Merge pull request #3 from EricZimmerman/master

update repo

evtx/Maps/!!!!README.md

@@ -208,3 +208,7 @@ Edit 1_Security_4624.map and make your changes
 When the maps are loaded, since 1_Security_4624.map comes before 4624.map, only the one with your changes will be loaded.
 
 This also allows you to update default maps without having your customizations blown away every time there is an update.
+
+TIPS:
+
+If you are looking to make an Application.evtx map, please includence a Provider as they are many instances where the same event ID number is used for multiple providers. I've personally observed 4 Providers use Event ID 1 which without a Provider being listed for that map it made all 4 events, regardless of Provider, be mapped incorrectly. When in doubt, add a Provider to your map. Follow a template from a previously created map to ensure it's made correctly.add

evtx/Maps/Application_10002.map

@@ -0,0 +1,66 @@
+Author: Hyun Yi @hyuunnn
+Description: Terminated due to non-response
+EventId: 10002
+Channel: "Application"
+Provider: "Microsoft-Windows-RestartManager"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "FullPath: %FullPath%"
+    Values:
+      -
+        Name: FullPath
+        Value: "/Event/UserData/RmApplicationEvent/FullPath"
+  -
+    Property: PayloadData2
+    PropertyValue: "DisplayName: %DisplayName%"
+    Values:
+      -
+        Name: DisplayName
+        Value: "/Event/UserData/RmApplicationEvent/DisplayName"
+  -
+    Property: PayloadData3
+    PropertyValue: "Files: %Files%"
+    Values:
+      -
+        Name: Files
+        Value: "/Event/UserData/RmApplicationEvent/Files/File[text()]"
+
+# Valid properties include:
+
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="Microsoft-Windows-RestartManager" Guid="{GUID}" /> 
+#     <EventID>10002</EventID> 
+#     <Version>0</Version> 
+#     <Level>4</Level> 
+#     <Task>0</Task> 
+#     <Opcode>0</Opcode> 
+#     <Keywords>0x8000000000000000</Keywords> 
+#     <TimeCreated SystemTime="2020-12-06T08:21:49.5722615Z" /> 
+#     <EventRecordID>21064</EventRecordID> 
+#     <Correlation /> 
+#     <Execution ProcessID="8860" ThreadID="17736" /> 
+#     <Channel>Application</Channel> 
+#     <Computer>ComputerName</Computer> 
+#     <Security UserID="{UserID}" /> 
+#   </System>
+#   <UserData>
+#     <RmApplicationEvent xmlns="http://www.microsoft.com/2005/08/Windows/Reliability/RestartManager/">
+#         <RmSessionId>0</RmSessionId> 
+#         <FullPath>RealPlayerUpdateSvc.exe</FullPath> 
+#         <DisplayName>RealPlayer Update Service</DisplayName> 
+#         <AppVersion>0</AppVersion> 
+#         <AppType>3</AppType> 
+#         <TSSessionId>0</TSSessionId> 
+#         <Status>262146</Status> 
+#         <Pid>4220</Pid> 
+#         <nFiles>3</nFiles> 
+#         <Files>
+#             <File>C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe</File> 
+#             <File>C:\Program Files (x86)\Real\UpdateService\RealDownloaderUpdatePlugin.dll</File> 
+#             <File>C:\Program Files (x86)\Real\UpdateService\VideoDLUpdatePlugin.dll</File> 
+#         </Files>
+#     </RmApplicationEvent>
+#   </UserData>
+# </Event>

evtx/Maps/Application_1002.map

@@ -0,0 +1,47 @@
+Author: Hyun Yi @hyuunnn
+Description: The program has been terminated.
+EventId: 1002
+Channel: "Application"
+Provider: "Application Hang"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "Data: %Data%"
+    Values:
+      -
+        Name: Data
+        Value: "/Event/EventData/Data[text()]"
+
+# Valid properties include:
+
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="Application Hang" /> 
+#     <EventID Qualifiers="0">1002</EventID> 
+#     <Version>0</Version> 
+#     <Level>2</Level> 
+#     <Task>101</Task> 
+#     <Opcode>0</Opcode> 
+#     <Keywords>0x80000000000000</Keywords> 
+#     <TimeCreated SystemTime="2020-10-24T20:28:45.1914826Z" /> 
+#     <EventRecordID>6529</EventRecordID> 
+#     <Correlation /> 
+#     <Execution ProcessID="0" ThreadID="0" /> 
+#     <Channel>Application</Channel> 
+#     <Computer>ComputerName</Computer> 
+#     <Security /> 
+#   </System>
+#   <EventData>
+#     <Data>FTK Imager.exe</Data> 
+#     <Data>4.5.0.3</Data> 
+#     <Data>19e4</Data> 
+#     <Data>01d6a8f4a7784904</Data> 
+#     <Data>80</Data> 
+#     <Data>C:\Program Files\AccessData\FTK Imager\FTK Imager.exe</Data> 
+#     <Data>Value</Data> 
+#     <Data /> 
+#     <Data /> 
+#     <Data>Unknown</Data> 
+#     <Binary>{Binary}</Binary> 
+#   </EventData>
+# </Event>

evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map

@@ -0,0 +1,58 @@
+Author: Hyun Yi @hyuunnn
+Description: USB Connection
+EventId: 2100
+Channel: "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "InstanceId: %InstanceId%"
+    Values:
+      -
+        Name: InstanceId
+        Value: "/Event/UserData/UMDFHostDeviceRequest/InstanceId"
+  -
+    Property: PayloadData2
+    PropertyValue: "LifetimeId: %LifetimeId%"
+    Values:
+      -
+        Name: LifetimeId
+        Value: "/Event/UserData/UMDFHostDeviceRequest/LifetimeId"
+
+# Valid properties include:
+
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{GUID}" /> 
+#     <EventID>2100</EventID> 
+#     <Version>1</Version> 
+#     <Level>4</Level> 
+#     <Task>37</Task> 
+#     <Opcode>1</Opcode> 
+#     <Keywords>0x8000000000000000</Keywords> 
+#     <TimeCreated SystemTime="2020-12-06T08:47:21.6579567Z" /> 
+#     <EventRecordID>27</EventRecordID> 
+#     <Correlation /> 
+#     <Execution ProcessID="2184" ThreadID="8936" /> 
+#     <Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel> 
+#     <Computer>ComputerName</Computer> 
+#     <Security UserID="S-1-5-19" /> 
+#   </System>
+#   <UserData>
+#     <UMDFHostDeviceRequest xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
+#         <LifetimeId>{Value}</LifetimeId> 
+#         <InstanceId>SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.27#{Value}&0#{Value}</InstanceId> 
+#         <RequestMajorCode>27</RequestMajorCode> 
+#         <RequestMinorCode>0</RequestMinorCode> 
+#         <Argument1>0x0</Argument1> 
+#         <Argument2>0x0</Argument2> 
+#         <Argument3>0x0</Argument3> 
+#         <Argument4>0x0</Argument4> 
+#         <Status>3221225659</Status> 
+#     </UMDFHostDeviceRequest>
+#   </UserData>
+# </Event>
+# 
+# Windows Vista, 7 : enable (default)
+# Windows 8~ : disable (default)
+# https://nxlog.co/documentation/nxlog-user-guide/windows-usb-auditing.html
+# https://www.reddit.com/r/sysadmin/comments/4dr2t2/security_guy_wants_to_log_usb_storage_devices_on/

evtx/Maps/System_6008.map

@@ -0,0 +1,43 @@
+Author: Hyun Yi @hyuunnn
+Description: Unexpected system shutdown
+EventId: 6008
+Channel: "System"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "Time, Date : %Data%"
+    Values:
+      -
+        Name: Data
+        Value: "/Event/EventData/Data"
+
+# Valid properties include:
+
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="EventLog" /> 
+#     <EventID Qualifiers="32768">6008</EventID> 
+#     <Version>0</Version> 
+#     <Level>2</Level> 
+#     <Task>0</Task> 
+#     <Opcode>0</Opcode> 
+#     <Keywords>0x80000000000000</Keywords> 
+#     <TimeCreated SystemTime="2020-11-14T00:54:37.9394794Z" /> 
+#     <EventRecordID>6329</EventRecordID> 
+#     <Correlation /> 
+#     <Execution ProcessID="0" ThreadID="0" /> 
+#     <Channel>System</Channel> 
+#     <Computer>Computer</Computer> 
+#     <Security /> 
+#   </System>
+#   <EventData>
+#     <Data>PM 3:32:54</Data> 
+#     <Data>‎2020-‎11-‎13</Data> 
+#     <Data /> 
+#     <Data /> 
+#     <Data>520643</Data> 
+#     <Data /> 
+#     <Data /> 
+#     <Binary>{Binary}</Binary> 
+#   </EventData>
+# </Event>