diff --git a/NIST_Data_Leakage_Case/NIST_Data_Leakage_02._WinEvt_XML.pptx b/NIST_Data_Leakage_Case/NIST_Data_Leakage_02._WinEvt_XML.pptx index 42bccad..614a2e6 100644 Binary files a/NIST_Data_Leakage_Case/NIST_Data_Leakage_02._WinEvt_XML.pptx and b/NIST_Data_Leakage_Case/NIST_Data_Leakage_02._WinEvt_XML.pptx differ diff --git a/STIX_external_reference/readme.md b/STIX_external_reference/readme.md index 2591543..e355f6b 100644 --- a/STIX_external_reference/readme.md +++ b/STIX_external_reference/readme.md @@ -1,3 +1,19 @@ +# Cyber-observable Objects for Digital Forensics + +## The goal of the project is to create a list of customized STIX™ Cyber-observable Objects for facilitating digital forensic investigations. We follow the STIX specification for [customizing objects] (https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_p2sz1mp7z524). The most important rule to create a new object type is: + +- The value of the type property in a Custom Object SHOULD start with “x-” followed by a source unique identifier (like a domain name with dots replaced by hyphens),
a hyphen and then the name. For example, x-example-com-customobject. + +--- + +## Table of Contents (updating) + +- Case Study + - [Investigating NIST Data Leakage](#Investigating-NIST-Data-Leakage) + - [Investigating Illegal Possession of Images](#Investigating-Illegal-Possession-of-Images) + - [Investigating Email Harassment](#Investigating-Email-Harassment) +- [Tools Used](#Tools-Used) + ## threat-actor-type-ov external reference | Vocabulary Value | Description | 
@@ -15,29 +31,80 @@ | insider-disgruntled-espionage | | | insider-disgruntled-embarrassing | | | insider-disgruntled-harassing | | -| illegal-possessor | An individual that owns, produces, distributes illegal information and device | +| illegal-possessor | An individual that owns, produces, distributes illegal information and device. | | online- predators | An individual that makes sexual advances to minors. | -## Windows Security Event Object +## Windows Event Object -**Type Name:** x-windows-security-evt +**Type Name:** x-windows-evt ## Properties -| Property Name | Type | Description | -| ------------------ | ---------- | -------------------------------------------------------- | -| type (required) | string | The value of this property MUST be windows-security-evt. | -| id (required) | identifier | The ID of a secuity type | -| level | integer | | -| task | integer | | -| opcode | integer | | -| created (required) | timestamp | | -| record | integer | | -| process | integer | | -| thread | integer | | -| computer | string | The name of the computer | -| user | string | The security user ID | -| belongs_to_ref | identity | The relation describes that the source is a part of file | +| Property Name | Type | Description | +| ------------------------- | ---------- | -------------------------------------------------------------------------------------- | +| type (required) | string | The value of this property MUST be windows-security-evt. | +| id (required) | identifier | The ID of a secuity type. | +| log_name (required) | enum | The value of this property MUST come from the log-nam-enum enumeration. | +| logged_time (required) | timestamp | | +| source | string | | +| event_id | integer | | +| task_category | string | | +| computer | string | The name of the computer. | +| user_account_ref | identifier | The user account that is associated with the evewnt. 
| +| belongs_to_ref (required) | identity | The relation describes that event is a part of file or artifact (e.g., cache, memory). | + +## Relationships + +| Source | Relationship Type | Target | Description | +| ------ | ----------------- | ------ | ----------- | + +## Log Name Enumeration + +**Enumeration Name:** log-name-enum + +| Vocabulary Value | Description | +| ---------------- | ----------- | +| application | | +| security | | +| setup | | +| system | | +| forwarded-events | | + +```json +{ + "type": "x-windows-evt", + "spec_version": "2.1", + "id": "x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", + "log_name": "security", + "logged_time": "2021-01-06T20:03:00.000Z", + "source": "Microsoft Windows security auditing.", + "event_id": "4624", + "task_category ": "Logon", + "computer": "ryzen3790-xu", + "user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb", + "belongs_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a" +} +``` + +## Browser History Event Object + +**Type Name:** x-browser-history-evt + +## Properties + +| Property Name | Type | Description | +| ------------------------- | ---------- | -------------------------------------------------------------------------------------- | +| type (required) | string | The value of this property MUST be browser-history. | +| id (required) | identifier | The ID of a browser history record. | +| url | string | | +| title | string | The title of a web page has been visited. | +| visit_time | timestamp | The last time visited. | +| visit_count | integer | The number of times visited | +| browser_name | string | The values for this property SHOULD come from the browser-name-ov open vocabulary. | +| browser_ref | identifier | The value type for this property SHOULD software. | +| file_requested_ref | identifier | The ID of the file the http requested. | +| user_account_ref | identifier | The user account that is associated with record. 
| +| belongs_to_ref (required) | identifier | The relation describes that event is a part of file or artifact (e.g., cache, memory). | ## Relationships 
@@ -46,66 +113,24 @@ ```json { - "type": "x-windows-security-evt", + "type": "x-browser-history-evt", "spec_version": "2.1", - "id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", - "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", - "created": "2016-04-06T20:03:00.000Z", - "level": 0, - "opcode": 0, - "record": 1101704, - "proces": 58, - "thread": 511, - "Computer": "DC01.contoso.local", - "belongs_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a" + "id": "x-browser-history-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", + "url": "https://www.ubalt.edu/cpa/undergraduate-majors-and-minors/majors/cyber-forensics/", + "title": "B.S. in Cyber Forensics | University of Baltimore", + "visit-time": "2021-01-06T20:03:22.000Z", + "visit-count": 2, + "browser_name": "chrome", + "browser_ref": "software--db997c40-458d-4da6-a339-6eef90cf325e", + "file_requested_ref ": "file--10624790-0e43-4498-89da-8979ab4215ae", + "user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb", + "belongs_to_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f" } ``` -## Browser History Record Object +## Browser Name Open Vocabulary -**Type Name:** x-browser-history-record - -## Properties - -| Property Name | Type | Description | -| ------------------ | ----------------------- | ----------------------------------------------------------------------------------------------------------------- | -| type (required) | string | The value of this property MUST be browser-history | -| id (required) | identifier | The ID of a browser history record | -| url | string | | -| title | string | The title of a web page has been visited | -| visit-time | timestamp | | -| visit-count | integer | The number of times visited | -| browser-type | identifier | The values for this property SHOULD come from the browser-type-ov open vocabulary. 
| -| file-requested_ref | identifier | The ID of the file the requst requested | -| computer | string | The name of the computer | -| user-account | identifier | The user-account that is associated with record | -| belongs_to_ref | list of type identifier | The source of object. The objects referenced in this list MUST be of type file or artifact (e.g., cache, memory). | - -## Relationships - -| Source | Relationship Type | Target | Description | -| ------ | ----------------- | ------ | ----------- | - -```json -{ - "type": "windows-security-evt", - "spec_version": "2.1", - "id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", - "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", - "created": "2016-04-06T20:03:00.000Z", - "level": 0, - "opcode": 0, - "record": 1101704, - "proces": 58, - "thread": 511, - "Computer": "DC01.contoso.local", - "belongs_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a" -} -``` - -## Browser Type Open Vocabulary - -Vocabulary Name: browser-type-ov +Vocabulary Name: browser-name-ov | ocabulary Value | Description | | --------------- | ------------------------------ | @@ -128,3 +153,4 @@ Vocabulary Name: browser-type-ov - [Event Logging Structures](https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging-structures?redirectedfrom=MSDN) - https://github.com/libyal/libevt/blob/main/documentation/Windows%20Event%20Log%20(EVT)%20format.asciidoc - https://github.com/williballenthin/python-evtx +- https://www.loggly.com/ultimate-guide/windows-logging-basics/#:~:text=The%20Windows%20event%20log%20contains,For%20example%2C%20IIS%20Access%20Logs.
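Review bot: In the `@@ -1,3 +1,19 @@` hunk of STIX_external_reference/readme.md, the whole "The goal of the project is..." paragraph is set as a `##` heading, so it renders as a multi-sentence H2; make it a plain paragraph under the `# Cyber-observable Objects for Digital Forensics` title. The link `[customizing objects] (https://docs.oasis-open.org/...)` has a space between `]` and `(`, which stops Markdown from rendering it as a link. Also, the naming rule quoted in the bullet ("x-" followed by a source unique identifier such as a domain name, then a hyphen and the name, e.g. `x-example-com-customobject`) is not followed by the type names introduced later in this patch (`x-windows-evt`, `x-browser-history-evt`), which carry no source identifier; either add one or state explicitly that the project deviates from the rule it cites. The Table of Contents anchors (`#Investigating-NIST-Data-Leakage`, `#Tools-Used`, ...) point at headings that do not appear in this patch; confirm they exist in the file, since the section is marked "(updating)".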
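Review bot: In the `@@ -15,29 +31,80 @@` hunk, the object is renamed to `x-windows-evt` but the property table still says `The value of this property MUST be windows-security-evt.`; it should read `x-windows-evt`, which is what the JSON example actually uses. The `log_name` row refers to the `log-nam-enum` enumeration while the enumeration is declared as `log-name-enum`. `belongs_to_ref` has type `identity` in this table but `identifier` in the browser table below, and the example references a `file--...` id, so `identifier` is the right type. In the JSON example, `"event_id": "4624"` is a string although the table types it as integer, and the keys `"task_category "` and `"user_account_ref "` contain trailing spaces inside the quotes, so a consumer validating against the property names will not match them; detection or timeline tooling keyed on event IDs such as 4624 would silently miss these fields. The browser-history table has the same kind of drift: `type` says `MUST be browser-history` while the Type Name is `x-browser-history-evt`, and `browser_ref` reads "SHOULD software" (missing "be"). Typos to fix while here: `secuity`, `evewnt`, and the empty Relationships table that carries only a header row.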
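Review bot: In the `@@ -46,66 +113,24 @@` hunk, the browser-history JSON example uses `"visit-time"` and `"visit-count"` with hyphens, whereas the property table in the previous hunk defines `visit_time` and `visit_count` with underscores; one spelling must be chosen (the rest of the object uses underscores). `"file_requested_ref "` and `"user_account_ref "` again have trailing spaces inside the key names. The unchanged context line `| ocabulary Value | Description |` is missing the leading `V` of "Vocabulary"; since the `Vocabulary Name: browser-name-ov` line directly above it is being edited, fixing the header in the same change would be cheap.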
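Review bot: In the `@@ -128,3 +153,4 @@` hunk, the added loggly.com reference ends in a `#:~:text=...` text-fragment suffix, which is a browser scroll-to-text artifact rather than part of the document address; trim it to the page URL. The list also mixes one titled Markdown link (`[Event Logging Structures](...)`) with bare URLs; giving the new entry a title would keep the reference list consistent.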