Column A: Application
Description: Observables associated with the use of applications available to defenders before adversary use and difficult for the adversary to modify.
The Application event robustness category groups observables that are collected closest to applications and that the user can potentially modify. For example, Windows lets developers register their own event tracing (ETW) providers for tools and applications, and the events those providers emit can be used to build detection analytics. Other frameworks can be deployed by a user to meet needs within their own environment. While users might need to download and configure application sensors, the data those sensors produce is available to the defender before an adversary conducts an attack.
Observables
Category | Observables
---|---
Scheduled Jobs | Event ID 4698 (Task creation); Event ID 4699 (Task deletion); Event ID 4700 (Task enabled); Event ID 4701 (Task disabled); Event ID 4702 (Task updated)
MSI Installer |
Windows Backup | Event ID 524 (The System Catalog has been deleted) [4]
PowerShell | Event ID 4104 (Creating Scriptblock text) [5]
File | YARA rules [6]
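Collecting these observables from a single host, as an added example (this is not code from the original page or from the Summiting the Pyramid project): the PowerShell below verifies or enables the setting each source depends on, pulls the last day of events from each log, and reassembles 4104 script blocks that were split across several events. The Security/PowerShell/Backup log names, the "Other Object Access Events" audit subcategory and the ScriptBlockLogging policy key are the standard Windows ones; the one-day lookback, the `Get-EventField` helper and the output shaping are this example's own choices.

```powershell
# Added example, not code from the original page. Assumes an elevated PowerShell 5.1+
# session on a Windows host and the default log names for each provider.

$since = (Get-Date).AddDays(-1)   # illustrative lookback window

# Small helper (this example's own): read one named field out of an event's EventData XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Scheduled Jobs: 4698-4702 are Security-log events and are only written when the
#    "Other Object Access Events" audit subcategory is enabled. Confirm it before hunting,
#    otherwise an empty result means "not audited", not "no tasks were created".
auditpol /get /subcategory:"Other Object Access Events"

$taskEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4698, 4699, 4700, 4701, 4702
    StartTime = $since
} -ErrorAction SilentlyContinue

# 4698/4702 carry the full task definition in TaskContent, so the scheduled command can be
# read straight from the event instead of opening Task Scheduler on the host.
$tasks = foreach ($e in $taskEvents) {
    $content = Get-EventField $e 'TaskContent'
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        User     = Get-EventField $e 'SubjectUserName'
        TaskName = Get-EventField $e 'TaskName'
        Command  = if ($content) { ([xml]$content).Task.Actions.Exec.Command }
    }
}

# 2. PowerShell: 4104 only exists once Script Block Logging is turned on via policy.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

$sbEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

# A long script block is logged as several 4104 events sharing one ScriptBlockId; join them
# in MessageNumber order so an analytic matches against the whole script, not a fragment.
$scripts = $sbEvents |
    Group-Object { Get-EventField $_ 'ScriptBlockId' } |
    ForEach-Object {
        $parts = @($_.Group | Sort-Object { [int](Get-EventField $_ 'MessageNumber') })
        [pscustomobject]@{
            ScriptBlockId = $_.Name
            Path          = Get-EventField $parts[0] 'Path'
            Text          = ($parts | ForEach-Object { Get-EventField $_ 'ScriptBlockText' }) -join ''
        }
    }

# 3. Windows Backup: 524 (System Catalog deleted) is written by the Backup provider to its own log.
$backup = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Backup'
    Id        = 524
    StartTime = $since
} -ErrorAction SilentlyContinue

$tasks   | Format-Table Time, Id, User, TaskName, Command -AutoSize
$scripts | Select-Object ScriptBlockId, Path,
    @{ n = 'Preview'; e = { $_.Text.Substring(0, [Math]::Min(80, $_.Text.Length)) } } |
    Format-Table -AutoSize
$backup  | Select-Object TimeCreated, Id, Message
```

The `auditpol` check and the policy key write are the "configure before the attack" step the paragraph above refers to: none of these events exists on a default host until the defender turns the source on, which is also why they sit in this column rather than a lower one.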
Useful resources:
Roberto Rodriguez's API-To-Event
Jonny Johnson’s TelemetrySource
UltimateWindowsSecurity Event ID Glossary
References