ahmedumeraziz's picture
Update data.py
e2a1e70 verified
Raw
History Blame Contribute Delete
7.1 kB
# data.py - Complete Windows Security Intelligence Dataset
EVENT_DATABASE = [
# --- AUTHENTICATION ---
{
"ID": "4625",
"Name": "Failed Login",
"Category": "Authentication",
"Severity": "Medium",
"Source": "Security",
"Description": "An account failed to log on.",
"Win_R": "eventvwr.msc",
"PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 20 | Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='IP';E={$_.Properties[19].Value}}",
"MITRE": "T1110 (Brute Force)",
"Logic": "High frequency of failures (10+ per minute) suggests brute force.",
"Investigation_Steps": "1. Press **Win+R**, type `eventvwr.msc`.\n2. Go to **Security Log** > **Filter Current Log**.\n3. Type `4625` in the Event ID box.\n4. Scroll down to 'Network Information' to see the Source IP address.",
"Scenario": "Attacker trying a wordlist against the Administrator account.",
"Response": "Block Source IP at firewall. Check if the account is now locked.",
"Remediation": "Enable Account Lockout Policy in `secpol.msc`.",
"Tips": "Logon Type 3 = Network; Type 10 = RDP."
},
{
"ID": "4624",
"Name": "Successful Login",
"Category": "Authentication",
"Severity": "Low",
"Source": "Security",
"Description": "An account was successfully logged on.",
"Win_R": "eventvwr.msc",
"PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 10",
"MITRE": "T1078 (Valid Accounts)",
"Logic": "Monitor for RDP logins (Type 10) at unusual hours.",
"Investigation_Steps": "1. Open Event Viewer.\n2. Filter Security log for `4624`.\n3. Look for 'Logon Type'. Type 2 is local; Type 3 is network share; Type 10 is RDP.",
"Scenario": "Lateral movement using stolen credentials.",
"Response": "Verify with the user if they authorized this login.",
"Remediation": "Enforce MFA for all remote access.",
"Tips": "Check 'Logon ID' to link this to other events by the same user."
},
# --- PROCESS & EXECUTION ---
{
"ID": "4688",
"Name": "Process Creation",
"Category": "Process",
"Severity": "High",
"Source": "Security",
"Description": "A new process has been created.",
"Win_R": "taskmgr",
"PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688} -MaxEvents 50",
"MITRE": "T1059 (Command Execution)",
"Logic": "Suspicious if Office apps (Word/Excel) spawn PowerShell or CMD.",
"Investigation_Steps": "1. Press **Win+R**, type `taskmgr` to see live processes.\n2. In Event Viewer, filter for ID `4688`.\n3. Check the 'Process Command Line' field to see the exact command executed.",
"Scenario": "Malicious macro launching a reverse shell.",
"Response": "Kill the process tree and isolate the host.",
"Remediation": "Enable GPO: 'Include command line in process creation events'.",
"Tips": "Essential for catching 'Living off the Land' (LotL) attacks."
},
{
"ID": "1 (Sysmon)",
"Name": "Process Create",
"Category": "Sysmon",
"Severity": "High",
"Source": "Sysmon",
"Description": "Detailed process creation with file hashes.",
"Win_R": "services.msc",
"PowerShell": "Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where {$_.ID -eq 1}",
"MITRE": "T1204 (User Execution)",
"Logic": "New executables running from `Temp` or `AppData` folders.",
"Investigation_Steps": "1. Navigate to **Applications and Services > Microsoft > Windows > Sysmon > Operational**.\n2. Filter for ID `1`.\n3. Copy the SHA256 hash and check it on VirusTotal.",
"Scenario": "User executes a renamed malware binary.",
"Response": "If the hash is malicious, perform memory forensics.",
"Remediation": "Use AppLocker to restrict unsigned code.",
"Tips": "Sysmon provides the ParentCommandLine, which is vital for context."
},
# --- POWERSHELL ---
{
"ID": "4104",
"Name": "PS Script Block",
"Category": "PowerShell",
"Severity": "Critical",
"Source": "PowerShell/Ops",
"Description": "Full code executed by PowerShell.",
"Win_R": "eventvwr.msc",
"PowerShell": "Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' | Where {$_.ID -eq 4104} | Select -ExpandProperty Message",
"MITRE": "T1059.001 (PowerShell)",
"Logic": "Search for 'Base64', 'IEX', or 'DownloadString'.",
"Investigation_Steps": "1. Go to **PowerShell/Operational** log in Event Viewer.\n2. Filter ID `4104`.\n3. Examine the 'ScriptBlock Text'. This captures code even if run in memory.",
"Scenario": "Fileless malware executing a Cobalt Strike beacon.",
"Response": "Analyze the URL/IP the script is trying to connect to.",
"Remediation": "Set Execution Policy to 'AllSigned'.",
"Tips": "This log de-obfuscates scripts automatically."
},
# --- NETWORK ---
{
"ID": "5156",
"Name": "Network Connection",
"Category": "Network",
"Severity": "Medium",
"Source": "Security",
"Description": "Windows Firewall permitted a connection.",
"Win_R": "wf.msc",
"PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=5156} -MaxEvents 50",
"MITRE": "T1041 (Exfiltration)",
"Logic": "Outbound connections to unknown IPs on non-standard ports (e.g. 4444).",
"Investigation_Steps": "1. Press **Win+R**, type `wf.msc` to check Firewall rules.\n2. In Event Viewer, filter Security log for `5156`.\n3. Identify the 'Destination Address'.",
"Scenario": "Malware communicating with a C2 server.",
"Response": "Block the destination IP at the perimeter.",
"Remediation": "Enable Egress filtering.",
"Tips": "Requires 'Audit Filtering Platform Connection' to be enabled."
},
# --- USER & SYSTEM ---
{
"ID": "4720",
"Name": "User Created",
"Category": "User Management",
"Severity": "High",
"Source": "Security",
"Description": "A new user account was created.",
"Win_R": "lusrmgr.msc",
"PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4720}",
"MITRE": "T1136 (Create Account)",
"Logic": "Unauthorized account creation for persistence.",
"Investigation_Steps": "1. Press **Win+R**, type `lusrmgr.msc` to view local users.\n2. Filter Security log for ID `4720`.\n3. Check 'Subject' (who created the user).",
"Scenario": "Attacker creating a backdoor account.",
"Response": "Disable the account and audit the creator's activity.",
"Remediation": "Limit account creation rights to specific admins.",
"Tips": "Look for names that mimic system accounts (e.g., 'SytemAdmin')."
}
]