Update data.py

data.py

@@ -10,14 +10,14 @@ EVENT_DATABASE = [
         "Source": "Security",
         "Description": "An account failed to log on.",
         "Win_R": "eventvwr.msc",
-        "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 20",
+        "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 20 | Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='IP';E={$_.Properties[19].Value}}",
         "MITRE": "T1110 (Brute Force)",
-        "Logic": "High frequency of failures (10+ per minute) suggests a brute force attack.",
-        "Investigation_Steps": "1. Win+R > eventvwr.msc\n2. Security Log > Filter ID 4625\n3. Check 'Source Network Address' to find the attacker's IP.",
-        "Scenario": "Attacker guessing passwords for a local admin account.",
+        "Logic": "High frequency of failures (10+ per minute) suggests brute force.",
+        "Investigation_Steps": "1. Press **Win+R**, type `eventvwr.msc`.\n2. Go to **Security Log** > **Filter Current Log**.\n3. Type `4625` in the Event ID box.\n4. Scroll down to 'Network Information' to see the Source IP address.",
+        "Scenario": "Attacker trying a wordlist against the Administrator account.",
         "Response": "Block Source IP at firewall. Check if the account is now locked.",
-        "Remediation": "Implement MFA and account lockout policies.",
-        "Tips": "Logon Type 3 is Network; Type 10 is RDP."
+        "Remediation": "Enable Account Lockout Policy in `secpol.msc`.",
+        "Tips": "Logon Type 3 = Network; Type 10 = RDP."
     },
     {
         "ID": "4624",
@@ -27,33 +27,15 @@ EVENT_DATABASE = [
         "Source": "Security",
         "Description": "An account was successfully logged on.",
         "Win_R": "eventvwr.msc",
-        "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 20",
+        "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 10",
         "MITRE": "T1078 (Valid Accounts)",
-        "Logic": "Look for logins at unusual hours or from unusual locations.",
-        "Investigation_Steps": "1. Filter ID 4624\n2. Verify the 'Logon Type'. Type 10 is RDP—check if the user usually works remotely.",
-        "Scenario": "Credential theft leading to lateral movement.",
-        "Response": "Confirm with the user if they performed the login.",
-        "Remediation": "Enforce 'Least Privilege' and rotate credentials.",
-        "Tips": "Check 'TargetUserName' to ensure it's a known employee."
+        "Logic": "Monitor for RDP logins (Type 10) at unusual hours.",
+        "Investigation_Steps": "1. Open Event Viewer.\n2. Filter Security log for `4624`.\n3. Look for 'Logon Type'. Type 2 is local; Type 3 is network share; Type 10 is RDP.",
+        "Scenario": "Lateral movement using stolen credentials.",
+        "Response": "Verify with the user if they authorized this login.",
+        "Remediation": "Enforce MFA for all remote access.",
+        "Tips": "Check 'Logon ID' to link this to other events by the same user."
     },
-    {
-        "ID": "4672",
-        "Name": "Admin Privs Assigned",
-        "Category": "Authentication",
-        "Severity": "Medium",
-        "Source": "Security",
-        "Description": "Special privileges assigned to a new logon.",
-        "Win_R": "secpol.msc",
-        "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4672}",
-        "MITRE": "T1078.002 (Domain Accounts)",
-        "Logic": "Triggered when an admin logs in. Suspicious if triggered by a standard user account.",
-        "Investigation_Steps": "1. Filter for 4672.\n2. Cross-reference with 4624 to see the source of the login.",
-        "Scenario": "Privilege escalation where a normal user gains admin rights.",
-        "Response": "Audit the user's group memberships immediately.",
-        "Remediation": "Use Privileged Access Management (PAM) tools.",
-        "Tips": "Look for 'SeDebugPrivilege' which is often used by attackers."
