Contribution of Windows events. Also included some small fixes.

[rubinatorz]

hi guys,

As announced, my contribution of a set of Windows events. I also included some small fixes (typos).

If you have any questions or comments, please contact me via Slack.

regards, Ruben

[Cyb3rPandaH]

Thank you Ruben 🙏 We will review it and let you know if we have any comment or question.

Best, Jose

[Cyb3rPandaH]

Comments on: user_created_logon_session.yml

• Description of the event 4776: Description of event says "Computer". It makes reference to Domain Controller and Local Computer.
• Relationship: Event data contains information of the user that had its credentials validated, but not the user that performed/reported the action. Event data contains information of the computer from which the logon attempt originated.
• Data Source / Data Component: I think this event is more related to User Account / User Account Authentication. Since the event shows successful and unsuccessful credential validations, we could consider the following relations: user -> attempted to authenticate from -> device, user -> authenticated from -> device. We would need to create two new yml files 😃 because those relations are not documented Note: We are planning to use device as an entity, to represent computer and host. We might need to update some yaml files later.
• Recommended changes to user_created_logon_session:
  • Remove event 4776 from this yaml file
  • Update description of event 4776
  • Create new yml file: user_attempted_to_authenticate_from_device. ATT&CK mapping: User Account / User Account Authentication. Consider event 4776 (Description Updated)
  • Create new yml file: user_authenticated_from_device. ATT&CK mapping: User Account / User Account Authentication. Consider event 4776 (Description Updated)

[Cyb3rPandaH]

Comments on: user_created_pipe & process_created_pipe

• Current yaml files: we have documented the following relationships: process -> created -> pipe & process -> connected to -> pipe
• New yaml file: user_created_pipe is a new yaml file
• ATT&CK mapping: both files are mapping the relationships to Named Pipe / Named Pipe Metadata. I think it is okay, and both files have "Potential Contribution" notes 👍 . We will map these events to metadata component for now.
• Recommended changes to user_created_pipe:
  • remove Sysmon event 18 (Will we considered under new relation: user_connected_to_pipe)
• Recommended changes to process_created_pipe:
  • remove Sysmon event 18 (Is already considered under relationship: process_connected_to_pipe)
• New Yaml Recommendation for user_connected_to_pipe
  • ATT&CK mapping: Named Pipe / Named Pipe Metadata
  • Add "Potential contribution for ATT&CK - Named Pipe / named pipe connection" note
  • Consider Sysmon event 18
• Other Yaml update Recommendation:
  • We need to update the "process_connected_to_pipe" yaml: ATT&CK mapping -> Named Pipe / Named Pipe Metadata

[rubinatorz]

hi @Cyb3rPandaH,

Regarding user_created_logon_session.yml I often use both Microsoft docs and ultimatewindowssecurity.com. It doesn't happen much, but for 4776 the description on the UWS website differs from the one at MS docs: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4776 UWS is stating "4776: The domain controller attempted to validate the credentials for an account", so I got directed into the domain controller direction. Anyways, your recommended changes seems good!

Regarding user_created_pipe & process_created_pipe I think I overlooked the process-connected to-pipe relationship file. So I totally agree with the recommended changes. As there's only "Named Pipe Metadata" as data component within "Named Pipe" data source I think this is the best option we currently have.

[Cyb3rPandaH]

Comments on drive_created.yml:

• All events (6416, 6423, and 6424) provide context about the user.
• I think relationships should consider user entity
  • 6416: User --> installed --> Drive
  • 6423: User --> attempted to install --> Drive
  • 6424: User --> installed --> Drive
• Recommended changes:
  • Change name of file to user_installed_drive.yml and consider events 6416 and 6424
  • Create new file user_atempted_to_install_drive.yml and consider event 6423

[Cyb3rPandaH]

Comments on drive_modified.yml:

• All events (6419, 6420, 6421, and 6422) provide context about the user.
• I think relationships should consider user entity
  • 6419: User --> attempted to disable --> Drive
  • 6420: User --> disabled --> Drive
  • 6421: User --> attempted to enable --> Drive
  • 6422: User --> enabled --> Drive
• Recommended changes:
  • Change name of file to user_attempted_to_disable_drive.yml and consider event 6419
  • Create new file user_disabled_drive.yml and consider event 6420
  • Create new file user_attempted_to_enable_drive.yml and consider event 6421
  • Create new file user_enabled_drive.yml and consider event 6422

[Cyb3rPandaH]

Comments on firewall_policy_loaded.yml:

In other yml files we have used the term firewall to represent the firewall service. Based on the description of the event, what do you think of this idea for the behavior: firewall --> attempted to load --> policy ? We could use the entity policy for other relationships in the future.

• Recommended changes:
  • Change name of the file: firewall_attempted_to_load_policy
  • Also, update behavior description.

[Cyb3rPandaH]

Comments on sensor_health_changed:

• I am thinking on moving Sysmon event 4 from service_started to sensor_health_changed. I will provide the same context as event 6005 (The event log service was started)
• Recommended chages:
  • Add sysmon event 4 to sensor_health_changed

[Cyb3rPandaH]

Thank you again @rubinatorz ! We are merging the PR and make a few changes later based on the comments I provided to a few sections.