CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

timeline event info update

Browse Source
This commit is contained in:
Tanaka Zakku
2021-12-23 12:31:04 +09:00
parent 7813fd6ac6
commit b85ccd5af3
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
config/timeline_event_info.txt
View File

@@ -1,8 +1,11 @@
eventid,event_title,detect_flg,comment
1,Sysmon process creation,Yes,
59,Bits Job Creation,Yes,
1100,Event logging service was shut down,,Good for finding signs of anti-forensics but most likely false positives when the system shuts down.
1101,Audit Events Have Been Dropped By The Transport,,
1102,Event log was cleared,Yes,Should not happen normally so this is a good event to look out for.
1107,Event processing error,,
4103,Powershell execution pipeline,Yes,
4608,Windows started up,,
4610,An authentication package has been loaded by the Local Security Authority,,
4611,A trusted logon process has been registered with the Local Security Authority,,
@@ -19,6 +22,8 @@ eventid,event_title,detect_flg,comment
4696,Primary token assigned to process,,
4692,Backup of data protection master key was attempted,,
4697,Service installed,,
4768,Kerberos TGT request,Yes,
4769,Kerberos service ticket request,Yes,
4717,System security access was granted to an account,,
4719,System audit policy was changed,,
4720,User account created,Yes,
@@ -34,7 +39,7 @@ eventid,event_title,detect_flg,comment
4727,Security global group was changed,,
4738,User accounts properties changed,,
4739,Domain policy changed,,
4776,NTLM logon to local user,,
4776,NTLM logon to local user,Yes,
4778,RDP session reconnected or user switched back through Fast User Switching,,
4779,RDP session disconnected or user switched away through Fast User Switching,,
4797,Attempt to query the account for a blank password,,
@@ -61,13 +66,15 @@ eventid,event_title,detect_flg,comment
5058,Key file operation,,
5059,Key migration operation,,
5061,Cryptographic operation,,
5140,Network share object was accessed,,
5140,Network share access,Yes,
5142,A network share object was added,,
5144,A network share object was deleted,,
5145,Network shared file access,Yes,
5379,Credential Manager credentials were read,,
5381,Vault credentials were read,,
5382,Vault credentials were read,,
5478,IPsec Services started,,
5889,An object was deleted to the COM+ Catalog,,
5890,An object was added to the COM+ Catalog,,
8001,Wireless access point connect,Yes,
unregistered_event_id,Unknown,,