Updated Microsoft-Windows-Security-Auditing

- Added event samples (friendly view and xml)

windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4697.yml

@@ -72,6 +72,29 @@ tags:
 - System
 - Audit Security System Extension
 event_sample:
+- format: friendly view
+  sample: |-
+    Log Name:      Security 
+    Source:        Microsoft-Windows-Security-Auditing 
+    Date:          9/14/2022 8:55:42 PM 
+    Event ID:      4697 
+    Task Category: Security System Extension 
+    Level:         Information 
+    Keywords:      Audit Success 
+    User:          N/A 
+    Computer:      pedro-computer 
+    Description:   A service was installed in the system.
+    Subject: 
+      Security ID:		PEDRO-COMPUTER\pedro-admin 
+      Account Name:		pedro-admin 
+      Account Domain:		PEDRO-COMPUTER 
+      Logon ID:		0x107482C 
+    Service Information: 
+      Service Name: 		PersistentService2 
+      Service File Name:	C:\Users\pedro\AppData\Local\Temp\persistence.exe 
+      Service Type: 		0x10 
+      Service Start Type:	2 
+      Service Account: 		LocalSystem 
 - format: xml
   sample: |-
     <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
@@ -83,23 +106,23 @@ event_sample:
         <Task>12289</Task> 
         <Opcode>0</Opcode> 
         <Keywords>0x8020000000000000</Keywords> 
-        <TimeCreated SystemTime="2022-08-09T02:08:30.109718300Z" /> 
-        <EventRecordID>251716</EventRecordID> 
-        <Correlation ActivityID="{c2f198f9-abad-0000-039a-f1c2adabd801}" /> 
-        <Execution ProcessID="584" ThreadID="640" /> 
+        <TimeCreated SystemTime="2022-09-15T03:55:42.431355000Z" /> 
+        <EventRecordID>234504</EventRecordID> 
+        <Correlation ActivityID="{cf6cb87c-ae9a-0000-91b9-6ccf9aaed801}" /> 
+        <Execution ProcessID="616" ThreadID="7728" /> 
         <Channel>Security</Channel> 
-        <Computer>Pedro01</Computer> 
+        <Computer>pedro-computer</Computer> 
         <Security /> 
       </System> 
       <EventData> 
-        <Data Name="SubjectUserSid">S-1-5-18</Data> 
-        <Data Name="SubjectUserName">PEDRO01$</Data> 
-        <Data Name="SubjectDomainName">WORKGROUP</Data> 
-        <Data Name="SubjectLogonId">0x3e7</Data> 
-        <Data Name="ServiceName">WpnUserService_abae2</Data> 
-        <Data Name="ServiceFileName">C:\Windows\system32\svchost.exe -k UnistackSvcGroup</Data> 
-        <Data Name="ServiceType">0xe0</Data> 
+        <Data Name="SubjectUserSid">S-1-5-21-3768430097-3400800235-1714852860-1001</Data> 
+        <Data Name="SubjectUserName">pedro-admin</Data> 
+        <Data Name="SubjectDomainName">PEDRO-COMPUTER</Data> 
+        <Data Name="SubjectLogonId">0x107482c</Data> 
+        <Data Name="ServiceName">PersistentService2</Data> 
+        <Data Name="ServiceFileName">C:\Users\pedro\AppData\Local\Temp\persistence.exe</Data> 
+        <Data Name="ServiceType">0x10</Data> 
         <Data Name="ServiceStartType">2</Data> 
         <Data Name="ServiceAccount">LocalSystem</Data> 
       </EventData> 
-    </Event>
+    </Event> 

