EventData.DestinationIp
+DestinationIsIpv6,Event.EventData.DestinationIsIpv6
+DestinationPort,Event.EventData.DestinationPort
+Details,Event.EventData.Details
+DetectionSource,Event.EventData.DetectionSource
+DetectionUser,Event.EventData.Detection User
+Device,Event.EventData.Device
+DeviceClassName,Event.EventData.DeviceClassName
+DeviceDescription,Event.EventData.DeviceDescription
+DeviceName,Event.EventData.DeviceName
+DomainName,Event.EventData.SubjectDomainName
+EngineVersion,Event.EventData.EngineVersion
+ErrorCode,Event.EventData.ErrorCode
+EventID,Event.System.EventID
+EventType,Event.EventData.EventType
+FailureCode,Event.EventData.FailureCode
+FilePath,Event.EventData.FilePath
+FileVersion,Event.EventData.FileVersion
+Filename,Event.EventData.Filename
+GrantedAccess,Event.EventData.GrantedAccess
+GroupName,Event.EventData.GroupName
+GroupSid,Event.EventData.GroupSid
+Hashes,Event.EventData.Hashes
+HiveName,Event.EventData.HiveName
+HostApplication,Event.EventData.HostApplication
+HostName,Event.EventData.HostName
+HostVersion,Event.EventData.HostVersion
+Image,Event.EventData.Image
+ImageLoaded,Event.EventData.ImageLoaded
+ImagePath,Event.EventData.ImagePath
+Imphash,Event.EventData.Hashes
+Initiated,Event.EventData.Initiated
+IntegrityLevel,Event.EventData.IntegrityLevel
+IpAddress,Event.EventData.IpAddress
+IpPort,Event.EventData.IpPort
+JobTitle,Event.EventData.name
+KeyLength,Event.EventData.KeyLength
+Keywords,Event.System.Keywords
+LDAPDisplayName,Event.EventData.LDAPDisplayName
+LayerRTID,Event.EventData.LayerRTID
+Level,Event.System.Level
+LogFileClearedSubjectUserName,Event.UserData.LogFileCleared.SubjectUserName
+LogonId,Event.EventData.LogonId
+LogonProcessName,Event.EventData.LogonProcessName
+LogonType,Event.EventData.LogonType
+Logon_Account,Event.EventData.Logon_Account
+MachineName,Event.EventData.MachineName
+MemberName,Event.EventData.MemberName
+MemberSid,Event.EventData.MemberSid
+Message,Event.EventData
+NewName,Event.EventData.NewName
+NewTemplateContent, Event.EventData.NewTemplateContent
+NewUacValue,Event.EventData.NewUacValue
+NewValue,Event.EventData.NewValue
+New_Value,Event.EventData.New Value
+ObjectClass,Event.EventData.ObjectClass
+ObjectName,Event.EventData.ObjectName
+ObjectServer,Event.EventData.ObjectServer
+ObjectType,Event.EventData.ObjectType
+ObjectValueName,Event.EventData.ObjectValueName
+OldUacValue,Event.EventData.OldUacValue
+Origin,Event.EventData.Origin
+OriginalFilename,Event.EventData.OriginalFileName
+ParentCommandLine,Event.EventData.ParentCommandLine
+ParentImage,Event.EventData.ParentImage
+ParentIntegrityLevel,Event.EventData.ParentIntegrityLevel
+ParentProcessName,Event.EventData.ParentProcessName
+ParentUser,Event.EventData.ParentUser
+PasswordLastSet,Event.EventData.PasswordLastSet
+Path,Event.EventData.Path
+Payload,Event.EventData.Payload
+PipeName,Event.EventData.PipeName
+PreAuthType,Event.EventData.PreAuthType
+PrivilegeList,Event.EventData.PrivilegeList
+ProcessCommandLine,Event.EventData.ProcessCommandLine
+ProcessId,Event.EventData.ProcessId
+ProcessName,Event.EventData.ProcessName
+Product,Event.EventData.Product
+Properties,Event.EventData.Properties
+ProviderName,Event.System.Provider_Name
+Provider_Name,Event.System.Provider_Name
+QNAME,Event.EventData.QNAME
+QueryName,Event.EventData.QueryName
+QueryResults,Event.EventData.QueryResults
+QueryStatus,Event.EventData.QueryStatus
+RelativeTargetName,Event.EventData.RelativeTargetName
+RuleName,Event.EventData.RuleName
+SAMAccountName,Event.EventData.SamAccountName
+ScriptBlockText,Event.EventData.ScriptBlockText
+SearchFilter,Event.System.SearchFilter
+ServerName,Event.System.ServerName
+Service,Event.EventData.Service
+ServiceFileName,Event.EventData.ServiceFileName
+ServiceName,Event.EventData.ServiceName
+ServicePrincipalNames,Event.EventData.ServicePrincipalNames
+ServiceStartType,Event.EventData.ServiceStartType
+ServiceType,Event.EventData.ServiceType
+SeverityName,Event.EventData.Severity Name
+ShareLocalPath,Event.EventData.ShareLocalPath
+ShareName,Event.EventData.ShareName
+SidHistory,Event.EventData.SidHistory
+Signature,Event.EventData.Signature
+Signed,Event.EventData.Signed
+Source,Event.System.Provider_Name
+SourceAddress,Event.EventData.SourceAddress
+SourceImage,Event.EventData.SourceImage
+SourceNetworkAddress,Event.EventData.SourceNetworkAddress
+SourcePort,Event.EventData.SourcePort
+Source_Name,Event.EventData.Source Name
+Source_Network_Address,Event.EventData.Source_Network_Address
+Source_WorkStation,Event.EventData.Source_WorkStation
+StartAddress,Event.EventData.StartAddress
+StartFunction,Event.EventData.StartFunction
+StartModule,Event.EventData.StartModule
+State,Event.EventData.State
+Status,Event.EventData.Status
+SubStatus,Event.EventData.SubStatus
+SubjectDomainName,Event.EventData.SubjectDomainName
+SubjectLogonId,Event.EventData.SubjectLogonId
+SubjectUserName,Event.EventData.SubjectUserName
+SubjectUserSid,Event.EventData.SubjectUserSid
+TargetDomainName,Event.EventData.TargetDomainName
+TargetFilename,Event.EventData.TargetFilename
+TargetImage,Event.EventData.TargetImage
+TargetLogonId,Event.EventData.TargetLogonId
+TargetName,Event.EventData.TargetServerName
+TargetObject,Event.EventData.TargetObject
+TargetProcessAddress,Event.EventData.TargetProcessAddress
+TargetServerName,Event.EventData.TargetServerName
+TargetSid,Event.EventData.TargetSid
+TargetUserName,Event.EventData.TargetUserName
+TaskName,Event.EventData.TaskName
+TemplateContent,Event.EventData.TemplateContent
+ThreatName,Event.EventData.Threat Name
+TicketEncryptionType,Event.EventData.TicketEncryptionType
+TicketOptions,Event.EventData.TicketOptions
+Url,Event.EventData.url
+User,Event.EventData.User
+UserName,Event.EventData.UserName
+Value, Event.EventData.Value
+WindowsDefenderProcessName,Event.EventData.Process Name
+Workstation,Event.EventData.Workstation
+WorkstationName,Event.EventData.WorkstationName
+param1,Event.EventData.param1
+param2,Event.EventData.param2
+provider_Name,Event.EventData.Provider_Name
 sha1,Event.EventData.Hashes_sha1
\ No newline at end of file
From 8e682aa1e58e8911951973d90f95c1801a2bccf6 Mon Sep 17 00:00:00 2001
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sat, 18 Dec 2021 09:26:27 +0900
Subject: [PATCH 5/5] TargetInfo alias added
---
 config/eventkey_alias.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
index 7b3b19b6..ae5913e4 100644
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -153,6 +153,7 @@ SubjectUserName,Event.EventData.SubjectUserName
 SubjectUserSid,Event.EventData.SubjectUserSid
 TargetDomainName,Event.EventData.TargetDomainName
 TargetFilename,Event.EventData.TargetFilename
+TargetInfo,Event.EventData.TargetInfo
 TargetImage,Event.EventData.TargetImage
 TargetLogonId,Event.EventData.TargetLogonId
 TargetName,Event.EventData.TargetServerName
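Review bot: The new Defender rows `CategoryName,Event.EventData.Category Name`, `DetectionUser,Event.EventData.Detection User`, `SeverityName,Event.EventData.Severity Name`, `ThreatName,Event.EventData.Threat Name` and `WindowsDefenderProcessName,Event.EventData.Process Name` resolve to a path whose last segment contains a space; the Defender event XML does name its Data elements that way, but nothing in the hunk shows that the path lookup tolerates a space inside a segment, so these deserve a check against a real Defender record before rules depend on them. `Imphash,Event.EventData.Hashes` aliases to the whole concatenated hash string, whereas the context row `sha1,Event.EventData.Hashes_sha1` uses a derived per-algorithm key, so an Imphash rule matches only if the engine compares by substring; if it derives `Hashes_sha1`, a parallel derived key for the imphash would make the two rows consistent.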
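Review bot: `TargetInfo,Event.EventData.TargetInfo` is inserted between `TargetFilename` and `TargetImage`, which breaks the alphabetical order PATCH 4/5 imposed on the whole file, since `TargetImage` sorts before `TargetInfo`. A sorted list is what makes duplicate aliases such as the ones removed in PATCH 2/5 visible by eye, so the row belongs one line lower, after `TargetImage,Event.EventData.TargetImage`.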