# data.py - Complete Windows Security Intelligence Dataset EVENT_DATABASE = [ # --- AUTHENTICATION --- { "ID": "4625", "Name": "Failed Login", "Category": "Authentication", "Severity": "Medium", "Source": "Security", "Description": "An account failed to log on.", "Win_R": "eventvwr.msc", "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 20 | Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='IP';E={$_.Properties[19].Value}}", "MITRE": "T1110 (Brute Force)", "Logic": "High frequency of failures (10+ per minute) suggests brute force.", "Investigation_Steps": "1. Press **Win+R**, type `eventvwr.msc`.\n2. Go to **Security Log** > **Filter Current Log**.\n3. Type `4625` in the Event ID box.\n4. Scroll down to 'Network Information' to see the Source IP address.", "Scenario": "Attacker trying a wordlist against the Administrator account.", "Response": "Block Source IP at firewall. Check if the account is now locked.", "Remediation": "Enable Account Lockout Policy in `secpol.msc`.", "Tips": "Logon Type 3 = Network; Type 10 = RDP." }, { "ID": "4624", "Name": "Successful Login", "Category": "Authentication", "Severity": "Low", "Source": "Security", "Description": "An account was successfully logged on.", "Win_R": "eventvwr.msc", "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 10", "MITRE": "T1078 (Valid Accounts)", "Logic": "Monitor for RDP logins (Type 10) at unusual hours.", "Investigation_Steps": "1. Open Event Viewer.\n2. Filter Security log for `4624`.\n3. Look for 'Logon Type'. Type 2 is local; Type 3 is network share; Type 10 is RDP.", "Scenario": "Lateral movement using stolen credentials.", "Response": "Verify with the user if they authorized this login.", "Remediation": "Enforce MFA for all remote access.", "Tips": "Check 'Logon ID' to link this to other events by the same user." }, # --- PROCESS & EXECUTION --- { "ID": "4688", "Name": "Process Creation", "Category": "Process", "Severity": "High", "Source": "Security", "Description": "A new process has been created.", "Win_R": "taskmgr", "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688} -MaxEvents 50", "MITRE": "T1059 (Command Execution)", "Logic": "Suspicious if Office apps (Word/Excel) spawn PowerShell or CMD.", "Investigation_Steps": "1. Press **Win+R**, type `taskmgr` to see live processes.\n2. In Event Viewer, filter for ID `4688`.\n3. Check the 'Process Command Line' field to see the exact command executed.", "Scenario": "Malicious macro launching a reverse shell.", "Response": "Kill the process tree and isolate the host.", "Remediation": "Enable GPO: 'Include command line in process creation events'.", "Tips": "Essential for catching 'Living off the Land' (LotL) attacks." }, { "ID": "1 (Sysmon)", "Name": "Process Create", "Category": "Sysmon", "Severity": "High", "Source": "Sysmon", "Description": "Detailed process creation with file hashes.", "Win_R": "services.msc", "PowerShell": "Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where {$_.ID -eq 1}", "MITRE": "T1204 (User Execution)", "Logic": "New executables running from `Temp` or `AppData` folders.", "Investigation_Steps": "1. Navigate to **Applications and Services > Microsoft > Windows > Sysmon > Operational**.\n2. Filter for ID `1`.\n3. Copy the SHA256 hash and check it on VirusTotal.", "Scenario": "User executes a renamed malware binary.", "Response": "If the hash is malicious, perform memory forensics.", "Remediation": "Use AppLocker to restrict unsigned code.", "Tips": "Sysmon provides the ParentCommandLine, which is vital for context." }, # --- POWERSHELL --- { "ID": "4104", "Name": "PS Script Block", "Category": "PowerShell", "Severity": "Critical", "Source": "PowerShell/Ops", "Description": "Full code executed by PowerShell.", "Win_R": "eventvwr.msc", "PowerShell": "Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' | Where {$_.ID -eq 4104} | Select -ExpandProperty Message", "MITRE": "T1059.001 (PowerShell)", "Logic": "Search for 'Base64', 'IEX', or 'DownloadString'.", "Investigation_Steps": "1. Go to **PowerShell/Operational** log in Event Viewer.\n2. Filter ID `4104`.\n3. Examine the 'ScriptBlock Text'. This captures code even if run in memory.", "Scenario": "Fileless malware executing a Cobalt Strike beacon.", "Response": "Analyze the URL/IP the script is trying to connect to.", "Remediation": "Set Execution Policy to 'AllSigned'.", "Tips": "This log de-obfuscates scripts automatically." }, # --- NETWORK --- { "ID": "5156", "Name": "Network Connection", "Category": "Network", "Severity": "Medium", "Source": "Security", "Description": "Windows Firewall permitted a connection.", "Win_R": "wf.msc", "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=5156} -MaxEvents 50", "MITRE": "T1041 (Exfiltration)", "Logic": "Outbound connections to unknown IPs on non-standard ports (e.g. 4444).", "Investigation_Steps": "1. Press **Win+R**, type `wf.msc` to check Firewall rules.\n2. In Event Viewer, filter Security log for `5156`.\n3. Identify the 'Destination Address'.", "Scenario": "Malware communicating with a C2 server.", "Response": "Block the destination IP at the perimeter.", "Remediation": "Enable Egress filtering.", "Tips": "Requires 'Audit Filtering Platform Connection' to be enabled." }, # --- USER & SYSTEM --- { "ID": "4720", "Name": "User Created", "Category": "User Management", "Severity": "High", "Source": "Security", "Description": "A new user account was created.", "Win_R": "lusrmgr.msc", "PowerShell": "Get-WinEvent -FilterHashtable @{LogName='Security';ID=4720}", "MITRE": "T1136 (Create Account)", "Logic": "Unauthorized account creation for persistence.", "Investigation_Steps": "1. Press **Win+R**, type `lusrmgr.msc` to view local users.\n2. Filter Security log for ID `4720`.\n3. Check 'Subject' (who created the user).", "Scenario": "Attacker creating a backdoor account.", "Response": "Disable the account and audit the creator's activity.", "Remediation": "Limit account creation rights to specific admins.", "Tips": "Look for names that mimic system accounts (e.g., 'SytemAdmin')." } ]