From b85ccd5af349961719e00a43f07395c3680344a2 Mon Sep 17 00:00:00 2001
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Date: Thu, 23 Dec 2021 12:31:04 +0900
Subject: [PATCH] timeline event info update
---
 config/timeline_event_info.txt | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/config/timeline_event_info.txt b/config/timeline_event_info.txt
index d1e1e642..74fe361c 100644
--- a/config/timeline_event_info.txt
+++ b/config/timeline_event_info.txt
@@ -1,8 +1,11 @@
 eventid,event_title,detect_flg,comment
+1,Sysmon process creation,Yes,
+59,Bits Job Creation,Yes,
 1100,Event logging service was shut down,,Good for finding signs of anti-forensics but most likely false positives when the system shuts down.
 1101,Audit Events Have Been Dropped By The Transport,,
 1102,Event log was cleared,Yes,Should not happen normally so this is a good event to look out for.
 1107,Event processing error,,
+4103,Powershell execution pipeline,Yes,
 4608,Windows started up,,
 4610,An authentication package has been loaded by the Local Security Authority,,
 4611,A trusted logon process has been registered with the Local Security Authority,,
@@ -19,6 +22,8 @@ eventid,event_title,detect_flg,comment
 4696,Primary token assigned to process,,
 4692,Backup of data protection master key was attempted,,
 4697,Service installed,,
+4768,Kerberos TGT request,Yes,
+4769,Kerberos service ticket request,Yes,
 4717,System security access was granted to an account,,
 4719,System audit policy was changed,,
 4720,User account created,Yes,
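Review bot: The rows added with detect_flg set to Yes (1, 59 and 4103 here, 4768/4769 in the next hunk, 4776, 5140, 5145 and 8001 in the later ones) leave the comment column empty, while the existing flagged row 1102 explains why it deserves attention. eventid is the only key in this file, and the new EID 1 and 59 appear from their titles to come from provider-specific channels (Sysmon, BITS-Client) rather than the Security log like the rows around them, so a short comment naming the expected channel would keep the file self-describing, e.g. `1,Sysmon process creation,Yes,Sysmon operational log (not Security EID 1); a baseline of all process starts, useful for correlation rather than alerting.` The 4103 title spells the product "Powershell"; the vendor spelling is "PowerShell".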
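Review bot: 4768 and 4769 are inserted between 4697 and 4717, ahead of the 4717-4739 run and of 4776, which breaks the ascending event-ID order the rest of this file follows (the existing 4696/4692 pair is the one exception) and makes later lookups and merges harder; they belong just before 4776 in the next hunk. Both are also flagged Yes with no comment, yet on a domain controller a TGT or service-ticket request is emitted for routine authentication, so the comment column should set expectations the way the 1100 row does. Something like `4769,Kerberos service ticket request,Yes,Very high volume on DCs; mainly useful for correlating account activity rather than as a standalone alert.` would tell a reader what to expect in the timeline.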
@@ -34,7 +39,7 @@ eventid,event_title,detect_flg,comment
 4727,Security global group was changed,,
 4738,User accounts properties changed,,
 4739,Domain policy changed,,
-4776,NTLM logon to local user,,
+4776,NTLM logon to local user,Yes,
 4778,RDP session reconnected or user switched back through Fast User Switching,,
 4779,RDP session disconnected or user switched away through Fast User Switching,,
 4797,Attempt to query the account for a blank password,,
@@ -61,13 +66,15 @@ eventid,event_title,detect_flg,comment
 5058,Key file operation,,
 5059,Key migration operation,,
 5061,Cryptographic operation,,
-5140,Network share object was accessed,,
+5140,Network share access,Yes,
 5142,A network share object was added,,
 5144,A network share object was deleted,,
+5145,Network shared file access,Yes,
 5379,Credential Manager credentials were read,,
 5381,Vault credentials were read,,
 5382,Vault credentials were read,,
 5478,IPsec Services started,,
 5889,An object was deleted to the COM+ Catalog,,
 5890,An object was added to the COM+ Catalog,,
+8001,Wireless access point connect,Yes,
 unregistered_event_id,Unknown,,
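Review bot: The 5140 title is rewritten to `Network share access` while its neighbours 5142 and 5144 keep the `A network share object was ...` wording, so the three related share events no longer read as a set; keeping `5140,Network share object was accessed,Yes,` would change only the flag, which is the actual intent of the line. 5140 and the new 5145 are both flagged Yes with an empty comment, and file-share auditing produces one event per share or file access, so a note like the one on 1100 about expected noise would help a reader triage, e.g. `5145,Network shared file access,Yes,Requires the Detailed File Share audit subcategory; very noisy on file servers, correlate with 5140.` The same empty-comment pattern applies to the 4776 flag change in the previous hunk and to 8001 at the end of this one.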