From 80bb4f3d4390eb33583799a8b11e22b2c4753d10 Mon Sep 17 00:00:00 2001
From: Jose Rodriguez
Date: Wed, 29 Jun 2022 15:54:22 -0400
Subject: [PATCH] Windows Sysmon Events: Added new dictionary and event samples

Event samples for: 12,13,18,2,22,23
New dictionary including event sample: 26
---
 windows/sysmon/events/event-12.yml | 13 +++++
 windows/sysmon/events/event-13.yml | 14 ++++++
 windows/sysmon/events/event-18.yml | 13 +++++
 windows/sysmon/events/event-2.yml | 14 ++++++
 windows/sysmon/events/event-22.yml | 14 ++++++
 windows/sysmon/events/event-23.yml | 15 ++++++
 windows/sysmon/events/event-26.yml | 81 ++++++++++++++++++++++++++++++
 7 files changed, 164 insertions(+)
 create mode 100644 windows/sysmon/events/event-26.yml

diff --git a/windows/sysmon/events/event-12.yml b/windows/sysmon/events/event-12.yml
index 176b1bd15..5ab059f5a 100644
--- a/windows/sysmon/events/event-12.yml
+++ b/windows/sysmon/events/event-12.yml
@@ -53,3 +53,16 @@ references:
 - text: TrustedSec Sysmon Community Guide
 link: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/registry-actions.md
 tags: []
+event_sample:
+ - format: xml
+ sample: |-
+
+ -
+ CreateKey
+ 2022-06-29 18:53:12.949
+ {01e2a015-00dd-62bc-7800-000000000500}
+ 2632
+ C:\Windows\system32\ctfmon.exe
+ HKU\S-1-5-21-2073674718-3587034731-622476709-1001\SOFTWARE\Microsoft\Input\TypingInsights
+ DESKTOP-CQF82L6\pedro
+
\ No newline at end of file
diff --git a/windows/sysmon/events/event-13.yml b/windows/sysmon/events/event-13.yml
index cd9c7137d..323168b1c 100644
--- a/windows/sysmon/events/event-13.yml
+++ b/windows/sysmon/events/event-13.yml
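Review bot: The event_sample added to event-12.yml embeds identifiers from what appears to be a real workstation — the TargetObject path carries the full account SID `S-1-5-21-2073674718-3587034731-622476709-1001` and the User value reads `DESKTOP-CQF82L6\pedro` — while every existing sample_value in these dictionaries uses the normalized `DESKTOP-WARDOG\wardog` lab identity. The same host, user and SID recur in the event-13, event-18, event-2, event-22 and event-23 hunks and in the new event-26 sample, and the event-22 QueryResults additionally records a resolved public address. Consider normalizing the captured values to the repository's placeholder identity before merging so the samples stay consistent with the field documentation and do not publish a personal host profile, e.g. (constructed) `HKU\S-1-5-21-<REDACTED-SID>-1001\SOFTWARE\Microsoft\Input\TypingInsights` and `DESKTOP-WARDOG\wardog`.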
@@ -59,3 +59,17 @@ references:
 - text: TrustedSec Sysmon Community Guide
 link: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/registry-actions.md
 tags: []
+event_sample:
+ - format: xml
+ sample: |-
+
+ -
+ SetValue
+ 2022-06-29 18:58:42.007
+ {01e2a015-00dd-62bc-7800-000000000500}
+ 2632
+ C:\Windows\system32\ctfmon.exe
+ HKU\S-1-5-21-2073674718-3587034731-622476709-1001\SOFTWARE\Microsoft\Input\TypingInsights\Insights
+ Binary Data
+ DESKTOP-CQF82L6\pedro
+
\ No newline at end of file
diff --git a/windows/sysmon/events/event-18.yml b/windows/sysmon/events/event-18.yml
index 8841d8a71..072d880f6 100644
--- a/windows/sysmon/events/event-18.yml
+++ b/windows/sysmon/events/event-18.yml
@@ -53,3 +53,16 @@ references:
 - text: TrustedSec Sysmon Community Guide
 link: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/named-pipes.md
 tags: []
+event_sample:
+ - format: xml
+ sample: |-
+
+ -
+ ConnectPipe
+ 2022-06-29 19:02:29.022
+ {01e2a015-0003-62bc-1b00-000000000500}
+ 676
+ \VBoxTrayIPC-pedro
+ C:\Windows\System32\VBoxService.exe
+ NT AUTHORITY\SYSTEM
+
\ No newline at end of file
diff --git a/windows/sysmon/events/event-2.yml b/windows/sysmon/events/event-2.yml
index de2d8b632..360e6e35e 100644
--- a/windows/sysmon/events/event-2.yml
+++ b/windows/sysmon/events/event-2.yml
@@ -59,3 +59,17 @@ references:
 - text: TrustedSec Sysmon Community Guide
 link: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/file-create-time-change.md
 tags: []
+event_sample:
+- format: xml
+ sample: |-
+
+ -
+ 2022-06-29 18:37:12.607
+ {01e2a015-752e-62bc-2e03-000000000500}
+ 1836
+ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+ C:\Users\pedro\AppData\Local\Microsoft\Edge\User Data\6403de3a-d41b-499a-85f6-6ca715a2c53e.tmp
+ 2022-06-28 16:50:17.602
+ 2022-06-29 18:37:12.607
+ DESKTOP-CQF82L6\pedro
+
\ No newline at end of file
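Review bot: The `event_sample` list item in event-2.yml is written `- format: xml` with no leading indent, whereas the event-12, event-13, event-18, event-22, event-23 and event-26 hunks indent the item under the key (`+ - format: xml`). Both forms parse, but the `sample` block scalar then sits at a different nesting depth in this one file, which is exactly the kind of drift a schema check or a loader that walks `event_sample` across all dictionaries will eventually trip over. Align this file with the others, e.g. `event_sample:` / `  - format: xml` / `    sample: |-`.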
diff --git a/windows/sysmon/events/event-22.yml b/windows/sysmon/events/event-22.yml
index 37e6bb7ca..d962ccf02 100644
--- a/windows/sysmon/events/event-22.yml
+++ b/windows/sysmon/events/event-22.yml
@@ -59,3 +59,17 @@ references:
 - text: TrustedSec Sysmon Community Guide
 link: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/dns-query.md
 tags: []
+event_sample:
+ - format: xml
+ sample: |-
+
+ -
+ 2022-06-29 19:06:02.389
+ {01e2a015-a2b2-62bc-ab05-000000000500}
+ 3704
+ checkappexec.microsoft.com
+ 0
+ type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-west-1-fe.westus.cloudapp.azure.com;::ffff:40.78.63.86;
+ C:\Windows\System32\smartscreen.exe
+ DESKTOP-CQF82L6\pedro
+
\ No newline at end of file
diff --git a/windows/sysmon/events/event-23.yml b/windows/sysmon/events/event-23.yml
index 6568efce8..2216993e3 100644
--- a/windows/sysmon/events/event-23.yml
+++ b/windows/sysmon/events/event-23.yml
@@ -71,3 +71,18 @@ references:
 - text: Sysmon 11 - FileDelete events
 link: https://medium.com/falconforce/sysmon-11-dns-improvements-and-filedelete-events-7a74f17ca842
 tags: []
+event_sample:
+ - format: xml
+ sample: |-
+
+ -
+ 2022-06-29 19:25:26.450
+ {01e2a015-02ee-62bc-0e01-000000000500}
+ 1368
+ NT AUTHORITY\SYSTEM
+ C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2205.7-0\MsMpEng.exe
+ C:\ProgramData\Microsoft\Windows Defender\Scans\Scans\History\CacheManager\7A012CB2-69ED-4AFD-BEF6-F12032FAA46E
+ SHA1=A35327FFEBFF1BBA6499C087CD8E1A73C12586E9,MD5=3CEB4359DFE139A2AFF614B7C7AE7DC7,SHA256=895578306B9F70AE5F670564BB039A66B0D77775D98994EE19D2ABEA0876B2D5,IMPHASH=00000000000000000000000000000000
+ false
+ true
+
\ No newline at end of file
diff --git a/windows/sysmon/events/event-26.yml b/windows/sysmon/events/event-26.yml
new file mode 100644
index 000000000..82c5e0326
--- /dev/null
+++ b/windows/sysmon/events/event-26.yml
@@ -0,0 +1,81 @@
+name: 'Event ID 26: FileDeleteDetected (File Delete logged)'
+description: A file was deleted.
+platform: windows
+log_source: sysmon
+event_id: '26'
+event_version: '5'
+event_fields:
+- standard_name: tag
+ standard_type: TBD
+ name: RuleName
+ type: string
+ description: custom tag mapped to event. i.e ATT&CK technique ID
+ sample_value: T1114
+- standard_name: event_creation_time
+ standard_type: TBD
+ name: UtcTime
+ type: date
+ description: Time in UTC when event was created
+ sample_value: 4/11/18 6:28
+- standard_name: process_guid
+ standard_type: TBD
+ name: ProcessGuid
+ type: string
+ description: Process Guid of the process that deleted the file
+ sample_value: '{A98268C1-959E-5ACD-0000-0010236E0300}'
+- standard_name: process_id
+ standard_type: TBD
+ name: ProcessId
+ type: integer
+ description: Process ID used by the os to identify the process that deleted the file
+ sample_value: '1896'
+- standard_name: process_file_path
+ standard_type: TBD
+ name: Image
+ type: string
+ description: File path of the process that deleted the file
+ sample_value: C:\WINDOWS\system32\explorer.exe
+- standard_name: user_name
+ standard_type: TBD
+ name: User
+ type: string
+ description: Name of the account who deleted the file.
+ sample_value: DESKTOP-WARDOG\wardog
+- standard_name: file_name
+ standard_type: TBD
+ name: TargetFilename
+ type: string
+ description: full path name of the deleted file
+ sample_value: C:\Users\wardog\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7G23PHTPHSQ3S2RVKKPS.temp
+- standard_name: TBD
+ standard_type: TBD
+ name: Hashes
+ type: string
+ description: Hashes captured by sysmon driver of the deleted file
+ sample_value: SHA1=B0BF5AC2E81BBF597FAD5F349FEEB32CAC449FA2, MD5=6A255BEBF3DBCD13585538ED47DBAFD7, SHA256=4668BB2223FFB983A5F1273B9E3D9FA2C5CE4A0F1FB18CA5C1B285762020073C, IMPHASH=2505BD03D7BD285E50CE89CEC02B333B
+- standard_name: TBD
+ standard_type: TBD
+ name: IsExecutable
+ type: bool
+ description: TBD
+ sample_value: TBD
+references:
+- text: Sysmon Source
+ link: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-23-filedelete-a-file-delete-was-detected
+- text: Sysmon 11 - FileDelete events
+ link: https://medium.com/falconforce/sysmon-11-dns-improvements-and-filedelete-events-7a74f17ca842
+tags: []
+event_sample:
+ - format: xml
+ sample: |-
+
+ -
+ 2022-06-29 19:34:33.740
+ {01e2a015-0004-62bc-2200-000000000500}
+ 1192
+ NT AUTHORITY\SYSTEM
+ C:\Windows\system32\svchost.exe
+ C:\Windows\Prefetch\SPPSVC.EXE-B0F8131B.pf
+ SHA1=7501B6DCEBA3379749BEA17751AF10F41D2A55D1,MD5=6E44A50630221D4F99C0941EC808DC90,SHA256=93B0AD70DA6A6429C78DDED50DEE477A2299EC8D74E76E8E71CE11C5F85F1322,IMPHASH=00000000000000000000000000000000
+ false
+
\ No newline at end of file
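Review bot: The first reference in the new event-26.yml links to the Event ID 23 section of the Sysmon page (`#event-id-23-filedelete-a-file-delete-was-detected`) although this dictionary describes Event ID 26; the anchor looks carried over from event-23.yml and should point at the page's FileDeleteDetected (Event ID 26) section instead. `description: A file was deleted.` likewise does not say what separates 26 from 23 — the name already states "File Delete logged", and the event-23 sample in this same patch carries one more trailing field (`true`) than the event-26 sample, which is consistent with 23 archiving the file and 26 only logging it — so something like `description: A file deletion was detected and logged; unlike Event ID 23 the deleted file is not archived.` would make the distinction explicit. Finally, `IsExecutable` is left with `description: TBD` and `sample_value: TBD` while the event sample at the bottom of the file shows it populated with `false`; presumably it flags whether the deleted file was an executable, so documenting that and setting `sample_value: 'false'` would close the gap.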