Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added ScreenConnect event log artifacts. #38

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Added ScreenConnect event log artifacts. #38

wants to merge 6 commits into from

Conversation

acgabbert
Copy link

Hey team, feel free to let me know if any files should be removed from this PR - was unsure if you want just the YAML file in the commit, or everything that changed.

Thanks!

@nasbench
Copy link
Member

nasbench commented Oct 8, 2024

Hey @acgabbert only the Yamls need to be changed, the rest is generated.

@acgabbert
Copy link
Author

Thanks @nasbench ! Updated the PR accordingly

Koifman
Koifman reviewed Oct 12, 2024
View reviewed changes
yaml/screenconnect.yaml Outdated Show resolved Hide resolved
Koifman
Koifman reviewed Oct 12, 2024
View reviewed changes
yaml/screenconnect.yaml Outdated Show resolved Hide resolved
Koifman
Koifman reviewed Oct 12, 2024
View reviewed changes
yaml/screenconnect.yaml Outdated Show resolved Hide resolved
Koifman
Koifman reviewed Oct 12, 2024
View reviewed changes
yaml/screenconnect.yaml Outdated Show resolved Hide resolved
Koifman
Koifman reviewed Oct 12, 2024
View reviewed changes
yaml/screenconnect.yaml Outdated Show resolved Hide resolved
@acgabbert
Copy link
Author

Hey @Koifman , thanks for taking a look. I've made some updates and additions to this PR.

nasbench
nasbench requested changes Nov 16, 2024
View reviewed changes
yaml/screenconnect.yaml
Comment on lines +58 to +73
- EventID: 20
ProviderName: ScreenConnect
LogFile: Application.evtx
Data: Logs network information (e.g. connection created successfully, connection attempt failed)
- EventID: 100
ProviderName: ScreenConnect
LogFile: Application.evtx
Data: User connected
- EventID: 101
ProviderName: ScreenConnect
LogFile: Application.evtx
Data: User disconnected
- EventID: 200
ProviderName: ScreenConnect
LogFile: Application.evtx
Data: Executed command on host
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just FYI the fields aren't standard but are related to the provider, so no "Service Name" for example because that's related to EID 7045.
In this case you need to provide the message that is shown in the event log in the data field or a specific field.

For me to evaluate this i need to see the logs. The blog that you linked in the reference doesn't contain refs to those EIDs. So please if you could provide the data for me to review that would be great.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Koifman Koifman Koifman left review comments

@nasbench nasbench nasbench requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
author input required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@acgabbert @nasbench @Koifman