From 4911d9aec31a58eaad6c7e9ceee815cfa48fad75 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Thu, 2 Jun 2016 12:28:02 -0700 Subject: [PATCH 1/3] Fixed a typo --- windows/keep-secure/event-4818.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/event-4818.md b/windows/keep-secure/event-4818.md index fa2b05b2e4..b8c3c13ecd 100644 --- a/windows/keep-secure/event-4818.md +++ b/windows/keep-secure/event-4818.md @@ -131,7 +131,7 @@ This event generates when Dynamic Access Control Proposed [Central Access Policy **Current Central Access Policy results:** - **Access Reasons** \[Type = UnicodeString\]: the list of access check results for Current Access Policy. The format of the result is:

-REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS. +REQUESTED\_ACCESS: RESULT ACE\_WHICH\_PROVIDED\_OR\_DENIED\_ACCESS. The possible REQUESTED\_ACCESS values are listed in the table below. @@ -167,7 +167,7 @@ The possible REQUESTED\_ACCESS values are listed in the table below. - Unknown or unchecked -- ACE\_WHICH\_PROVEDED\_OR\_DENIED\_ACCESS: +- ACE\_WHICH\_PROVIDED\_OR\_DENIED\_ACCESS: - Ownership – if access was granted because of ownership of an object. From f62a54ce179f36184ff8a9fe554c6980b0e6a57d Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Thu, 2 Jun 2016 13:30:46 -0700 Subject: [PATCH 2/3] Fr Andrei- added Schema info to File Access table --- windows/keep-secure/event-5145.md | 34 +++++++++++++++---------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/keep-secure/event-5145.md b/windows/keep-secure/event-5145.md index 2eb14cec90..5db87f7070 100644 --- a/windows/keep-secure/event-5145.md +++ b/windows/keep-secure/event-5145.md @@ -139,23 +139,23 @@ This event generates every time network share object (file or folder) was access ## Table of file access codes -| Access | Hexadecimal Value | Description | -|-----------------------------------------------------------|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| ReadData (or ListDirectory) | 0x1 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | -| WriteData (or AddFile) | 0x2 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | -| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | -| ReadEA | 0x8 | The right to read extended file attributes. | -| WriteEA | 0x10 | The right to write extended file attributes. | -| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | -| DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | -| ReadAttributes | 0x80 | The right to read file attributes. | -| WriteAttributes | 0x100 | The right to write file attributes. | -| DELETE | 0x10000 | The right to delete the object. | -| READ\_CONTROL | 0x20000 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | -| WRITE\_DAC | 0x40000 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | -| WRITE\_OWNER | 0x80000 | The right to change the owner in the object's security descriptor | -| SYNCHRONIZE | 0x100000 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | -| ACCESS\_SYS\_SEC | 0x1000000 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | +| Access | Hex Value,
Schema Value | Description | +|-----------------------------------------------------------|-------------------------------|---------------| +| ReadData (or ListDirectory) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA | 0x8,
%%4419 | The right to read extended file attributes. | +| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | +| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | +| DELETE | 0x10000,
%%1537 | The right to delete the object. | +| READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | > Table 13. File access codes. From 185dd7fc07b82a921b8be2a9eead28258031bd5a Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Thu, 2 Jun 2016 14:03:05 -0700 Subject: [PATCH 3/3] Andrei's chgs: Schema info in table --- windows/keep-secure/event-4656.md | 34 +++++++++++++++---------------- windows/keep-secure/event-4663.md | 34 +++++++++++++++---------------- windows/keep-secure/event-5145.md | 2 +- 3 files changed, 35 insertions(+), 35 deletions(-) diff --git a/windows/keep-secure/event-4656.md b/windows/keep-secure/event-4656.md index 2ce4deae9e..fbe4f6276e 100644 --- a/windows/keep-secure/event-4656.md +++ b/windows/keep-secure/event-4656.md @@ -165,23 +165,23 @@ This event shows that access was requested, and the results of the request, but - **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary. -| Access | Hexadecimal Value | Description | -|---------------------------------------------------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| ReadData (or ListDirectory)