windows/etw-providers/Microsoft-Windows-Security-Auditing/events/event-4698.yml

@@ -53,3 +53,152 @@ tags:
 - etw_task_task_0
 - Object Access
 - Audit Other Object Access Events
+event_sample:
+- format: friendly view
+  sample: |-
+    Log Name:      Security 
+    Source:        Microsoft-Windows-Security-Auditing 
+    Date:          9/12/2022 7:44:00 AM 
+    Event ID:      4698 
+    Task Category: Other Object Access Events 
+    Level:         Information 
+    Keywords:      Audit Success 
+    User:          N/A 
+    Computer:      pedro-computer 
+    Description:   A scheduled task was created. 
+    Subject: 
+      Security ID:		PEDRO-COMPUTER\pedro-admin 
+      Account Name:		pedro-admin 
+      Account Domain:		PEDRO-COMPUTER 
+      Logon ID:		0x10D8F33 
+    Task Information: 
+      Task Name: 		\PERSISTENCE 
+      Task Content: 		<?xml version="1.0" encoding="UTF-16"?> 
+    <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> 
+      <RegistrationInfo> 
+        <Date>2022-09-12T07:44:00</Date> 
+        <Author>PEDRO-COMPUTER\pedro-admin</Author> 
+        <URI>\PERSISTENCE</URI> 
+      </RegistrationInfo> 
+      <Triggers> 
+        <TimeTrigger> 
+          <Repetition> 
+            <Interval>PT1M</Interval> 
+            <StopAtDurationEnd>false</StopAtDurationEnd> 
+          </Repetition> 
+          <StartBoundary>2022-09-12T07:44:00</StartBoundary> 
+          <Enabled>true</Enabled> 
+        </TimeTrigger> 
+      </Triggers> 
+      <Settings> 
+        <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> 
+        <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> 
+        <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> 
+        <AllowHardTerminate>true</AllowHardTerminate> 
+        <StartWhenAvailable>false</StartWhenAvailable> 
+        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> 
+        <IdleSettings> 
+          <Duration>PT10M</Duration> 
+          <WaitTimeout>PT1H</WaitTimeout> 
+          <StopOnIdleEnd>true</StopOnIdleEnd> 
+          <RestartOnIdle>false</RestartOnIdle> 
+        </IdleSettings> 
+        <AllowStartOnDemand>true</AllowStartOnDemand> 
+        <Enabled>true</Enabled> 
+        <Hidden>false</Hidden> 
+        <RunOnlyIfIdle>false</RunOnlyIfIdle> 
+        <WakeToRun>false</WakeToRun> 
+        <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> 
+        <Priority>7</Priority> 
+      </Settings> 
+      <Actions Context="Author"> 
+        <Exec> 
+          <Command>C:\Users\persistence\persistence.exe</Command> 
+        </Exec> 
+      </Actions> 
+      <Principals> 
+        <Principal id="Author"> 
+          <UserId>PEDRO-COMPUTER\pedro-admin</UserId> 
+          <LogonType>InteractiveToken</LogonType> 
+          <RunLevel>LeastPrivilege</RunLevel> 
+        </Principal> 
+      </Principals> 
+    </Task> 
+- format: xml
+  sample: |-
+    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
+      <System> 
+        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> 
+        <EventID>4698</EventID> 
+        <Version>0</Version> 
+        <Level>0</Level> 
+        <Task>12804</Task> 
+        <Opcode>0</Opcode> 
+        <Keywords>0x8020000000000000</Keywords> 
+        <TimeCreated SystemTime="2022-09-12T14:44:00.897503800Z" /> 
+        <EventRecordID>140595</EventRecordID> 
+        <Correlation ActivityID="{cf6cb87c-ae9a-0000-91b9-6ccf9aaed801}" /> 
+        <Execution ProcessID="616" ThreadID="7728" /> 
+        <Channel>Security</Channel> 
+        <Computer>pedro-computer</Computer> 
+        <Security /> 
+      </System> 
+      <EventData> 
+        <Data Name="SubjectUserSid">S-1-5-21-3768430097-3400800235-1714852860-1001</Data> 
+        <Data Name="SubjectUserName">pedro-admin</Data> 
+        <Data Name="SubjectDomainName">PEDRO-COMPUTER</Data> 
+        <Data Name="SubjectLogonId">0x10d8f33</Data> 
+        <Data Name="TaskName">\PERSISTENCE</Data> 
+        <Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt; 
+          &lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt; 
+            &lt;RegistrationInfo&gt; 
+              &lt;Date&gt;2022-09-12T07:44:00&lt;/Date&gt; 
+              &lt;Author&gt;PEDRO-COMPUTER\pedro-admin&lt;/Author&gt; 
+              &lt;URI&gt;\PERSISTENCE&lt;/URI&gt; 
+            &lt;/RegistrationInfo&gt; 
+            &lt;Triggers&gt; 
+              &lt;TimeTrigger&gt; 
+                &lt;Repetition&gt; 
+                  &lt;Interval&gt;PT1M&lt;/Interval&gt; 
+                  &lt;StopAtDurationEnd&gt;false&lt;/StopAtDurationEnd&gt; 
+                &lt;/Repetition&gt; 
+                &lt;StartBoundary&gt;2022-09-12T07:44:00&lt;/StartBoundary&gt; 
+                &lt;Enabled&gt;true&lt;/Enabled&gt; 
+              &lt;/TimeTrigger&gt; 
+            &lt;/Triggers&gt; 
+            &lt;Settings&gt; 
+              &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt; 
+              &lt;DisallowStartIfOnBatteries&gt;true&lt;/DisallowStartIfOnBatteries&gt; 
+              &lt;StopIfGoingOnBatteries&gt;true&lt;/StopIfGoingOnBatteries&gt; 
+              &lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt; 
+              &lt;StartWhenAvailable&gt;false&lt;/StartWhenAvailable&gt; 
+              &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt; 
+              &lt;IdleSettings&gt; 
+                &lt;Duration&gt;PT10M&lt;/Duration&gt; 
+                &lt;WaitTimeout&gt;PT1H&lt;/WaitTimeout&gt; 
+                &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt; 
+                &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt; 
+              &lt;/IdleSettings&gt; 
+              &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt; 
+              &lt;Enabled&gt;true&lt;/Enabled&gt; 
+              &lt;Hidden&gt;false&lt;/Hidden&gt; 
+              &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt; 
+              &lt;WakeToRun&gt;false&lt;/WakeToRun&gt; 
+              &lt;ExecutionTimeLimit&gt;PT72H&lt;/ExecutionTimeLimit&gt; 
+              &lt;Priority&gt;7&lt;/Priority&gt; 
+            &lt;/Settings&gt; 
+            &lt;Actions Context="Author"&gt; 
+              &lt;Exec&gt; 
+                &lt;Command&gt;C:\Users\persistence\persistence.exe&lt;/Command&gt; 
+              &lt;/Exec&gt; 
+            &lt;/Actions&gt; 
+            &lt;Principals&gt; 
+              &lt;Principal id="Author"&gt; 
+                &lt;UserId&gt;PEDRO-COMPUTER\pedro-admin&lt;/UserId&gt; 
+                &lt;LogonType&gt;InteractiveToken&lt;/LogonType&gt; 
+                &lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt; 
+              &lt;/Principal&gt; 
+            &lt;/Principals&gt; 
+          &lt;/Task&gt;</Data> 
+      </EventData> 
+    </Event>