-    },
-
     # --- PROCESS & EXECUTION ---
     {
         "ID": "4688",
@@ -65,12 +47,12 @@ EVENT_DATABASE = [
         "Win_R": "taskmgr",
         "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688} -MaxEvents 50",
         "MITRE": "T1059 (Command Execution)",
-        "Logic": "Watch for cmd.exe or powershell.exe spawned by web servers (w3wp.exe) or Office (winword.exe).",
-        "Investigation_Steps": "1. Filter ID 4688.\n2. Examine 'Process Command Line'.\n3. Check for 'New Process Name' and 'Parent Process Name'.",
-        "Scenario": "Phishing email launching a shell via a macro.",
-        "Response": "Kill the process and isolate the host.",
-        "Remediation": "Enable ASR Rule: Block Office from creating child processes.",
-        "Tips": "Command line auditing must be enabled via GPO to see the full command."
+        "Logic": "Suspicious if Office apps (Word/Excel) spawn PowerShell or CMD.",
+        "Investigation_Steps": "1. Press **Win+R**, type `taskmgr` to see live processes.\n2. In Event Viewer, filter for ID `4688`.\n3. Check the 'Process Command Line' field to see the exact command executed.",
+        "Scenario": "Malicious macro launching a reverse shell.",
+        "Response": "Kill the process tree and isolate the host.",
+        "Remediation": "Enable GPO: 'Include command line in process creation events'.",
+        "Tips": "Essential for catching 'Living off the Land' (LotL) attacks."
     },
     {
         "ID": "1 (Sysmon)",
@@ -82,14 +64,13 @@ EVENT_DATABASE = [
         "Win_R": "services.msc",
         "PowerShell": "Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where {$_.ID -eq 1}",
         "MITRE": "T1204 (User Execution)",
-        "Logic": "Analyze hashes (SHA256) of unknown executables.",
-        "Investigation_Steps": "1. Open Sysmon Operational log.\n2. Filter ID 1.\n3. Copy the Hash and search on VirusTotal.",
-        "Scenario": "User runs a renamed malware executable (e.g., 'invoice.exe').",
-        "Response": "Check file hash. If malicious, run a full system scan.",
-        "Remediation": "Implement AppLocker to allow only signed binaries.",
-        "Tips": "Sysmon is better than Log 4688 because it provides hashes."
+        "Logic": "New executables running from `Temp` or `AppData` folders.",
+        "Investigation_Steps": "1. Navigate to **Applications and Services > Microsoft > Windows > Sysmon > Operational**.\n2. Filter for ID `1`.\n3. Copy the SHA256 hash and check it on VirusTotal.",
+        "Scenario": "User executes a renamed malware binary.",
+        "Response": "If the hash is malicious, perform memory forensics.",
+        "Remediation": "Use AppLocker to restrict unsigned code.",
+        "Tips": "Sysmon provides the ParentCommandLine, which is vital for context."
     },
-
     # --- POWERSHELL ---
     {
         "ID": "4104",
@@ -97,68 +78,51 @@ EVENT_DATABASE = [
         "Category": "PowerShell",
         "Severity": "Critical",
         "Source": "PowerShell/Ops",
-        "Description": "Captures the full code executed by PowerShell.",
+        "Description": "Full code executed by PowerShell.",
         "Win_R": "eventvwr.msc",
-        "PowerShell": "Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' | Where {$_.ID -eq 4104}",
+        "PowerShell": "Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' | Where {$_.ID -eq 4104} | Select -ExpandProperty Message",
         "MITRE": "T1059.001 (PowerShell)",
-        "Logic": "Look for keywords: 'Base64', 'IEX', 'Invoke-WebRequest'.",
-        "Investigation_Steps": "1. Go to PowerShell/Operational log.\n2. Filter ID 4104.\n3. Read the 'ScriptBlock Text' field.",
-        "Scenario": "Fileless malware loading a script in memory.",
-        "Response": "Extract and de-obfuscate the script to find C2 IPs.",
+        "Logic": "Search for 'Base64', 'IEX', or 'DownloadString'.",
+        "Investigation_Steps": "1. Go to **PowerShell/Operational** log in Event Viewer.\n2. Filter ID `4104`.\n3. Examine the 'ScriptBlock Text'. This captures code even if run in memory.",
+        "Scenario": "Fileless malware executing a Cobalt Strike beacon.",
+        "Response": "Analyze the URL/IP the script is trying to connect to.",
         "Remediation": "Set Execution Policy to 'AllSigned'.",
-        "Tips": "Catches malicious code even if the script file is deleted."
