@linuxmalaysia
Last active March 15, 2024 13:51
Logstash pipeline for Windows events shipped by winlogbeat: translates common Event IDs into descriptions and maps them to Quadrants
# Receive events from Beats shippers (winlogbeat) on TCP 55044 and tag them so
# the filter and output sections can recognise them.
input {
  beats {
    id   => "01-beats-input"
    port => 55044
    tags => ["winlogbeat"]
    # No ssl options are set, so this listener is plaintext. That is acceptable on
    # a trusted segment; the input's ssl => true plus certificate settings is the
    # documented way to protect the beats connection otherwise.
  }
}
# https://github.com/siemonster/logstash/blob/master/10-windows-events-filter.conf
# https://github.com/siemonster/logstash
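# Enrichment for Windows Security events shipped by winlogbeat (the beats input
# tags them "winlogbeat"). Everything below only adds tags and fields; no event
# is dropped or rewritten.
filter {
  if "winlogbeat" in [tags] {
    mutate {
      add_tag => [ "beats" ]
    }

    # Translate common Event IDs into a one-line description stored in EventDesc.
    # NOTE(review): winlogbeat ships [event_id] as a number; the translate lookup
    # matches on the field's string form, hence the quoted keys. Confirm against
    # the shipped field type if EventDesc stays empty.
    translate {
      field       => "event_id"
      destination => "EventDesc"
      override    => true
      # Hash form of the inline dictionary: the translate plugin bundled with
      # Logstash 6 takes a hash, the older array form is rejected there.
      dictionary  => {
        "4625" => "4625 An account failed to log on"
        "4648" => "4648 A logon was attempted using explicit credentials"
        "4656" => "4656 A handle to an object was requested"
        "4662" => "4662 An operation was performed on an object"
        "4663" => "4663 An attempt was made to access an object"
        "4672" => "4672 Special privileges assigned to new logon"
        "4673" => "4673 A privileged service was called"
        "4690" => "4690 An attempt was made to duplicate a handle to an object"
        "4720" => "4720 A user account was created"
        "4722" => "4722 A user account was enabled"
        "4724" => "4724 An attempt was made to reset an accounts password"
        "4725" => "4725 A user account was disabled"
        "4727" => "4727 A security-enabled global group was created"
        "4728" => "4728 A member was added to a security-enabled global group"
        "4729" => "4729 A member was removed from a security-enabled global group"
        "4735" => "4735 A security-enabled local group was changed"
        "4737" => "4737 A security-enabled global group was changed"
        "4738" => "4738 A user account was changed"
        "4740" => "4740 A user account was locked out"
        "4754" => "4754 A security-enabled universal group was created"
        "4756" => "4756 A member was added to a security-enabled universal group"
        # Fixed wording: the original said "removed to".
        "4757" => "4757 A member was removed from a security-enabled universal group"
        "4767" => "4767 A user account was unlocked"
        "4768" => "4768 A Kerberos authentication ticket (TGT) was requested"
        "4769" => "4769 A Kerberos service ticket was requested"
        "4770" => "4770 A Kerberos service ticket was renewed"
        "4771" => "4771 Kerberos pre-authentication failed"
        "4780" => "4780 The ACL was set on accounts which are members of administrators groups"
        "4907" => "4907 Auditing settings on object were changed"
        "4932" => "4932 Synchronization of a replica of an Active Directory naming context has begun"
        "4933" => "4933 Synchronization of a replica of an Active Directory naming context has ended"
        "5136" => "5136 A directory service object was modified"
        "5145" => "5145 A network share object was checked to see whether client can be granted desired access"
        "5152" => "5152 The Windows Filtering Platform blocked a packet"
        "5157" => "5157 The Windows Filtering Platform has blocked a connection"
        "5159" => "5159 The Windows Filtering Platform has blocked a bind to a local port"
        "6272" => "6272 Network Policy Server granted access to a user"
        "6273" => "6273 Network Policy Server denied access to a user"
        "6274" => "6274 Network Policy Server discarded the request for a user"
        "6278" => "6278 Network Policy Server granted full access to a user because the host met the defined health policy"
      }
    }

    # Map the same Event IDs to an urgency/importance quadrant (field "quadrant").
    # Comments and feedback on the mapping:
    # https://docs.google.com/document/d/1UqTe3Svsy5_hJUgG4AY6xYJe9AEI8Xksy45KIsdHaz8/edit?usp=sharing
    translate {
      field       => "event_id"
      destination => "quadrant"
      override    => true
      dictionary  => {
        "4625" => "Urgent And Important"
        "4648" => "Important And Not Urgent"
        "4656" => "Not Important And Not Urgent"
        "4662" => "Not Important And Not Urgent"
        "4663" => "Urgent And Not Important"
        "4672" => "Urgent And Not Important"
        "4673" => "Urgent And Not Important"
        "4690" => "Important And Not Urgent"
        "4720" => "Important And Not Urgent"
        "4722" => "Important And Not Urgent"
        "4724" => "Urgent And Important"
        "4725" => "Important And Not Urgent"
        "4727" => "Important And Not Urgent"
        "4728" => "Urgent And Important"
        "4729" => "Urgent And Important"
        "4735" => "Important And Not Urgent"
        "4737" => "Important And Not Urgent"
        "4738" => "Important And Not Urgent"
        "4740" => "Urgent And Important"
        "4754" => "Urgent And Not Important"
        "4756" => "Urgent And Important"
        "4757" => "Urgent And Important"
        "4767" => "Important And Not Urgent"
        "4768" => "Not Important And Not Urgent"
        "4769" => "Not Important And Not Urgent"
        "4770" => "Important And Not Urgent"
        "4771" => "Urgent And Important"
        "4780" => "Important And Not Urgent"
        "4907" => "Not Important And Not Urgent"
        "4932" => "Not Important And Not Urgent"
        "4933" => "Not Important And Not Urgent"
        "5136" => "Not Important And Not Urgent"
        "5145" => "Not Important And Not Urgent"
        "5152" => "Not Important And Not Urgent"
        "5157" => "Not Important And Not Urgent"
        "5159" => "Important And Not Urgent"
        "6272" => "Important And Not Urgent"
        "6273" => "Important And Not Urgent"
        "6274" => "Not Important And Not Urgent"
        "6278" => "Urgent And Not Important"
      }
    }
  }

  # Any event that received a description is one of the "common" IDs and is
  # routed to the correlation index by the output section.
  if [EventDesc] {
    mutate {
      add_tag => [ "common_event_id", "windows_correlation" ]
    }
  }

  # PowerShell events: when the message mentions a function name listed in the
  # PWRSHELL pattern (file under patterns_dir), record it in [scriptname], set
  # the alert field and route the event to the correlation index. A non-matching
  # message gets grok's default _grokparsefailure tag and nothing else.
  if [source_name] == "PowerShell" {
    grok {
      patterns_dir => ["/etc/logstash/powershell-patterns"]
      match        => { "message" => "%{PWRSHELL:scriptname}" }
      add_field    => { "PwrShellAlert" => "true" }
      add_tag      => [ "power_shell_alert", "windows_correlation" ]
    }
  }

  # Identify machine accounts (names carrying a "$").
  # Fix: winlogbeat nests the field, so the reference is
  # [event_data][TargetUserName]. The dotted form [event_data.TargetUserName]
  # names one top-level key that winlogbeat does not emit, so the old condition
  # never matched and every event was marked machine => "false".
  if [event_data][TargetUserName] =~ /\$/ {
    mutate {
      add_field => { "machine" => "true" }
    }
  } else {
    mutate {
      add_field => { "machine" => "false" }
    }
  }

  # Kept disabled from the original for reference. Both blocks use field names
  # ([TargetUserName], [EventID]) that differ from the winlogbeat names used
  # above ([event_data][TargetUserName], [event_id]); adjust before enabling.
  # Extract username from email
  #if [TargetUserName] =~ /\@/ {
  #  grok {
  #    match => ["TargetUserName", "%{WORD:TargetUserName}"]
  #    overwrite => ["TargetUserName"]
  #  }
  #}
  # Add field for admin users
  #if [EventID] == 4728 or [EventID] == 4756 {
  #  if [TargetUserName] == "Admin Group 1" or [TargetUserName] == "Admin Group 2" {
  #    mutate {
  #      add_field => { "admin" => "true" }
  #    }
  #  }
  #}

  # Failed logons: Kerberos pre-authentication failure (4771) or failed logon
  # (4625) from a non-machine account. Parenthesised explicitly; the original
  # "a or b and c" left the grouping to the parser.
  if ([event_id] == 4771 or [event_id] == 4625) and [machine] == "false" {
    mutate {
      add_tag => [ "logon_failure" ]
    }
  }

  # NOTE(review): 4648 is "a logon was attempted using explicit credentials"
  # (see the EventDesc table above), not a completed logon; a successful logon
  # is event 4624, which this config does not translate. Left as the author had
  # it — confirm what "logon_success" is meant to capture.
  if [event_id] == 4648 {
    mutate {
      add_tag => [ "logon_success" ]
    }
  }
}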
###
# Two Elasticsearch destinations. An event can match both conditions and is then
# indexed twice: once in the beat's own daily index, once in the correlation index.
output {
  # Every winlogbeat event goes to the beat's daily index on the local node.
  if "winlogbeat" in [tags] {
    elasticsearch {
      id    => "90-beats-output"
      hosts => ["localhost:9200"]
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }

  # Events the filter marked for correlation get a dedicated daily index; its
  # index template has to exist beforehand (winlogbeat's template can be reused).
  # https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html
  if "windows_correlation" in [tags] {
    elasticsearch {
      # NOTE(review): the first host is on port 8083 while the others use 9200;
      # confirm this is a deliberate proxy port and not a typo for 9200.
      # Neither output sets credentials or TLS (the user/password/ssl options),
      # so the cluster is reached in plaintext — fine only on a trusted network.
      hosts => ["localhost:8083", "elk2:9200", "elk3:9200"]
      index => "windows-correlation-v6-%{+YYYY.MM.dd}"
    }
  }
}
## For version 6, using logstash, load the index template with:
## filebeat setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
###
### Content for patterns_dir => "/etc/logstash/powershell-patterns"
### https://github.com/siemonster/logstash/blob/master/powershell-patterns
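# Grok pattern file content for patterns_dir => "/etc/logstash/powershell-patterns".
# PWRSHELL matches, case-insensitively and on word boundaries, function names
# and switches that are characteristic of offensive PowerShell tooling; the
# filter stores the matched name in [scriptname].
# Fixes over the pasted original:
#  - the trailing "|)" alternative matched the empty string, so the pattern hit
#    every message and PwrShellAlert fired for all PowerShell events; removed.
#  - the stray space after Enable-DuplicateToken and the line break inside
#    Write-UserAddServiceBinary are repaired, duplicate alternatives dropped.
#  - names mangled by copy/paste are restored to their published spellings
#    (Invoke-Decode, Invoke-PowerShellWmi, Invoke-TokenManipulation,
#    Remove-PoshRat, ConvertFrom-UnattendXmlPassword, Get-ADDBDomainController,
#    Invoke-MimikatzWDigestDowngrade, and Add-ScrnSaveBackdoor / Base64ToString
#    which had been fused into one token).
# Short tokens such as Payload, EncodedCommand or Set-ExecutionPolicy also occur
# in benign text; tune the list per environment rather than treating a match as
# a confirmed incident.
PWRSHELL \b((?i)Add-Exfiltration|Add-Persistence|Add-ScrnSaveBackdoor|Base64ToString|Check-VM|Copy-VSS|Create-MultipleSessions|DNS_TXT_Pwnage|Discover-PSInterestingServices|Discover-PSMSExchangeServers|Discover-PSMSSQLServers|DllInjection|Invoke-Mimikatz|Do-Exfiltration|Download-Execute-PS|Download_Execute|Enable-DuplicateToken|EncodedCommand|Execute-Command-MSSQL|Execute-DNSTXT-Code|Execute-OnTime|Find-AVSignature|Find-PSServiceAccounts|Get-ApplicationHost|Get-GPPPassword|Get-Information|Get-KerberosPolicy|Get-Keystrokes|Get-LsaSecret|Get-PSADForestInfo|Get-PSADForestKRBTGTInfo|Get-PassHashes|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-ServiceEXEPerms|Get-ServicePerms|Get-ServiceUnquoted|Get-TimedScreenshot|Get-UnattendedInstallFiles|Get-VaultCredential|Get-Webconfig|Gupt-Backdoor|HTTP-Backdoor|Invoke-ADSBackdoor|Invoke-AllChecks|Invoke-BruteForce|Invoke-CallbackIEX|Invoke-CreateCertificate|Invoke-CredentialInjection|Invoke-CredentialsPhish|Invoke-Decode|Invoke-DllEncode|Invoke-Encode|Invoke-FindDLLHijack|Invoke-FindPathHijack|Invoke-MassCommand|Invoke-MassMimikatz|Invoke-MassSearch|Invoke-MassTemplate|Invoke-MassTokens|Invoke-MimikatzWDigestDowngrade|Invoke-NetworkRelay|Invoke-NinjaCopy|Invoke-PSGcat|Invoke-PSInject|Invoke-PoshRatHttp|Invoke-PoshRatHttps|Invoke-PowerShellIcmp|Invoke-PowerShellTcp|Invoke-PowerShellUdp|Invoke-PowerShellWmi|Invoke-PsGcatAgent|Invoke-ServiceCMD|Invoke-ServiceDisable|Invoke-ServiceEnable|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceUserAdd|Invoke-Shellcode|Invoke-ShellcodeMSIL|Invoke-TokenManipulation|Mimikatz|New-ElevatedPersistenceOption|Out-CHM|Out-Excel|Out-HTA|Out-Java|Out-Minidump|Out-Shortcut|Out-Word|Parse_Keys|Payload|Port-Scan|ReflectivePEInjection|Remove-Persistence|Remove-PoshRat|Remove-Update|Restore-ServiceEXE|Run-EXEonRemote|Set-ExecutionPolicy|Set-MasterBootRecord|StringtoBase64|TexttoEXE|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Write-UserAddMSI|Write-UserAddServiceBinary|powercat|Get-ADReplAccount|Set-SamAccountPasswordHash|Get-ADReplBackupKey|Get-ADDBAccount|Get-BootKey|Set-BootKey|Get-ADDBBackupKey|Add-ADDBSidHistory|Set-ADDBPrimaryGroup|Get-ADDBDomainController|Set-ADDBDomainController|Get-ADDBSchemaAttribute|Remove-ADDBObject|ConvertTo-NTHash|ConvertTo-LMHash|ConvertTo-OrgIdHash|ConvertFrom-GPPrefPassword|ConvertTo-GPPrefPassword|ConvertFrom-UnattendXmlPassword|ConvertTo-UnicodePassword|ConvertFrom-ADManagedPasswordBlob)\b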