Merge pull request #58 from forensenellanebbia/master

New maps for Citrix events
EricZimmerman · Dec 24, 2020 · b85d5b8 · b85d5b8
2 parents 8b9cc80 + 43564f6
commit b85d5b8
Show file tree

Hide file tree

Showing 6 changed files with 192 additions and 6 deletions.
diff --git a/evtx/Maps/Application_Citrix-Desktop-Service_1027.map b/evtx/Maps/Application_Citrix-Desktop-Service_1027.map
@@ -0,0 +1,45 @@
+Author: Gabriele Zambelli @gazambelli
+Description: Citrix user session started
+EventId: 1027
+Channel: Application
+Provider: "Citrix Desktop Service"
+Maps: 
+  - 
+    Property: Username
+    PropertyValue: "Target: %user%"
+    Values: 
+      - 
+        Name: user
+        Value: "/Event/EventData/Data"
+        Refine: "^.*(?=, )"
+  - 
+    Property: PayloadData1
+    PropertyValue: "SessionID: %SessionID%"
+    Values: 
+      - 
+        Name: SessionID
+        Value: "/Event/EventData/Data"
+        Refine: "[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}"
+
+# Documentation:
+# https://discussions.citrix.com/topic/342198-xendesktop-7-interactive-session-slows-logon/page/9/
+#
+# Example Event Data:
+# <Event>
+  # <System>
+    # <Provider Name="Citrix Desktop Service" />
+    # <EventID Qualifiers="16384">1027</EventID>
+    # <Level>4</Level>
+    # <Task>0</Task>
+    # <Keywords>0x80000000000000</Keywords>
+    # <TimeCreated SystemTime="2020-10-07 08:19:49.0000000" />
+    # <EventRecordID>359095</EventRecordID>
+    # <Channel>Application</Channel>
+    # <Computer>hostname</Computer>
+    # <Security />
+  # </System>
+  # <EventData>
+    # <Data>remoteuser, 1234abcd-12ab-12ab-12ab-123456abcdef</Data>
+    # <Binary></Binary>
+  # </EventData>
+# </Event>
diff --git a/evtx/Maps/Application_Citrix-Desktop-Service_1049.map b/evtx/Maps/Application_Citrix-Desktop-Service_1049.map
@@ -0,0 +1,37 @@
+Author: Gabriele Zambelli @gazambelli
+Description: Citrix user session disconnected
+EventId: 1049
+Channel: Application
+Provider: "Citrix Desktop Service"
+Maps: 
+  - 
+    Property: PayloadData1
+    PropertyValue: "SessionID: %SessionID%"
+    Values: 
+      - 
+        Name: SessionID
+        Value: "/Event/EventData/Data"
+
+# Documentation:
+# https://computergarage.org/citrix-desktop-service-eventid-1049-the-session-was-disconnected.html
+#
+# Example Event Data:
+# <Event>
+  # <System>
+    # <Provider Name="Citrix Desktop Service" />
+    # <EventID Qualifiers="16384">1049</EventID>
+    # <Level>4</Level>
+    # <Task>0</Task>
+    # <Keywords>0x80000000000000</Keywords>
+    # <TimeCreated SystemTime="2020-10-26 17:22:45.0000000" />
+    # <EventRecordID>3590389</EventRecordID>
+    # <Channel>Application</Channel>
+    # <Computer>hostname</Computer>
+    # <Security />
+  # </System>
+  # <EventData>
+    # <Data>1234abcd-12ab-12ab-12ab-123456abcdef</Data>
+    # <Binary></Binary>
+  # </EventData>
+# </Event>
+
diff --git a/evtx/Maps/Application_MetaFrameEvents_1106.map b/evtx/Maps/Application_MetaFrameEvents_1106.map
@@ -0,0 +1,46 @@
+Author: Gabriele Zambelli @gazambelli
+Description: Citrix client printer auto-creation failed
+EventId: 1106
+Channel: Application
+Provider: MetaFrameEvents
+Maps:
+  - 
+    Property: RemoteHost
+    PropertyValue: "%ClientName%"
+    Values: 
+      - 
+        Name: ClientName
+        Value: "/Event/EventData/Data"
+        Refine: "^[a-z0-9-]*"        
+  - 
+    Property: PayloadData1
+    PropertyValue: "Printer: %Printer%"
+    Values: 
+      - 
+        Name: Printer
+        Value: "/Event/EventData/Data"
+        Refine: "(?<=, ).*"
+
+# Documentation:
+# https://support.citrix.com/article/CTX137114
+#
+# Example Event Data:
+# <Event>
+  # <System>
+    # <Provider Name="MetaFrameEvents" />
+    # <EventID Qualifiers="49152">1106</EventID>
+    # <Level>3</Level>
+    # <Task>2</Task>
+    # <Keywords>0x80000000000000</Keywords>
+    # <TimeCreated SystemTime="2020-10-24 14:50:50.0000000" />
+    # <EventRecordID>3587921</EventRecordID>
+    # <Channel>Application</Channel>
+    # <Computer>hostname</Computer>
+    # <Security />
+  # </System>
+  # <EventData>
+    # <Data>NOTEBOOK, Brother PC-FAX v.3.2 #2 (from NOTEBOOK) in session 2, Brother PC-FAX v.3.2</Data>
+    # <Binary></Binary>
+  # </EventData>
+# </Event>
+
diff --git a/evtx/Maps/Application_WSH_0.map b/evtx/Maps/Application_WSH_0.map
@@ -0,0 +1,36 @@
+Author: Gabriele Zambelli @gazambelli
+Description: Windows Script Host (WSH)
+EventId: 0
+Channel: Application
+Provider: WSH
+Maps:
+  - 
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values: 
+      - 
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+
+# Documentation:
