- HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
- HKLM\System\CurrentControlSet\Control\WMI\Security\08dd09cd-9050-5a49-02f8-46fd443360a8
- HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\ChannelReferences\0
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\ChannelReferences
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", "" | |
SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLs" | |
SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime" | |
Software\\Policies\\Microsoft Services\\AdmPwd", "AdmPwdEnabled" | |
Software\\Policies\\Microsoft Services\\AdmPwd", "AdminAccountName" | |
Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordComplexity" | |
Software\\Policies\\Microsoft Services\\AdmPwd", "PasswordLength" | |
Software\\Policies\\Microsoft Services\\AdmPwd", "PwdExpirationProtectionEnabled" | |
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer" | |
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer" |
// Deployment-time UTC timestamp. The default is evaluated once per deployment (utcNow() is
// only accepted as a parameter default), so callers get a stable value for the whole run.
// Presumably used to time-stamp or uniquify resource names — verify against the consumers.
param utcValue string { | |
default: utcNow() | |
metadata: { | |
description: 'Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used' | |
} | |
} | |
param workspaceName string { | |
metadata: { | |
description: 'Name for the Log Analytics workspace used to aggregate data.' | |
} |
resource azureSentinel 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = { | |
name: concat('SecurityInsights(',workspace.name,')') // Implicit Dependency | |
location: 'eastus' | |
properties: { | |
workspaceResourceId: workspace.id | |
} | |
plan: { | |
name: concat('SecurityInsights(',workspace.name,')') // Implicit Dependency | |
product: 'OMSGallery/SecurityInsights' | |
publisher: 'Microsoft' |
// Values handed back to whoever runs this deployment: workspace name, Log Analytics
// customer (workspace) id, and the workspace's primary shared key.
output workspaceNameOutput string = uniqueWorkspace | |
output workspaceIdOutput string = reference(workspace.id, workspace.apiVersion).customerId | |
// NOTE(review): this emits the primary shared key as a plain-text deployment output.
// Deployment outputs are recorded in the resource group's deployment history, so anyone
// who can read deployments can read this key, long after the run. Confirm callers really
// need it here; otherwise drop the output and fetch the key at use time (listKeys from the
// consuming template/script), or treat the key as exposed and rotate it after deployment.
output workspacekeyOutput string = listKeys(workspace.id, workspace.apiVersion).primarySharedKey |
// Deployment-time UTC timestamp. The default is evaluated once per deployment (utcNow() is
// only accepted as a parameter default), so callers get a stable value for the whole run.
// Presumably used to time-stamp or uniquify resource names — verify against the consumers.
param utcValue string { | |
default: utcNow() | |
metadata: { | |
description: 'Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used' | |
} | |
} | |
param workspaceName string { | |
metadata: { | |
description: 'Name for the Log Analytics workspace used to aggregate data.' | |
} |
resource workspace 'Microsoft.OperationalInsights/workspaces@2020-03-01-preview' = { | |
name: 'UniqueWorkspaceName' // must be globally unique | |
location: 'eastus' | |
properties: { | |
sku: { | |
name: 'PerGB2018' | |
} | |
retentionInDays: 30 | |
features: { | |
immediatePurgeDataOn30Days: true |
using System; | |
using System.Net; | |
using System.Linq; | |
using System.Text; | |
using System.Text.RegularExpressions; | |
using System.IO.Pipes; | |
using System.Reflection; | |
using System.Collections.Generic; | |
using System.Security.Cryptography; |
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks" | |
\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" | |
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\" | |
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" | |
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" | |
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" | |
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\" | |
\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" | |
\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" | |
\AppData\\Roaming\\gcloud\\credentials.db" |