forked from degenerat3/Sawmill
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDataGuidelines.txt
48 lines (33 loc) · 963 Bytes
/
DataGuidelines.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
Types/format of data ingested into Sawmill:
Credential: Chainsaw
VictimIP
CredType
Username
Password
Example: Chainsaw CREDENTIAL 8.8.8.8 system root ChangeMe123
Hosts/Hosts6: Chainsaw
VictimIP
HostIPAd
Hostname
Example: Chainsaw HOSTS 8.8.8.8 1.2.3.4 server.com
Route: Chainsaw
VictimIP
RouteInfo
Example: Chainsaw ROUTE 8.8.8.8 1.2.3.4 via 127.0.0.1 dev lo
Firewall/iptables: Chainsaw
VictimIP
FwRules
Example: Chainsaw FIREWALL 8.8.8.8 iptables -t -j DROP
Keystrokes: Chainsaw(probably?)
VictimIP
Keystrokes
Example: Chainsaw KEYSTROKE 8.8.8.8 whatever data\nwe\npassword\nenter\n
BoxAccess: pwnboard, deathnote, reclaimer
VictimIP
AccessMessage
Example: Reclaimer BOXACCESS 8.8.8.8 box accessed using GG exploit
// Any generic logging that can be searched later. C2's and redteam servers can use this for the
Generic Logs: ??
Message
EVERYTHING STARTS WITH:
<APPLICATION> <TYPE>