+# http://www.eventid.net/display-eventid-0-source-WSH-eventno-3533-phase-1.htm
+#
+# Example Event Data:
+# <Event>
+  # <System>
+    # <Provider Name="WSH" />
+    # <EventID Qualifiers="0">0</EventID>
+    # <Level>0</Level>
+    # <Task>0</Task>
+    # <Keywords>0x80000000000000</Keywords>
+    # <TimeCreated SystemTime="2020-10-03 15:26:28.0000000" />
+    # <EventRecordID>359861</EventRecordID>
+    # <Channel>Application</Channel>
+    # <Computer>hostname</Computer>
+    # <Security />
+  # </System>
+  # <EventData>
+    # <Data></Data>
+    # <Binary></Binary>
+  # </EventData>
+# </Event>
diff --git a/...vices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1029.map b/...vices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1029.map
@@ -23,10 +23,32 @@ Maps:
 # Documentation:
 # Windows Event ID 1029 Hashes: https://nullsec.us/windows-event-id-1029-hashes/
 # CyberChef recipes to calculate the same encoded value from a known username
-#   Windows 7 : Base64(SHA1(UserName))
-#    - https://gchq.github.io/CyberChef/#recipe=Decode_text('UTF-8%20(65001)')Encode_text('UTF-16LE%20(1200)')SHA1()From_Hex('Space')To_Base64('A-Za-z0-9%2B/%3D')
-#   Windows 10: Base64(SHA256(UserName))
-#    - https://gchq.github.io/CyberChef/#recipe=Decode_text('UTF-8%20(65001)')Encode_text('UTF-16LE%20(1200)')SHA2('256')From_Hex('Space')To_Base64('A-Za-z0-9%2B/%3D')
+#   OS     : Windows 7 / Windows Server 2008 R2
+#   Hash   : Base64(SHA1(UserName))
+#   Recipe : https://gchq.github.io/CyberChef/#recipe=Decode_text('UTF-8%20(65001)')Encode_text('UTF-16LE%20(1200)')SHA1()From_Hex('Space')To_Base64('A-Za-z0-9%2B/%3D')
+#            Example: 
+#              Input  = administrator
+#              Output = /6UN2Oco6V2sEKuooAIuzrrOUrk=
+#   
+#   OS    : Windows 10
+#   Hash  : Base64(SHA256(UserName))
+#   Recipe: https://gchq.github.io/CyberChef/#recipe=Decode_text('UTF-8%20(65001)')Encode_text('UTF-16LE%20(1200)')SHA2('256')From_Hex('Space')To_Base64('A-Za-z0-9%2B/%3D')
+#           Example:
+#              Input  = administrator
+#              Output = WAlZ81aqzLQmoWEfQivmPQwJxIm/XQcDjplQdjznr5E=
+#
+#  If you need to decode a large number of encoded values, try my recipe for CyberChef. These are the steps to follow:
+#  1) Copy and paste the following recipe into CyberChef:
+#  Compact JSON:
+#   [{"op":"Unique","args":["Line feed"]},{"op":"Fork","args":["\\n","\\n",false]},{"op":"Find / Replace","args":[{"option":"Regex","string":"-\\\\-"},"",true,false,true,false]},{"op":"Find / Replace","args":[{"option":"Regex","string":"(User Name|Payload Data.|Target: |Target \\(encoded\\).*| \\(S\\-.*\\)|NETWORK SERVICE)"},"",true,false,true,false]},{"op":"Find / Replace","args":[{"option":"Regex","string":"(^.*\\\\|S-[0-9\\-]*)"},"",true,false,true,false]},{"op":"Register","args":["([\\s\\S]*)",true,false,false]},{"op":"Decode text","args":["UTF-8 (65001)"]},{"op":"Encode text","args":["UTF-16LE (1200)"]},{"op":"SHA1","args":[],"disabled":true},{"op":"SHA2","args":["256"]},{"op":"From Hex","args":["Space"]},{"op":"To Base64","args":["A-Za-z0-9+/="]},{"op":"Register","args":["([\\s\\S]*)",true,false,false]},{"op":"Find / Replace","args":[{"option":"Simple string","string":"$R1"},"$R1,$R0",true,false,true,false]},{"op":"Merge","args":[]},{"op":"Unique","args":["Line feed"]},{"op":"Sort","args":["Line feed",false,"Alphabetical (case insensitive)"]},{"op":"To Table","args":[",","\\r\\n",false,"HTML"]}]
+#  2) From CyberChef, disable or remove the hash operation (SHA1 or SHA2) that you don't need
+#  3) From Timeline Explorer:
+#      - Column "User Name"    : copy all the non-blank values
+#      - Column "Payload Data1": copy all the values containing "Target:"
+#  4) Paste what you just copied into the input area of CyberChef (no need to clean or dedupe the input before pasting)
+#  5) Bake!
+#
+# Articles:
 # https://cyber-tls.blogspot.com/2019/08/rdp.html
 # https://social.technet.microsoft.com/wiki/contents/articles/37847.rdp-direct-connection-with-nla-remote-desktop-client-event-logs.aspx
 # https://nullsec.us/windows-rdp-related-event-logs-the-client-side-of-the-story/

diff --git a/evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_51.map b/evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_51.map
@@ -14,12 +14,12 @@ Maps:
         Refine: "(?<=File: ).*(?= by: )"
   - 
     Property: PayloadData1
-    PropertyValue: "%PayloadData1%"
+    PropertyValue: "Risk: %PayloadData1%"
     Values: 
       - 
         Name: PayloadData1
         Value: "/Event/EventData/Data"
-        Refine: "^.*(?= in File:)"
+        Refine: "(?<=Security Risk Found! ).*(?= in File:)"
   - 
     Property: PayloadData2
     PropertyValue: "%PayloadData2%"