80 commits
f98b3d9
Added unit tests for the rule (RDP_Tunneling)
shadow2033 Jul 27, 2023
a52fe44
Added unit tests for the rule (RDP_Tunneling_via_SSH_5156)
shadow2033 Jul 27, 2023
1533d64
Added unit tests for the rule (Chrome_firefox_opera_cred_read)
shadow2033 Jul 27, 2023
b14976a
Extended the data fields we expect for the rule (Credentials_Mini…
shadow2033 Jul 27, 2023
41cfcfd
Added unit tests for the rule (DCSync)
shadow2033 Jul 27, 2023
14f6eab
Added unit tests for the rule (Dump_lsass_via_process_access)
shadow2033 Jul 27, 2023
40948d7
Added unit tests for the rule (KeePass_CredDump)
shadow2033 Jul 27, 2023
19ad9a8
Extended the data fields we expect for the rule (Keepass_Key_Dump…
shadow2033 Jul 27, 2023
112eb86
Added unit tests for the rule (Kerberos_pwd_spraying)
shadow2033 Jul 29, 2023
f6774e0
Added a unit test for the rule (LSASS_Dump_Create)
shadow2033 Jul 29, 2023
1eba465
Added unit tests for the rule (Mimikatz)
shadow2033 Jul 29, 2023
d184328
Removed duplicate tests, extended the data fields we expect for …
shadow2033 Jul 29, 2023
6ab4993
Added a unit test for the rule (Phishing_windows_credentials_pow…
shadow2033 Jul 29, 2023
8f87f1b
Added unit tests for the rule (PPL_Bypass_via_PPLDump_Tool)
shadow2033 Jul 29, 2023
1b21958
Added unit tests for the rule (Remote_registry_access)
shadow2033 Jul 29, 2023
467a7ec
Added a unit test for the rule (Change_powershell_policy_registry)
shadow2033 Jul 31, 2023
f9e306a
Added a unit test, extended the data fields we expect for …
shadow2033 Jul 31, 2023
6937ce3
Extended the data fields we expect for the rule (DCShadow_Attack)
shadow2033 Jul 31, 2023
7f683b1
Added a unit test for the rule (Detect_Fake_ComputerAccount)
shadow2033 Jul 31, 2023
1827988
Added a unit test for the rule (Detect_hiding_files_via_attrib_c…
shadow2033 Jul 31, 2023
bd44631
Extended the data fields we expect for the rule (Detect_lolbin_pc…
shadow2033 Jul 31, 2023
c25f538
Added a unit test for the rule (ImageLoad_from_Network_Share_to_…
shadow2033 Jul 31, 2023
ee693bc
Added unit tests for the rule (Portproxy_netsh)
shadow2033 Jul 31, 2023
2544e5f
Added unit tests for the rule (RDP_settings_tampering)
shadow2033 Jul 31, 2023
3f12eab
Added a unit test for the rule (ReverseShell_created_via_PEInjec…
shadow2033 Jul 31, 2023
4cb1f6e
Added a unit test for the rule (Subrule_ParentPid_Spoofing)
shadow2033 Jul 31, 2023
7e794fb
Extended the data fields we expect for the rule (Suspend_Process)
shadow2033 Jul 31, 2023
bd71b62
Added a unit test for the rule (Suspicious_Explorer_Injection)
shadow2033 Jul 31, 2023
2e5488c
Added a unit test for the rule (Bloodhound)
shadow2033 Jul 31, 2023
ea42aec
Added unit tests for the rule (Enumeration_Users_In_Groups)
shadow2033 Jul 31, 2023
f7d7c52
Added unit tests for the rule (Local_Groups_Enumeration_Disco…
shadow2033 Jul 31, 2023
7e76d8d
Extended the data fields we expect for the rule (Detect_execution…
shadow2033 Aug 1, 2023
8d87173
Added unit tests for the rule (Schtasks_Commandline)
shadow2033 Aug 1, 2023
3705a30
Added a unit test for the rule (Start_process_as_vshadow_child)
shadow2033 Aug 1, 2023
1c6a5e7
Added unit tests for the rule (VSSVC_service_state_changed)
shadow2033 Aug 1, 2023
efa885f
Added a unit test for the rule (XP_Cmdshell_Usage)
shadow2033 Aug 1, 2023
a0b9b20
Added unit tests for the rule (ProxyNotShell:)
shadow2033 Aug 1, 2023
1b9ab9c
Removed duplicate tests, extended the data fields we expect …
shadow2033 Aug 1, 2023
1261745
Added unit tests for the rule (Change_wmi_subscription)
shadow2033 Aug 1, 2023
22be1ea
Added a unit test for the rule (Create_hidden_local_account)
shadow2033 Aug 1, 2023
9a58add
Added unit tests for the rule (Create_persist_via_Hidden_Run_…
shadow2033 Aug 1, 2023
5d0ebad
Added unit tests for the rule (Create_persist_via_WinlogonShell)
shadow2033 Aug 1, 2023
40d52d9
Added unit tests for the rule (DCSync_prepare_Add_replicatati…
shadow2033 Aug 1, 2023
d3bded7
Added a unit test, extended the data fields we expect for …
shadow2033 Aug 1, 2023
233a21f
Added unit tests for the rule (Use_persist_Start_process_via_…
shadow2033 Aug 1, 2023
07d2947
Added unit tests for the rule (XP_Cmdshell_Enable)
shadow2033 Aug 1, 2023
676676e
Added unit tests for the rule (CreateProcessAsUser_Impersona…
shadow2033 Aug 2, 2023
59a4d1e
Extended the data fields we expect for the rule (Detect_Pass_the_…
shadow2033 Aug 2, 2023
b4f6950
Added unit tests for the rule (Named_Pipe_Impersonation_Priv…
shadow2033 Aug 2, 2023
faf81f8
Added a unit test for the rule (Potential_Privileged_Escalation_…
shadow2033 Aug 2, 2023
e3deb0f
Added unit tests for the rule (sAMAccountName_Spoofing)
shadow2033 Aug 2, 2023
ea3438a
Removed duplicate unit tests, extended the data fields we …
shadow2033 Aug 2, 2023
6063aa6
Added unit tests, extended the data fields we expect for …
shadow2033 Aug 2, 2023
ce7ec20
Extended the data fields we expect for the rule (Unquoted_Serv…
shadow2033 Aug 2, 2023
33972d6
Merge branch 'feature/add_Change_powershell_policy_registry_unit_test'
shadow2033 Aug 15, 2023
fdeea8a
Merge branch 'feature/add_Change_wmi_subscription_unit_test'
shadow2033 Aug 15, 2023
5a251fe
Merge branch 'feature/add_Chrome_firefox_opera_cred_read_unit_test'
shadow2033 Aug 15, 2023
ef69097
Merge branch 'feature/add_Clearing_eventlog_unit_test'
shadow2033 Aug 15, 2023
c7168e3
Merge branch 'feature/add_CreateProcessAsUser_Impersonation_unit_test'
shadow2033 Aug 15, 2023
032263f
Merge branch 'feature/add_Create_hidden_local_account_unit_test'
shadow2033 Aug 15, 2023
c2838ad
Merge branch 'feature/add_Create_persist_via_Hidden_Run_key_value_uni…
shadow2033 Aug 15, 2023
1610204
Merge branch 'feature/add_Create_persist_via_WinlogonShell_unit_test'
shadow2033 Aug 15, 2023
27d3c08
Merge branch 'feature/add_Credentials_MiniDumpWriteDump_Lsass_unit_test'
shadow2033 Aug 15, 2023
33ac8c6
Merge branch 'feature/add_DCShadow_Attack_unit_test'
shadow2033 Aug 15, 2023
3f4edf6
Merge branch 'feature/add_DCSync_prepare_Add_replicatation_rights_to_…
shadow2033 Aug 15, 2023
fb22634
Merge branch 'feature/add_DCSync_unit_test'
shadow2033 Aug 15, 2023
1b32d33
Merge branches 'feature/add_DSRM_Password_Changed_unit_test', 'featur…
shadow2033 Aug 15, 2023
3b7c04b
Merge branch 'feature/add_Detect_execution_imageload_wuauclt_lolbas_u…
shadow2033 Aug 15, 2023
999caa0
Merge branch 'feature/add_Detect_hiding_files_via_attrib_cmdlet_unit_…
shadow2033 Aug 15, 2023
77e1b0b
Merge branches 'feature/add_Detect_lolbin_pcalua_exec_unit_test', 'fe…
shadow2033 Aug 15, 2023
3ea798e
Merge branches 'feature/add_ImageLoad_from_Network_Share_to_LSASS_uni…
shadow2033 Aug 15, 2023
6734bc1
Merge branches 'feature/add_LSASS_Dump_Create_unit_test', 'feature/ad…
shadow2033 Aug 15, 2023
db33fa6
Merge branches 'feature/add_PPL_Bypass_via_PPLDump_Tool_unit_test', '…
shadow2033 Aug 15, 2023
04f4add
Merge branches 'feature/add_RDP_Tunneling_unit_test', 'feature/add_RD…
shadow2033 Aug 15, 2023
f2d7f77
Merge branches 'feature/add_Schtasks_Commandline_unit_test', 'feature…
shadow2033 Aug 15, 2023
c240f9d
Merge branches 'feature/add_UACME_23_DismCore_Hijacking_unit_test', '…
shadow2033 Aug 15, 2023
ed90660
Create test_1.sc unit tests for the rule (ParentPid_Spoofing)
shadow2033 Aug 21, 2023
b8cba5a
Merge branch 'Security-Experts-Community:master' into master
shadow2033 Aug 21, 2023
dbd3fd5
fix Chrome_firefox_opera_cred_read test 4
Feb 6, 2025
468db61
fix UAC_Bypass_Via_Consent test 3
Feb 6, 2025
@@ -0,0 +1,3 @@
{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4624\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12544\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-02-13T15:26:53.3567809Z\"},\"EventRecordID\":\"5315\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"480\",\"ThreadID\":\"3952\"},\"Channel\":\"Security\",\"Computer\":\"PC02.example.corp\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"PC02$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"EXAMPLE\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"TargetUserName\",\"text\":\"IEUser\"},{\"Name\":\"TargetDomainName\",\"text\":\"PC02\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x45120\"},{\"Name\":\"LogonType\",\"text\":\"10\"},{\"Name\":\"LogonProcessName\",\"text\":\"User32\"},{\"Name\":\"AuthenticationPackageName\",\"text\":\"Negotiate\"},{\"Name\":\"WorkstationName\",\"text\":\"PC02\"},{\"Name\":\"LogonGuid\",\"text\":\"{00000000-0000-0000-0000-000000000000}\"},{\"Name\":\"TransmittedServices\",\"text\":\"-\"},{\"Name\":\"LmPackageName\",\"text\":\"-\"},{\"Name\":\"KeyLength\",\"text\":\"0\"},{\"Name\":\"ProcessId\",\"text\":\"0x658\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\winlogon.exe\"},{\"Name\":\"IpAddress\",\"text\":\"127.0.0.1\"},{\"Name\":\"IpPort\",\"text\":\"49164\"}]}}}", "category.generic": "Operating System", "category.high": "Access Management", "category.low": "Communication", "datafield6": "RemoteInteractive", "datafield9": "Negotiate", "dst.fqdn": "pc02.example.corp", "dst.host": "pc02.example.corp", "dst.hostname": "pc02", 
"event_src.category": "AAA", "event_src.fqdn": "pc02.example.corp", "event_src.host": "pc02.example.corp", "event_src.hostname": "pc02", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4624_An_account_was_successfully_logged_on", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "logon_auth_method": "remote", "logon_service": "User32", "logon_type": 10, "mime": "application/x-pt-eventlog", "msgid": "4624", "normalized": true, "object": "system", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T21:05:50.597Z", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "src.port": 49164, "status": "success", "subject": "account", "subject.account.domain": "pc02", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.session_id": "282912", "subject.process.fullpath": "c:\\windows\\system32\\winlogon.exe", "subject.process.id": "1624", "subject.process.name": "winlogon.exe", "subject.process.path": "c:\\windows\\system32\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-02-13T15:26:53.356Z", "type": "raw", "uuid": "8a33a9cc-4609-43b5-aa3f-4d468a296ce2"}

expect 1 {"action": "login", "category.generic": "Attack", "category.high": "Command and Control", "category.low": "Protocol Tunneling", "correlation_name": "RDP_Tunneling", "correlation_type": "incident", "dst.fqdn": "pc02.example.corp", "dst.host": "pc02.example.corp", "dst.hostname": "pc02", "event_src.category": "AAA", "event_src.host": "pc02.example.corp", "event_src.hostname": "pc02", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.category": "Undefined", "incident.severity": "medium", "logon_auth_method": "remote", "logon_service": "User32", "logon_type": 10, "object": "system", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "src.port": 49164, "status": "success", "subject": "account", "subject.account.domain": "pc02", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.session_id": "282912", "subject.process.fullpath": "c:\\windows\\system32\\winlogon.exe", "subject.process.id": "1624", "subject.process.name": "winlogon.exe", "subject.process.path": "c:\\windows\\system32\\"}
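Review bot: this file only exercises the positive path. The expectation keeps "src.ip": "127.0.0.1" and "logon_type": 10, so the test pins the rule to a RemoteInteractive logon whose source is the loopback address, which is the tunnelling signal; but a rule change that fired on every type-10 logon would still pass, since no counter-example is present. Suggest a second 4624 event identical to this one except for a routable IpAddress, paired with a zero-count expectation if the test format supports one, so the loopback condition is actually verified rather than assumed.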
@@ -0,0 +1,3 @@
{"action": "login", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-TerminalServices-RemoteConnectionManager\",\"Guid\":\"{c76baa63-ae81-421c-b425-340b4b24157f}\"},\"EventID\":\"1149\",\"Version\":\"0\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"0\",\"Keywords\":\"0x1000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-02-13T18:04:57.4523864Z\"},\"EventRecordID\":\"228\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"1280\",\"ThreadID\":\"2748\"},\"Channel\":\"Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational\",\"Computer\":\"PC01.example.corp\",\"Security\":{\"UserID\":\"S-1-5-20\"}},\"UserData\":{\"EventXML\":{\"xmlns:auto-ns2\":\"2>http://schemas.microsoft.com/win/2004/08/events\",\"xmlns\":\"Event_NS\",\"Param1\":\"admin01\",\"Param2\":\"example\",\"Param3\":\"127.0.0.1\"}}}}", "category.generic": "Access", "category.high": "Authentication", "category.low": "Remote", "event_src.category": "Terminal services", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "1149_User_authentication_succeeded", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "1149", "normalized": true, "object": "system", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T21:55:11.504Z", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.name": "admin01", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-02-13T18:04:57.452Z", "type": "raw", 
"uuid": "8b82ace1-015d-45a5-8be0-552b37fceb60"}

expect 1 {"action": "login", "category.generic": "Attack", "category.high": "Command and Control", "category.low": "Protocol Tunneling", "correlation_name": "RDP_Tunneling", "correlation_type": "incident", "event_src.category": "Terminal services", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "incident.category": "Undefined", "incident.severity": "medium", "object": "system", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "status": "success", "subject": "account", "subject.account.domain": "example", "subject.account.name": "admin01"}
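Review bot: the sample body contains `\"xmlns:auto-ns2\":\"2>http://schemas.microsoft.com/win/2004/08/events\"`; the `2>` prefix reads like a shell redirection fragment that was pasted into the raw event rather than anything the TerminalServices-RemoteConnectionManager provider emits. The normalizer evidently tolerates it, since the expected fields still resolve, but a clean sample body keeps the fixture trustworthy for whoever debugs this test later. As in the 4624 file, only the Param3 = 127.0.0.1 positive case is covered; an 1149 event with a non-loopback Param3 and a zero-count expectation, if the format allows it, would confirm the rule conditions on the source being local, which is what the fixture implies.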
@@ -0,0 +1,3 @@
{"action": "allow", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"5156\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"12810\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-02-13T18:04:01.6321208Z\"},\"EventRecordID\":\"227727\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"56\"},\"Channel\":\"Security\",\"Computer\":\"PC01.example.corp\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"ProcessID\",\"text\":\"3324\"},{\"Name\":\"Application\",\"text\":\"\\\\device\\\\harddiskvolume1\\\\users\\\\user01\\\\desktop\\\\plink.exe\"},{\"Name\":\"Direction\",\"text\":\"%%14593\"},{\"Name\":\"SourceAddress\",\"text\":\"127.0.0.1\"},{\"Name\":\"SourcePort\",\"text\":\"49271\"},{\"Name\":\"DestAddress\",\"text\":\"127.0.0.2\"},{\"Name\":\"DestPort\",\"text\":\"3389\"},{\"Name\":\"Protocol\",\"text\":\"6\"},{\"Name\":\"FilterRTID\",\"text\":\"0\"},{\"Name\":\"LayerName\",\"text\":\"%%14611\"},{\"Name\":\"LayerRTID\",\"text\":\"48\"},{\"Name\":\"RemoteUserID\",\"text\":\"S-1-0-0\"},{\"Name\":\"RemoteMachineID\",\"text\":\"S-1-0-0\"}]}}}", "category.generic": "Connection", "category.high": "Network Interaction Management", "category.low": "Control", "datafield5": "48", "direction": "egress", "dst.host": "127.0.0.2", "dst.ip": "127.0.0.2", "dst.port": 3389, "event_src.category": "Operating system", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_5156_WFP_has_permitted_connection", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": 
"application/x-pt-eventlog", "msgid": "5156", "normalized": true, "object": "connection", "object.process.fullpath": "\\device\\harddiskvolume1\\users\\user01\\desktop\\plink.exe", "object.process.id": "3324", "object.process.name": "plink.exe", "object.process.path": "\\device\\harddiskvolume1\\users\\user01\\desktop\\", "object.property": "ALE layer", "object.value": "Connect", "protocol": "6", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-12T21:30:19.331Z", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "src.port": 49271, "status": "success", "subject": "rule", "subject.id": "0", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-02-13T18:04:01.632Z", "type": "raw", "uuid": "dc4c60bd-251a-4238-94bb-1d308a36fb43"}

expect 1 {"action": "start", "category.generic": "Attack", "category.high": "Command and Control", "category.low": "Protocol Tunneling", "correlation_name": "RDP_Tunneling_via_SSH_5156", "correlation_type": "event", "direction": "egress", "dst.host": "127.0.0.2", "dst.ip": "127.0.0.2", "dst.port": 3389, "event_src.category": "Operating system", "event_src.fqdn": "pc01.example.corp", "event_src.host": "pc01.example.corp", "event_src.hostname": "pc01", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "high", "object": "process", "object.process.fullpath": "\\device\\harddiskvolume1\\users\\user01\\desktop\\plink.exe", "object.process.id": "3324", "object.process.name": "plink.exe", "object.process.path": "\\device\\harddiskvolume1\\users\\user01\\desktop\\", "protocol": "6", "src.host": "127.0.0.1", "src.ip": "127.0.0.1", "src.port": 49271, "status": "success", "subject": "account"}
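Review bot: the expectation rewrites "subject" from "rule" (in the 5156 input) to "account" and "object" from "connection" to "process", and uses "correlation_type": "event" where the RDP_Tunneling files use "incident". If those are what the rule sets, fine, but a reader cannot tell from the fixture alone whether "subject": "account" is the rule's output or a carry-over from the other test files, so it is worth a sentence in the PR description. The case also covers a single client (plink.exe) connecting to 127.0.0.2:3389; one event with a different destination port, and, if the rule's process list is wider than plink.exe, one with a different client name, would show which of "object.process.name", "dst.ip" and "dst.port" the rule actually conditions on.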
@@ -0,0 +1,4 @@
{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T19:33:05.3081880Z\"},\"EventRecordID\":\"4989\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"56\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xffa8\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\kushu3sd.default\\\\key4.db\"},{\"Name\":\"HandleId\",\"text\":\"0x50\"},{\"Name\":\"AccessList\",\"text\":\"%%4416\"},{\"Name\":\"AccessMask\",\"text\":\"0x1\"},{\"Name\":\"ProcessId\",\"text\":\"0x134c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\Defau1t\\\\wsus.exe\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x50", "datafield5": "0x1", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": 
"application/x-pt-eventlog", "msgid": "4663", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\key4.db", "object.name": "key4.db", "object.path": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T11:47:59.229Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T19:33:05.308Z", "type": "raw", "uuid": "ab468aaa-cc07-45a7-b407-d7cd53928174"}
{"action": "access", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4663\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-04-27T19:33:18.6997552Z\"},\"EventRecordID\":\"4990\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"56\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xffa8\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\IEUser\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\kushu3sd.default\\\\logins.json\"},{\"Name\":\"HandleId\",\"text\":\"0x50\"},{\"Name\":\"AccessList\",\"text\":\"%%4416\"},{\"Name\":\"AccessMask\",\"text\":\"0x1\"},{\"Name\":\"ProcessId\",\"text\":\"0x134c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Users\\\\Defau1t\\\\wsus.exe\"}]}}}", "category.generic": "File System Object", "category.high": "System Management", "category.low": "Manipulation", "datafield1": "0x50", "datafield5": "0x1", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4663_An_attempt_was_made_to_access_an_object", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": 
"application/x-pt-eventlog", "msgid": "4663", "normalized": true, "object": "file_object", "object.fullpath": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\logins.json", "object.name": "logins.json", "object.path": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-04T11:47:59.230Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-04-27T19:33:18.699Z", "type": "raw", "uuid": "1594673e-8a1f-41aa-81af-dd9dc3f73331"}

expect 2 {"action": "read", "alert.key": "C:\\Users\\Defau1t\\wsus.exe", "category.generic": "Attack", "category.high": "Credential Access", "category.low": "Credentials from Password Stores", "correlation_name": "Chrome_firefox_opera_cred_read", "correlation_type": "incident", "event_src.category": "Operating system", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.title": "windows", "event_src.vendor": "microsoft", "importance": "medium", "object": "file", "object.path": "c:\\users\\ieuser\\appdata\\roaming\\mozilla\\firefox\\profiles\\kushu3sd.default\\", "object.property": "GrantedAccess", "object.type": "file", "object.value": "0x1", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "%%4416", "subject.account.session_id": "65448", "subject.process.fullpath": "C:\\Users\\Defau1t\\wsus.exe", "subject.process.id": "4940", "subject.process.name": "wsus.exe", "subject.process.path": "C:\\Users\\Defau1t\\"}
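Review bot: the expectation mixes case conventions: "alert.key", "subject.process.fullpath" and "subject.process.path" keep the original `C:\Users\Defau1t\wsus.exe` casing while every "object.*" path is lowercased. That matches the normalized input shown (subject.process.* is not lowercased there either), so the test is consistent with today's normalizer, but it means the fixture silently depends on subject.process.* and object.* being cased differently, and a later normalizer change would fail this test with a diff that looks like a rule regression. Separately, the single expected object carries no "object.name" or "object.fullpath", so `expect 2` only proves that two incidents were raised, not that one was for key4.db and the other for logins.json; if the format supports per-event expectations, splitting them would make the test assert what the rule name promises.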