/
win10softwareinstall.toml
67 lines (55 loc) · 2.54 KB
/
win10softwareinstall.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
#This is the template for What2Log entries
# Meta data about this w2l entry
title = "Software Installed"
W2L_schema = 1
author = "Flynn Weeks"
##author.organization = "InfoSec Innovations"
##credits = [ "Mick Douglas", "Tee Cure" ]
release.version = "Ash"
release.date = 2021-09-08
category = "Application"
tags = ["Application Activity"]
# About this log type
suggested_log_level = "Minimum" #Minimum, Ideal, Extreme, or Special Case
source.os = [ "Windows 10" , "Windows 7" ] # App.os if application logs
source.service = "Microsoft Windows security auditing."
source.log = "Application"
default_enabled = true
collect_reason = """\
Many attacks rely on software being installed and this log \
can signal who and what installed the software that may cause \
a vulnerability. It can also be used to make sure that only authorized \
apps are being installed.
"""
# Additional References Go Here
references = [
"https://docs.microsoft.com/en-us/windows/win32/msi/event-logging"
]# repeat as needed
# Log Pile
[log_pile]
language = "Powershell" #Language for Log Pile
view_logs = """Get-WinEvent -FilterHashTable @{LogName='Application';ID='11707'} -MaxEvents 1 | Format-List""" #How to view log
# Compliance & framework information
# Format is level and reference under the header [compliance.name]
# Only include relevant frameworks
[compliance.HIPAA]
level = "Recommended" # Compliance requirement
reference = "https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?language=es" # Reference for compliance
# repeat as needed
#Enabled by default-section removed
# View via GUI
[[GUI.view]]
img = "/SoftwareInstall/WEV.png"
txt = """Changes made to a security group are automatically logged and \
can be viewed in the application tab of the Event Viewer. However, it is \
important to note windows only logs events that are done through the \
MsiInstaller in this log. To view these logs, sort or filter by event ID 11707."""
# repeat as needed
# View via CLI
[[CLI.view]]
img = "/SoftwareInstall/CLI-gwe.png"
txt = """To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command ```Get-WinEvent -FilterHashTable @{LogName='Application';ID='11707'} -MaxEvents 1 | Format-List```"""
[[CLI.view]]
img = "/SoftwareInstall/CLI-wevt.png"
txt = 'To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the command```wevtutil qe Application "/q:*[System [(EventID=11707)]]" /f:text /c:1```'
# repeat as needed