Spaces:
Sleeping
Sleeping
| # data.py - Complete Windows Security Intelligence Dataset | |
| EVENT_DATABASE = [ | |
| # --- AUTHENTICATION --- | |
| { | |
| "ID": "4625", | |
| "Name": "Failed Login", | |
| "Category": "Authentication", | |
| "Severity": "Medium", | |
| "Source": "Security", | |
| "Description": "An account failed to log on.", | |
| "Win_R": "eventvwr.msc", | |
| "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 20 | Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='IP';E={$_.Properties[19].Value}}", | |
| "MITRE": "T1110 (Brute Force)", | |
| "Logic": "High frequency of failures (10+ per minute) suggests brute force.", | |
| "Investigation_Steps": "1. Press **Win+R**, type `eventvwr.msc`.\n2. Go to **Security Log** > **Filter Current Log**.\n3. Type `4625` in the Event ID box.\n4. Scroll down to 'Network Information' to see the Source IP address.", | |
| "Scenario": "Attacker trying a wordlist against the Administrator account.", | |
| "Response": "Block Source IP at firewall. Check if the account is now locked.", | |
| "Remediation": "Enable Account Lockout Policy in `secpol.msc`.", | |
| "Tips": "Logon Type 3 = Network; Type 10 = RDP." | |
| }, | |
| { | |
| "ID": "4624", | |
| "Name": "Successful Login", | |
| "Category": "Authentication", | |
| "Severity": "Low", | |
| "Source": "Security", | |
| "Description": "An account was successfully logged on.", | |
| "Win_R": "eventvwr.msc", | |
| "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 10", | |
| "MITRE": "T1078 (Valid Accounts)", | |
| "Logic": "Monitor for RDP logins (Type 10) at unusual hours.", | |
| "Investigation_Steps": "1. Open Event Viewer.\n2. Filter Security log for `4624`.\n3. Look for 'Logon Type'. Type 2 is local; Type 3 is network share; Type 10 is RDP.", | |
| "Scenario": "Lateral movement using stolen credentials.", | |
| "Response": "Verify with the user if they authorized this login.", | |
| "Remediation": "Enforce MFA for all remote access.", | |
| "Tips": "Check 'Logon ID' to link this to other events by the same user." | |
| }, | |
| # --- PROCESS & EXECUTION --- | |
| { | |
| "ID": "4688", | |
| "Name": "Process Creation", | |
| "Category": "Process", | |
| "Severity": "High", | |
| "Source": "Security", | |
| "Description": "A new process has been created.", | |
| "Win_R": "taskmgr", | |
| "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688} -MaxEvents 50", | |
| "MITRE": "T1059 (Command Execution)", | |
| "Logic": "Suspicious if Office apps (Word/Excel) spawn PowerShell or CMD.", | |
| "Investigation_Steps": "1. Press **Win+R**, type `taskmgr` to see live processes.\n2. In Event Viewer, filter for ID `4688`.\n3. Check the 'Process Command Line' field to see the exact command executed.", | |
| "Scenario": "Malicious macro launching a reverse shell.", | |
| "Response": "Kill the process tree and isolate the host.", | |
| "Remediation": "Enable GPO: 'Include command line in process creation events'.", | |
| "Tips": "Essential for catching 'Living off the Land' (LotL) attacks." | |
| }, | |
| { | |
| "ID": "1 (Sysmon)", | |
| "Name": "Process Create", | |
| "Category": "Sysmon", | |
| "Severity": "High", | |
| "Source": "Sysmon", | |
| "Description": "Detailed process creation with file hashes.", | |
| "Win_R": "services.msc", | |
| "PowerShell": "Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where {$_.ID -eq 1}", | |
| "MITRE": "T1204 (User Execution)", | |
| "Logic": "New executables running from `Temp` or `AppData` folders.", | |
| "Investigation_Steps": "1. Navigate to **Applications and Services > Microsoft > Windows > Sysmon > Operational**.\n2. Filter for ID `1`.\n3. Copy the SHA256 hash and check it on VirusTotal.", | |
| "Scenario": "User executes a renamed malware binary.", | |
| "Response": "If the hash is malicious, perform memory forensics.", | |
| "Remediation": "Use AppLocker to restrict unsigned code.", | |
| "Tips": "Sysmon provides the ParentCommandLine, which is vital for context." | |
| }, | |
| # --- POWERSHELL --- | |
| { | |
| "ID": "4104", | |
| "Name": "PS Script Block", | |
| "Category": "PowerShell", | |
| "Severity": "Critical", | |
| "Source": "PowerShell/Ops", | |
| "Description": "Full code executed by PowerShell.", | |
| "Win_R": "eventvwr.msc", | |
| "PowerShell": "Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' | Where {$_.ID -eq 4104} | Select -ExpandProperty Message", | |
| "MITRE": "T1059.001 (PowerShell)", | |
| "Logic": "Search for 'Base64', 'IEX', or 'DownloadString'.", | |
| "Investigation_Steps": "1. Go to **PowerShell/Operational** log in Event Viewer.\n2. Filter ID `4104`.\n3. Examine the 'ScriptBlock Text'. This captures code even if run in memory.", | |
| "Scenario": "Fileless malware executing a Cobalt Strike beacon.", | |
| "Response": "Analyze the URL/IP the script is trying to connect to.", | |
| "Remediation": "Set Execution Policy to 'AllSigned'.", | |
| "Tips": "This log de-obfuscates scripts automatically." | |
| }, | |
| # --- NETWORK --- | |
| { | |
| "ID": "5156", | |
| "Name": "Network Connection", | |
| "Category": "Network", | |
| "Severity": "Medium", | |
| "Source": "Security", | |
| "Description": "Windows Firewall permitted a connection.", | |
| "Win_R": "wf.msc", | |
| "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=5156} -MaxEvents 50", | |
| "MITRE": "T1041 (Exfiltration)", | |
| "Logic": "Outbound connections to unknown IPs on non-standard ports (e.g. 4444).", | |
| "Investigation_Steps": "1. Press **Win+R**, type `wf.msc` to check Firewall rules.\n2. In Event Viewer, filter Security log for `5156`.\n3. Identify the 'Destination Address'.", | |
| "Scenario": "Malware communicating with a C2 server.", | |
| "Response": "Block the destination IP at the perimeter.", | |
| "Remediation": "Enable Egress filtering.", | |
| "Tips": "Requires 'Audit Filtering Platform Connection' to be enabled." | |
| }, | |
| # --- USER & SYSTEM --- | |
| { | |
| "ID": "4720", | |
| "Name": "User Created", | |
| "Category": "User Management", | |
| "Severity": "High", | |
| "Source": "Security", | |
| "Description": "A new user account was created.", | |
| "Win_R": "lusrmgr.msc", | |
| "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4720}", | |
| "MITRE": "T1136 (Create Account)", | |
| "Logic": "Unauthorized account creation for persistence.", | |
| "Investigation_Steps": "1. Press **Win+R**, type `lusrmgr.msc` to view local users.\n2. Filter Security log for ID `4720`.\n3. Check 'Subject' (who created the user).", | |
| "Scenario": "Attacker creating a backdoor account.", | |
| "Response": "Disable the account and audit the creator's activity.", | |
| "Remediation": "Limit account creation rights to specific admins.", | |
| "Tips": "Look for names that mimic system accounts (e.g., 'SytemAdmin')." | |
| } | |
| ] |