@hiddenillusion
Last active June 27, 2020 10:15

Note - view this file in RAW form since asterisks get markdown'ed

| View Template Name | Works With | Syntax |
| --- | --- | --- |
| Microsoft Outlook - Only Email Folders | AutoDFIR | `* AND NOT folder_name:(Journal OR Contacts OR Calendar OR Notes OR "Suggested Contacts" OR "RSS Feeds")` |
| Report Details | AutoDFIR | `parser:evtxstats` |
| Privilege Escalation | Log2timeline | `parser:selinux AND (/bin/sudo OR /bin/su)` |
| Privilege Escalation - Command Executed | Log2timeline | `(parser:selinux AND (/bin/sudo OR /bin/su)) OR (reporter:sudo AND message:COMMAND)` |
| Shell Command History | Log2timeline | `data_type:"shell:zsh:history" OR data_type:"shell:bash:history"` |
| SSH Activity | Log2timeline | `audit_type:("CRED_ACQ" OR "USER_LOGIN" OR "USER_START" OR "USER_END") AND NOT message:(addr=? AND hostname=?) -"usr/sbin/crond"` |
| SSH - Brute Force Attempts | Log2timeline | `reporter:sshd AND "more authentication failures"` |
| SSH - Failed Authentication | Log2timeline | `reporter:sshd AND ("Failed password" OR "authentication failure")` |
| SSH - Successful Authentication | Log2timeline | `reporter:sshd AND ("Accepted publickey" OR "Accepted password")` |
| SSH - Unknown Accounts | Log2timeline | `reporter:sshd AND invalid user` |
| Windows Startup Persistence | Log2timeline | `data_type:"windows:registry:appcompatcache" AND STARTUP` |
| Windows Event Logs - RDP Activity | AutoDFIR | `(parser:evtxlogonparser AND logon_type:10) OR (data_type:event_log AND tag:"RDP")` |
| Windows Event Logs - Cleared | AutoDFIR, Log2timeline | `(data_type:event_log AND eid:(104 OR 517 OR 1102)) OR (data_type:"windows:evtx:record" AND event_identifier:(104 OR 517 OR 1102))` |
| Windows Event Logs - Enabled/Disabled | AutoDFIR | `data_type:event_log AND eid:(612 OR 4719)` |
| Windows Event Logs - Explicit Credentials | AutoDFIR | `data_type:event_log AND timestamp_desc:"Explicit Credentials"` |
| Windows Event Logs - Failed Logons | AutoDFIR | `data_type:event_log AND timestamp_desc:"Logon Failed" AND NOT (source_hostname:"-" AND source_ip_address:"-" AND target_domain:"-" AND target_username:"-" AND username:"-" AND logon_type:"5" AND logon_process:"svchost.exe")` |
| Windows Event Logs - Windows FW: Rule added to exception list | AutoDFIR, Log2timeline | `(data_type:event_log AND eid:2004) OR (data_type:"windows:evtx:record" AND event_identifier:2004)` |
| Windows Event Logs - Windows FW: Rule modified in exception list | AutoDFIR, Log2timeline | `(data_type:event_log AND eid:2005) OR (data_type:"windows:evtx:record" AND event_identifier:2005)` |
| Windows Event Logs - Windows FW: Rule deleted from exception list | AutoDFIR, Log2timeline | `(data_type:event_log AND eid:2006) OR (data_type:"windows:evtx:record" AND event_identifier:2006)` |
| Windows Event Logs - Kerberos Attacks | AutoDFIR | `data_type:event_log AND eid:(540 OR 4624 OR 4634 OR 4672) AND (source_domain:. OR (exists:target_domain AND target_domain.length > 0))` |
| Windows Event Logs - Logon Events | AutoDFIR, Log2timeline | `event_identifier:(540 OR 4624) OR eid:(540 OR 4624)` |
| Windows FTP Logs | AutoDFIR, Log2timeline | `("Windows\System32\LogFiles" OR "inetpub\logs\LogFiles") AND FTPSVC AND ".log"` |
| Windows Web Server Root | AutoDFIR | `data_type:registry AND value_name:PathWWWRoot` |
| Windows Web Logs | AutoDFIR, Log2timeline | `("Windows\System32\LogFiles" OR "inetpub\logs\LogFiles" OR "\LogFiles") AND (W3SVC OR HTTPERR) AND ".log"` |