(For registry objects, this is “Query key value.”) | 0x1 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | -| WriteData (or AddFile)

(For registry objects, this is “Set key value.”) | 0x2 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | -| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | -| ReadEA
(For registry objects, this is “Enumerate sub-keys.”) | 0x8 | The right to read extended file attributes. | -| WriteEA | 0x10 | The right to write extended file attributes. | -| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | -| DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | -| ReadAttributes | 0x80 | The right to read file attributes. | -| WriteAttributes | 0x100 | The right to write file attributes. | -| DELETE | 0x10000 | The right to delete the object. | -| READ\_CONTROL | 0x20000 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | -| WRITE\_DAC | 0x40000 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | -| WRITE\_OWNER | 0x80000 | The right to change the owner in the object's security descriptor | -| SYNCHRONIZE | 0x100000
| The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | -| ACCESS\_SYS\_SEC | 0x1000000 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | +| Access | Hexadecimal Value,
Schema Value | Description | +|---------------------------------------------------------------------------------------|-------------------------------------|----------------| +| ReadData (or ListDirectory)

(For registry objects, this is “Query key value.”) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile)

(For registry objects, this is “Set key value.”) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA
(For registry objects, this is “Enumerate sub-keys.”) | 0x8,
%%4419 | The right to read extended file attributes. | +| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | +| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | +| DELETE | 0x10000,
%%1537 | The right to delete the object. | +| READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | > Table 14. File System objects access rights. diff --git a/windows/keep-secure/event-4663.md b/windows/keep-secure/event-4663.md index b61d2cb59a..18fa7b3352 100644 --- a/windows/keep-secure/event-4663.md +++ b/windows/keep-secure/event-4663.md @@ -153,23 +153,23 @@ The main difference with “[4656](event-4656.md): A handle to an object was req - **Accesses** \[Type = UnicodeString\]: the list of access rights which were used by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary. -| Access | Hexadecimal Value | Description | -|----------------------------------------------------------------------------------------------------|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| ReadData (or ListDirectory)

(For registry objects, this is “Query key value.”) | 0x1 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | -| WriteData (or AddFile)

(For registry objects, this is “Set key value.”) | 0x2 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | -| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | -| ReadEA
(For registry objects, this is “Enumerate sub-keys.”) | 0x8 | The right to read extended file attributes. | -| WriteEA | 0x10 | The right to write extended file attributes. | -| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | -| DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | -| ReadAttributes | 0x80 | The right to read file attributes. | -| WriteAttributes | 0x100 | The right to write file attributes. | -| DELETE | 0x10000 | The right to delete the object. | -| READ\_CONTROL | 0x20000 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | -| WRITE\_DAC | 0x40000 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | -| WRITE\_OWNER | 0x80000 | The right to change the owner in the object's security descriptor | -| SYNCHRONIZE | 0x100000
| The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | -| ACCESS\_SYS\_SEC | 0x1000000 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | +| Access | Hex Value,
Schema Value | Description | +|----------------------------------------------------------------------------------------|-----------------------------|---------------------| +| ReadData (or ListDirectory)

(For registry objects, this is “Query key value.”) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | +| WriteData (or AddFile)

(For registry objects, this is “Set key value.”) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| ReadEA
(For registry objects, this is “Enumerate sub-keys.”) | 0x8,
%%4419 | The right to read extended file attributes. | +| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | +| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | +| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | +| DELETE | 0x10000,
%%1537 | The right to delete the object. | +| READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | +| WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | +| WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | > Table 15. File System objects access rights. diff --git a/windows/keep-secure/event-5145.md b/windows/keep-secure/event-5145.md index 5db87f7070..defe7dd401 100644 --- a/windows/keep-secure/event-5145.md +++ b/windows/keep-secure/event-5145.md @@ -140,7 +140,7 @@ This event generates every time network share object (file or folder) was access ## Table of file access codes | Access | Hex Value,
Schema Value | Description | -|-----------------------------------------------------------|-------------------------------|---------------| +|-----------------------------------------------------------|----------------------------|---------------| | ReadData (or ListDirectory) | 0x1,
%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | | WriteData (or AddFile) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | | AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. |