New Kit: Windows - Githubissues

gravwell / kits

A collection of open source Gravwell kits

BSD 2-Clause "Simplified" License

3 stars 15 forks source link

New Kit: Windows #165

Open kris-watts-gravwell opened 3 months ago

kris-watts-gravwell commented 3 months ago

General issue for tracking a generic windows kit.

Helpful links

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ https://www.xplg.com/windows-server-security-events-list/ https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

Query library stuff

[x] Account lockouts
[x] Logins ~~Logouts~~
[x] RDP logins
[x] administrator RDP logins
[x] Event data is cleared ~~network authentications~~

Dashboards

[x] Overview
[x] Account logons - successful
[x] Group events
[x] User events
[x] Account logon - failures/lockouts

Playbook

[x] Overview
[x] Windows Event Collection

Resources

[x] EventID to description lookup

Next iteration

[ ] Query: RDP logins with wonky language or clients
[ ] Query: Pass the hash
[ ] Playbook: Query overview
[ ] Playbook: Important events to monitor

keith-smiley-gravwell commented 1 month ago

Update...

Rolled https://github.com/gravwell/kits/issues/60 into this issue
Changing "network authentications" to "interactive" as 95% of domain logins are network

keith-smiley-gravwell commented 1 month ago

Added a few more dashboards, playbooks