+        "Tips": "This log de-obfuscates scripts automatically."
     },
-
-    # --- NETWORK & SYSTEM ---
+    # --- NETWORK ---
     {
         "ID": "5156",
         "Name": "Network Connection",
         "Category": "Network",
         "Severity": "Medium",
         "Source": "Security",
-        "Description": "Windows Filtering Platform permitted a connection.",
+        "Description": "Windows Firewall permitted a connection.",
         "Win_R": "wf.msc",
         "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=5156} -MaxEvents 50",
         "MITRE": "T1041 (Exfiltration)",
-        "Logic": "Look for outbound traffic to known malicious IPs or unusual ports.",
-        "Investigation_Steps": "1. Filter ID 5156.\n2. Check 'Dest Address' and 'Dest Port' (e.g., port 4444 or 8080).",
-        "Scenario": "Malware 'phoning home' to a Command & Control (C2) server.",
-        "Response": "Block the destination IP at the perimeter firewall.",
-        "Remediation": "Restrict outbound traffic to necessary ports only.",
-        "Tips": "This log generates a LOT of data; use carefully."
-    },
-    {
-        "ID": "6416",
-        "Name": "USB Device Plugged",
-        "Category": "System",
-        "Severity": "Low",
-        "Source": "Security",
-        "Description": "A new external device was recognized.",
-        "Win_R": "devmgmt.msc",
-        "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=6416}",
-        "MITRE": "T1200 (Hardware Additions)",
-        "Logic": "Detection of unauthorized USB storage usage.",
-        "Investigation_Steps": "1. Filter ID 6416.\n2. Identify the 'Device Description'. Is it a mass storage device?",
-        "Scenario": "Insider threat stealing data via a thumb drive.",
-        "Response": "Identify what files were accessed during the USB session (ID 4663).",
-        "Remediation": "Disable USB ports for non-authorized users via GPO.",
-        "Tips": "Useful for Data Loss Prevention (DLP) investigations."
+        "Logic": "Outbound connections to unknown IPs on non-standard ports (e.g. 4444).",
+        "Investigation_Steps": "1. Press **Win+R**, type `wf.msc` to check Firewall rules.\n2. In Event Viewer, filter Security log for `5156`.\n3. Identify the 'Destination Address'.",
+        "Scenario": "Malware communicating with a C2 server.",
+        "Response": "Block the destination IP at the perimeter.",
+        "Remediation": "Enable Egress filtering.",
+        "Tips": "Requires 'Audit Filtering Platform Connection' to be enabled."
     },
+    # --- USER & SYSTEM ---
     {
         "ID": "4720",
         "Name": "User Created",
         "Category": "User Management",
         "Severity": "High",
         "Source": "Security",
-        "Description": "A user account was created.",
+        "Description": "A new user account was created.",
         "Win_R": "lusrmgr.msc",
         "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4720}",
         "MITRE": "T1136 (Create Account)",
-        "Logic": "Unexpected account creation is a sign of persistence.",
-        "Investigation_Steps": "1. Filter ID 4720.\n2. Check 'SubjectUserName' (Who created it?) and 'TargetUserName' (What was created?).",
-        "Scenario": "Attacker creates a 'backdoor' account to maintain access.",
-        "Response": "Disable the new account and audit who created it.",
-        "Remediation": "Restrict account creation rights to Domain Admins only.",
-        "Tips": "Usually followed by ID 4732 (Added to a group)."
+        "Logic": "Unauthorized account creation for persistence.",
+        "Investigation_Steps": "1. Press **Win+R**, type `lusrmgr.msc` to view local users.\n2. Filter Security log for ID `4720`.\n3. Check 'Subject' (who created the user).",
+        "Scenario": "Attacker creating a backdoor account.",
+        "Response": "Disable the account and audit the creator's activity.",
+        "Remediation": "Limit account creation rights to specific admins.",
+        "Tips": "Look for names that mimic system accounts (e.g., 'SytemAdmin')."
     }
 ]