What users are logging into machines?
Windows.Sys.AllUsers
SELECT Name, UUID, Mtime, count()
FROM source(artifact="Windows.Sys.AllUsers")
WHERE Name
name: Generic.Search.PDF
description: |
  This artifact searches PDF files for a keyword.
parameters:
  - name: PDFGlob
    default: /tmp/*.pdf
    description: A glob to find PDF files
  - name: YaraRule
    type: yara
remappings:
  - type: permissions
    permissions:
      - COLLECT_CLIENT
      - FILESYSTEM_READ
      - FILESYSTEM_WRITE
      - READ_RESULTS
      - MACHINE_STATE
      - SERVER_ADMIN
  - type: impersonation
### Extended Attribute
# 1. Download https://github.com/jschicht/EaTools to C:\PerfLogs (this step was run previously if you ran our setup script)
https://github.com/jschicht/EaTools/raw/master/EaInject64.exe
https://github.com/jschicht/EaTools/raw/master/EaQuery64.exe
# 2. Add EA to file
copy C:\Windows\System32\calc.exe C:\PerfLogs\calc.exe
C:\PerfLogs\EaInject64.exe /Payload:C:\PerfLogs\calc.exe /Container:C:\PerfLogs\just_a_file.txt /Mode:0 /Identifier:NOTHINGTOSEEHERE
Sysmon Field | ECS Field
---|---
System.EventID | maps to event.type = "start"
EventData.Image | strip directory part and store in `process.name`
EventData.OriginalFileName | stored in `process.pe.original_file_name`
EventData.CommandLine | is split into array and stored in `process.args`
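The four mappings in the table, as an added example that is not part of the original page (the Sysmon record layout and its System/EventData key names are assumptions). The `process.args` split follows the Windows argv rules rather than a plain whitespace split, so a quoted path containing spaces stays one argument.

```python
import ntpath

def split_windows_command_line(cmdline: str) -> list[str]:
    """argv split per CommandLineToArgvW: blanks separate, quotes group, backslashes escape only a quote."""
    args, cur, in_quotes, in_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            if j < len(cmdline) and cmdline[j] == '"':
                # 2n backslashes before a quote -> n literal backslashes; an odd run also makes the quote literal
                cur.append("\\" * ((j - i) // 2))
                if (j - i) % 2:
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * (j - i))  # backslashes elsewhere are literal
            i, in_arg = j, True
            continue
        if c == '"':
            in_quotes, in_arg = not in_quotes, True
        elif c in " \t" and not in_quotes:
            if in_arg:
                args.append("".join(cur))
                cur, in_arg = [], False
        else:
            cur.append(c)
            in_arg = True
        i += 1
    if in_arg:
        args.append("".join(cur))
    return args

def sysmon_to_ecs(event: dict) -> dict:
    """Apply the table's mappings to one Sysmon record; the System/EventData key layout is assumed."""
    data, ecs = event["EventData"], {}
    if event["System"]["EventID"] == 1:  # Sysmon process creation
        ecs["event.type"] = "start"
    ecs["process.name"] = ntpath.basename(data.get("Image", ""))  # strip directory part
    ecs["process.pe.original_file_name"] = data.get("OriginalFileName")
    ecs["process.args"] = split_windows_command_line(data.get("CommandLine", ""))
    return ecs

SAMPLE_EVENT = {  # constructed sample record, not captured from a real host
    "System": {"EventID": 1},
    "EventData": {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
                  "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir "C:\Program Files"'},
}
```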
SELECT "C:/" + FullPath AS FullPath,
       InUse, FileName, FileSize,
       dict(
         Created0x10 = Created0x10,
         LastModified0x10 = LastModified0x10,
         LastRecordChange0x10 = LastRecordChange0x10,
         LastAccess0x10 = LastAccess0x10
       ) AS SI,
       dict(
name: Custom.Windows.Audit.SCA
sources:
  - query: |
      LET results <= SELECT * FROM chain(
        id0_0={
          SELECT 14500 AS ID,
            '''Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' ''' AS Title,
            get(field='''LimitBlankPasswordUse''') AS ActualValue,
            '''1''' AS ExpectedValue,
name: Custom.Windows.ETW.DNSQueries
type: CLIENT_EVENT
sources:
  - precondition:
      SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      SELECT System.TimeStamp AS Timestamp,
        EventData.QueryName AS Query,