Column A: Application

Description: Observables associated with the use of applications available to defenders before adversary use and difficult for the adversary to modify.

The Application event robustness category groups observables that are collected closest to applications and are potentially modifiable by the user. For example, Windows lets developers create service providers for their tools and applications, and the events those providers emit can be used to build detection analytics. Users can also deploy other frameworks to meet the needs of their own environment. While users might need to download and configure application sensors, the resulting data are available to the defender before an adversary begins their attack.

Observables

Category          Observables
----------------  ------------------------------------------------------------
Scheduled Jobs    Event ID 4698 (Task creation)
                  Event ID 4699 (Task deletion)
                  Event ID 4700 (Task enabled)
                  Event ID 4701 (Task disabled)
                  Event ID 4702 (Task updated)
MSI Installer     Event ID 1040 (Generic Service Resource Availability) [1]
                  Event ID 1042 (Generic Service Resource Availability) [2]
                  Event ID 1033 (Windows Installer Application Installation) [3]
Windows Backup    Event ID 524 (The System Catalog has been deleted) [4]
PowerShell        Event ID 4104 (Creating Scriptblock text) [5]
File              YARA rules [6]
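As an added example (not part of the original table), the following Python parses a Security log Event ID 4698 record rendered as XML, extracts who created the task and what it executes from the embedded TaskContent task definition, and applies a few constructed triage heuristics a defender might start from. The sample event and the directory list are constructed for illustration; the XML namespaces are the real ones used by Windows event and task definitions.

```python
import re
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample of a 4698 (task creation) event as rendered XML; not a real capture.
# TaskContent carries the full task definition as escaped XML, which we parse a second time.
SAMPLE_4698 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Channel>Security</Channel><Computer>WS01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TaskName">\\Updater</Data>
    <Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt;&lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Triggers&gt;&lt;LogonTrigger&gt;&lt;Enabled&gt;true&lt;/Enabled&gt;&lt;/LogonTrigger&gt;&lt;/Triggers&gt;&lt;Actions Context="Author"&gt;&lt;Exec&gt;&lt;Command&gt;powershell.exe&lt;/Command&gt;&lt;Arguments&gt;-w hidden -File C:\\Users\\Public\\u.ps1&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>"""

# Example heuristics only: user-writable locations that rarely host legitimate scheduled payloads.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\programdata\\")


def parse_task_creation(event_xml: str) -> dict:
    """Return subject, task name, trigger types and Exec actions from a 4698 event."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=EVENT_NS) != "4698":
        raise ValueError("not an Event ID 4698 record")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", EVENT_NS)}
    # Drop the embedded XML declaration (UTF-16) before re-parsing the task definition as text.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", data["TaskContent"]).strip()
    task = ET.fromstring(task_xml)
    trig = task.find("t:Triggers", TASK_NS)
    triggers = [] if trig is None else [t.tag.split("}")[1] for t in trig]
    actions = [(e.findtext("t:Command", "", TASK_NS), e.findtext("t:Arguments", "", TASK_NS))
               for e in task.iterfind("t:Actions/t:Exec", TASK_NS)]
    return {
        "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "task_name": data.get("TaskName", ""),
        "triggers": triggers,
        "actions": actions,
    }


def flag_task(info: dict) -> list[str]:
    """Apply the example heuristics to parsed actions and return the reasons that matched."""
    reasons = []
    for cmd, args in info["actions"]:
        line = f"{cmd} {args}".lower()
        if any(d in line for d in SUSPICIOUS_DIRS):
            reasons.append("runs content from a user-writable directory")
        if "-w hidden" in line or "-windowstyle hidden" in line or "-enc" in line:
            reasons.append("hidden or encoded PowerShell invocation")
    return reasons
```

The same parser applies to 4702 (task updated), which also carries TaskContent, so changes to an existing task's action can be diffed against the previous definition.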

Useful resources:

References

[1] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc773449%28v=ws.10%29
[2] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc773487%28v=ws.10%29
[3] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735566%28v=ws.10%29
[4] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc734301%28v=ws.10%29
[5] https://www.myeventlog.com/search/show/980
[6] https://yara.readthedocs.io/en/stable/writingmodules.html