evtx-baseline

A repository hosting example goodware evtx logs containing sample software installation and basic user interaction

License: Apache-2.0

Donations

If you want to donate, create an issue or contact @phantinuss on Twitter or Keybase. Note that the large files are only published as releases, not in the repository itself.

How the data was produced

  1. Install a Windows VM using a trial license (https://www.microsoft.com/en-us/evalcenter/)
  2. Install Sysmon (http://live.sysinternals.com/tools/Sysmon64.exe) using sysmon-intense.xml, which is a fork of Cyb3rWard0g's config
  3. Increase the Sysmon log size so that events are not lost to log rotation (512MB-1GB were needed for the data in this repo)
  4. Activate logging of process creation events
  5. Activate logging of the process command line
  6. Activate PowerShell Script Block Logging:

     gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn On PowerShell Script Block Logging

  7. Install software and simulate interaction
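The logging setup from steps 2 to 6, as an added PowerShell example that is not part of this repository: it installs Sysmon, raises the Sysmon channel size, enables process creation auditing with command lines, turns on script block logging (the same setting the gpedit.msc path writes), and reads everything back. It assumes Sysmon64.exe and sysmon-intense.xml sit in the current directory and that the prompt is elevated.

```powershell
# Added example: configure the event logging used for the baseline VM.
# Assumption: Sysmon64.exe and sysmon-intense.xml are in the current directory.
$ErrorActionPreference = 'Stop'

# Step 2: install Sysmon with the intense config (skipped if the service exists)
if (-not (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue)) {
    & .\Sysmon64.exe -accepteula -i .\sysmon-intense.xml
}

# Step 3: raise the Sysmon channel to 1 GB so rotation does not drop events
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'
wevtutil sl $sysmonLog /ms:1073741824

# Step 4: audit process creation (Security log, event ID 4688)
auditpol /set /subcategory:"Process Creation" /success:enable

# Step 5: include the command line in 4688 events
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Step 6: PowerShell script block logging (event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational channel)
$psKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $psKey -Force | Out-Null
Set-ItemProperty -Path $psKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Read the settings back so the baseline run starts from a verified state
$maxBytes = (Get-WinEvent -ListLog $sysmonLog).MaximumSizeInBytes
"Sysmon log max size: $($maxBytes / 1MB) MB"
auditpol /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled'
Get-ItemProperty -Path $psKey -Name 'EnableScriptBlockLogging'
```

A domain GPO that sets the same policy keys will overwrite the registry values on the next gpupdate, which is why the Windows 2022 AD setup below changes the default GPO instead.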

Windows 10 Software and Interaction

Installed Software

(performed by https://ninite.com/)

  • Web Browsers
    • Chrome
    • Opera
    • Firefox
  • File Sharing
  • Compression
    • 7zip
    • WinRAR
  • Messaging
    • Zoom
    • Pidgin
    • Thunderbird
  • Other
    • Evernote
    • Keepass 2
    • Everything
  • Media
    • iTunes
    • VLC
    • Audacity
    • Spotify
  • Runtimes
    • Java (AdoptOpenJDK) x64
    • .NET Runtime x64 5+6
  • Developer Tools
    • Python x64 3
    • Filezilla
    • Notepad++
    • WinSCP
    • PuTTY
    • WinMerge
    • Eclipse
    • VS Code
  • Imaging
    • Paint.NET
    • Gimp
    • IrfanView
    • XnView
    • Inkscape
    • Greenshot
  • Documents
    • Foxit Reader
    • LibreOffice
  • Online Storage
    • Dropbox
    • Google Drive
    • OneDrive
  • Security
  • Utilities
    • Teamviewer
    • WinDirStat

User Interaction

- Surf some websites
    - Download a PDF and open it
- Chrome: download and install the MS Office trial
- Run WinDirStat
- Take a screenshot in Greenshot; open it in XnView/IrfanView
- Execute java --version
- Open FileZilla to a bogus FTP server
- Open the Sysmon config in Notepad++
- VS Code: install PowerShell and Python extensions
- PuTTY to localhost
- WinSCP to localhost
- Open WinMerge
- Search with Everything
- Pack and extract using 7zip
- Pack and extract using WinRAR

Windows 2022 AD Interaction

- Install from ISO
- Install Sysmon
- Configure logs
- Connect network
- Add AD role
- Update OS
- Add user1 and user2
- Install Win10 for the client
- Connect DESTOP-S5D8VB9 to the domain
- Add group sigma
- Add user1 to the sigma group
- Log in as user2 on destop
- Change the default GPO to enable PowerShell logging
- gpupdate /force (client too)
- Create shareme
- Put sysmon64.exe into
- Get and push a new file in shareme from the client