wazuh.jochheim-edv.de
1514 tcp
aes 20 60 yes yes DE495140S00001 Autohaus-Mense
no 5000 500
Application eventchannel
Security eventchannel Event/System[ EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 ]
System eventchannel
active-response\active-responses.log syslog
no ./shared/win_applications_rcl.txt ./shared/win_malware_rcl.txt
yes yes 12h yes
no 3600
%WINDIR%
%WINDIR%\SysNative
%WINDIR%\SysNative\drivers\etc
%WINDIR%\SysNative\wbem
%WINDIR%\SysNative\WindowsPowerShell\v1.0
%WINDIR%\SysNative
%WINDIR%\System32
%WINDIR%\System32\drivers\etc
%WINDIR%\System32\wbem
%WINDIR%\System32\WindowsPowerShell\v1.0
%WINDIR%\System32
%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup
%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KDC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Classes\batfile
HKEY_LOCAL_MACHINE\Software\Classes\cmdfile
HKEY_LOCAL_MACHINE\Software\Classes\comfile
HKEY_LOCAL_MACHINE\Software\Classes\exefile
HKEY_LOCAL_MACHINE\Software\Classes\piffile
HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects
HKEY_LOCAL_MACHINE\Software\Classes\Directory
HKEY_LOCAL_MACHINE\Software\Classes\Folder
HKEY_LOCAL_MACHINE\Software\Classes\Protocols
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Security
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Security\Policy\Secrets
HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users
\Enum$
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final
60 10 50 yes 5m 10 no yes 3600 yes no yes sha256 100
C:\Windows\NTDS
C:\Windows\SYSVOL
C:\Windows\System32
C:\Windows\SysWOW64
C:\Program Files
C:\Program Files (x86)
C:\Windows\System32
no 1h yes yes yes yes yes yes yes yes yes yes yes 10
no 1h yes yes yes yes yes yes yes yes yes yes 10
yes 1800 1d yes
\\server\jre\bin\java.exe
C:\cis-cat
yes yes
C:\Program Files\osquery\osqueryd
C:\Program Files\osquery\log\osqueryd.results.log
C:\Program Files\osquery\osquery.conf
yes no wpk_root.pem yes plain