Note - view this file in RAW form, since the asterisks in the queries are otherwise rendered as Markdown
View Template Name | Works With | Syntax |
---|---|---|
Microsoft Outlook - Only Email Folders | AutoDFIR | * AND NOT folder_name:(Journal OR Contacts OR Calendar OR Notes OR "Suggested Contacts" OR "RSS Feeds") |
Report Details | AutoDFIR | parser:evtxstats |
Privilege Escalation | Log2timeline | parser:selinux AND (/bin/sudo OR /bin/su) |
Privilege Escalation - Command Executed | Log2timeline | (parser:selinux AND (/bin/sudo OR /bin/su)) OR (reporter:sudo AND message:COMMAND) |
Shell Command History | Log2timeline | data_type:"shell:zsh:history" OR data_type:"shell:bash:history" |
SSH Activity | Log2timeline | audit_type:("CRED_ACQ" OR "USER_LOGIN" OR "USER_START" OR "USER_END") AND NOT message:(addr=? AND hostname=?) -"usr/sbin/crond" |
SSH - Brute Force Attempts | Log2timeline | reporter:sshd AND "more authentication failures" |
SSH - Failed Authentication | Log2timeline | reporter:sshd AND ("Failed password" OR "authentication failure") |
SSH - Successful Authentication | Log2timeline | reporter:sshd AND ("Accepted publickey" OR "Accepted password") |
SSH - Unknown Accounts | Log2timeline | reporter:sshd AND "invalid user" |
Windows Startup Persistence | Log2timeline | data_type:"windows:registry:appcompatcache" AND STARTUP |
Windows Event Logs - RDP Activity | AutoDFIR | (parser:evtxlogonparser AND logon_type:10) OR (data_type:event_log AND tag:"RDP") |
Windows Event Logs - Cleared | AutoDFIR, Log2timeline | (data_type:event_log AND eid:(104 OR 517 OR 1102)) OR (data_type:"windows:evtx:record" AND event_identifier:(104 OR 517 OR 1102)) |
Windows Event Logs - Enabled/Disabled | AutoDFIR | data_type:event_log AND eid:(612 OR 4719) |
Windows Event Logs - Explicit Credentials | AutoDFIR | data_type:event_log AND timestamp_desc:"Explicit Credentials" |
Windows Event Logs - Failed Logons | AutoDFIR | data_type:event_log AND timestamp_desc:"Logon Failed" AND NOT (source_hostname:"-" AND source_ip_address:"-" AND target_domain:"-" AND target_username:"-" AND username:"-" AND logon_type:"5" AND logon_process:"svchost.exe") |
Windows Event Logs - Windows FW: Rule added to exception list | AutoDFIR, Log2timeline | (data_type:event_log AND eid:2004) OR (data_type:"windows:evtx:record" AND event_identifier:2004) |
Windows Event Logs - Windows FW: Rule modified in exception list | AutoDFIR, Log2timeline | (data_type:event_log AND eid:2005) OR (data_type:"windows:evtx:record" AND event_identifier:2005) |
Windows Event Logs - Windows FW: Rule deleted from exception list | AutoDFIR, Log2timeline | (data_type:event_log AND eid:2006) OR (data_type:"windows:evtx:record" AND event_identifier:2006) |
Windows Event Logs - Kerberos Attacks | AutoDFIR | data_type:event_log AND eid:(540 OR 4624 OR 4634 OR 4672) AND (source_domain:. OR (exists:target_domain AND target_domain.length > 0)) |
Windows Event Logs - Logon Events | AutoDFIR, Log2timeline | event_identifier:(540 OR 4624) OR eid:(540 OR 4624) |
Windows FTP Logs | AutoDFIR, Log2timeline | ("Windows\System32\LogFiles" OR "inetpub\logs\LogFiles") AND FTPSVC AND ".log" |
Windows Web Server Root | AutoDFIR | data_type:registry AND value_name:PathWWWRoot |
Windows Web Logs | AutoDFIR, Log2timeline | ("Windows\System32\LogFiles" OR "inetpub\logs\LogFiles" OR "\LogFiles") AND (W3SVC OR HTTPERR) AND ".log" |