From aacc3c58bfaacb61f69749c62c0d651fdee8f6be Mon Sep 17 00:00:00 2001
From: Joachim Metz
Date: Thu, 7 Mar 2024 21:39:04 +0100
Subject: [PATCH] Update windows.yaml

---
 artifacts/data/windows.yaml | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/artifacts/data/windows.yaml b/artifacts/data/windows.yaml
index 68c5dd8d..a75549d3 100644
--- a/artifacts/data/windows.yaml
+++ b/artifacts/data/windows.yaml
@@ -3499,6 +3499,20 @@ sources:
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
+name: WindowsXMLEventLogPowerShell
+doc: PowerShell Windows XML Event Logs.
+sources:
+- type: FILE
+  attributes:
+    paths:
+    - '%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Admin.evtx'
+    - '%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx'
+    - '%%environ_systemroot%%\System32\winevt\Logs\PowerShellCore Operational.evtx'
+    - '%%environ_systemroot%%\System32\winevt\Logs\Windows PowerShell.evtx'
+    separator: '\'
+supported_os: [Windows]
+urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
+---
 name: WindowsXMLEventLogSecurity
 doc: Security Windows XML Event Log.
 sources:
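Review bot: Renaming the definition from `WindowsPowerShellLogs` to `WindowsXMLEventLogPowerShell` (the old definition is dropped in the second hunk) silently breaks any collector or parser configuration that still references the artifact by its old name, and nothing in the commit records the rename. The `doc` line could carry that history, e.g. `doc: PowerShell Windows XML Event Logs (previously named WindowsPowerShellLogs).`, or the old name could be kept as an alternate name if this definition format supports an `aliases` list. Separately, the third path `PowerShellCore Operational.evtx` uses a space where the sibling entries encode the channel's `/` as `%4`; that looks inconsistent and is worth confirming against a real system, since the Operational channels listed here are commonly where PowerShell script block logging is written and a wrong file name means that evidence is never collected.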
@@ -3539,20 +3553,6 @@ sources:
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
 ---
-name: WindowsPowerShellLogs
-doc: Windows PowerShell Logs
-sources:
-- type: FILE
-  attributes:
-    paths:
-    - '%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Admin.evtx'
-    - '%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx'
-    - '%%environ_systemroot%%\System32\winevt\Logs\PowerShellCore Operational.evtx'
-    - '%%environ_systemroot%%\System32\winevt\Logs\Windows PowerShell.evtx'
-    separator: '\'
-supported_os: [Windows]
-urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
----
 name: WinSock2LayeredServiceProviders
 doc: Used to filter TCP/IP traffic through WinSock2.
 sources: