Upload files to "Modules/Knowledge/SANS"

Modules/Knowledge/SANS/event_analysis.py

@@ -0,0 +1,57 @@
+def get_content():
+    """
+    Returns structured content for Windows event log analysis.
+    """
+    return [
+        {
+            "title": "Important Event IDs",
+            "content": """
+- Logon Events: 4624, 4634, 4672.
+- Administrative Shares: 5140.
+- RDP Session Events: 4778, 4779.
+            """
+        },
+        {
+            "title": "PowerShell Logs",
+            "content": """
+- 4104: Script block logging.
+- Transcript logs: Logs all commands and their output.
+            """
+        },
+        {
+            "title": "System Logs for Analysis",
+            "content": """
+- Security Logs: Detect process execution.
+- Application Logs: Identify crashes and anomalies.
+            """
+        },
+        {
+            "title": "Key Event IDs",
+            "content": """
+- 4624: Logon method (e.g., console, network, RDP).
+- 4672: Logon with admin privileges.
+- 5140: Identifies administrative shares potentially mounted by attackers.
+            """
+        },
+        {
+            "title": "RDP Events",
+            "content": """
+- TerminalServices-RDPClient: Logs destination hostname/IP for outgoing RDP sessions.
+- 4778/4779: Tracks reconnect and disconnect events, including remote machine IP and hostname.
+            """
+        },
+        {
+            "title": "System and Application Logs",
+            "content": """
+- Useful for identifying malware execution through warning and error events.
+- Security Logs: Can track process execution, file access, and PsExec usage.
+            """
+        },
+        {
+            "title": "PowerShell Event Logs",
+            "content": """
+- Event 4104: Logs PowerShell script block execution.
+- Transcript logs: Capture all commands typed and their output.
+            """
+        }
+    ]