* Feature/call error message struct#66 (#69)
* change way to use write trait #66
* change call error message struct #66
* erase finished TODO #66
* erase comment in error message format test #66
* resolve conflict #66
* Feature/call error message struct#66 (#71)
* change ERROR writeln struct #66
* add Kerberoasting & AS-REP Roasting Rule #91
* fix rule and add alias #91
26 lines
1.0 KiB
Plaintext
alias,event_key
EventID,Event.System.EventID
Channel,Event.System.Channel
CommandLine,Event.EventData.CommandLine
ParentProcessName,Event.EventData.ParentProcessName
Signed,Event.EventData.Signed
ProcessName,Event.EventData.ProcessName
AccessMask,Event.EventData.AccessMask
TargetUserName,Event.EventData.TargetUserName
param1,Event.EventData.param1
param2,Event.EventData.param2
ServiceName,Event.EventData.ServiceName
ImagePath,Event.EventData.ImagePath
ContextInfo,Event.EventData.ContextInfo
Path,Event.EventData.Path
ScriptBlockText,Event.EventData.ScriptBlockText
MemberName,Event.EventData.MemberName
MemberSid,Event.EventData.MemberSid
TargetSid,Event.EventData.TargetSid
LogFileCleared,Event.UserData.LogFileCleared.SubjectUserName
LogFileClearedSubjectUserName,Event.UserData.SubjectUserName
SubjectUserName,Event.EventData.SubjectUserName
SubjectUserSid,Event.EventData.SubjectUserSid
DomainName,Event.EventData.SubjectDomainName
TicketEncryptionType,Event.EventData.TicketEncryptionType
PreAuthType,Event.EventData.PreAuthType