def get_content():
    """
    Return structured reference content for Windows event log analysis.

    Returns:
        list[dict[str, str]]: one entry per topic, each holding a ``"title"``
        and a multi-line ``"content"`` string of bullet points. Every content
        string starts and ends with a newline, exactly like the triple-quoted
        literals it was built from.

    Notes:
        The topics are kept in their published order even though several
        overlap (e.g. "Important Event IDs" vs "Key Event IDs", "PowerShell
        Logs" vs "PowerShell Event Logs"); callers that index into the list
        rely on the entry count, so nothing is merged here.
        The Security-log event IDs referenced below are only recorded when
        the corresponding audit policy (logon/logoff, file share, ...) is
        enabled, and 4104 requires PowerShell script block logging to be
        turned on — an analyst should confirm the policy before treating an
        absent event as evidence of absence.
    """
    # (title, bullet lines) pairs; the bullets are re-joined below so each
    # content string reproduces the shape of the original triple-quoted block.
    sections = (
        (
            "Important Event IDs",
            (
                # 4624 successful logon, 4634 logoff, 4672 special privileges
                # assigned to a new logon (admin-equivalent rights).
                "- Logon Events: 4624, 4634, 4672.",
                # 5140: a network share object was accessed.
                "- Administrative Shares: 5140.",
                # 4778 session reconnected, 4779 session disconnected.
                "- RDP Session Events: 4778, 4779.",
            ),
        ),
        (
            "PowerShell Logs",
            (
                # 4104 lives in Microsoft-Windows-PowerShell/Operational.
                "- 4104: Script block logging.",
                "- Transcript logs: Logs all commands and their output.",
            ),
        ),
        (
            "System Logs for Analysis",
            (
                # Process execution shows up in the Security log only when
                # process-creation auditing is enabled.
                "- Security Logs: Detect process execution.",
                "- Application Logs: Identify crashes and anomalies.",
            ),
        ),
        (
            "Key Event IDs",
            (
                # The logon method is the "Logon Type" field of 4624.
                "- 4624: Logon method (e.g., console, network, RDP).",
                "- 4672: Logon with admin privileges.",
                "- 5140: Identifies administrative shares potentially mounted by attackers.",
            ),
        ),
        (
            "RDP Events",
            (
                # Client-side channel: records outbound RDP destinations.
                "- TerminalServices-RDPClient: Logs destination hostname/IP for outgoing RDP sessions.",
                "- 4778/4779: Tracks reconnect and disconnect events, including remote machine IP and hostname.",
            ),
        ),
        (
            "System and Application Logs",
            (
                "- Useful for identifying malware execution through warning and error events.",
                "- Security Logs: Can track process execution, file access, and PsExec usage.",
            ),
        ),
        (
            "PowerShell Event Logs",
            (
                "- Event 4104: Logs PowerShell script block execution.",
                "- Transcript logs: Capture all commands typed and their output.",
            ),
        ),
    )

    def _as_block(lines):
        # Leading and trailing newline mirror a triple-quoted literal whose
        # opening and closing quotes sit on their own lines.
        return "\n" + "\n".join(lines) + "\n"

    return [
        {"title": title, "content": _as_block(lines)}
        for title, lines in sections
    ]