Merge pull request #51 from rathbuna/master

Standardization of Map Naming Convention, Update README

evtx/Maps/!!!!README.md

@@ -88,21 +88,23 @@ It is that simple! Be sure to surround things in double quotes and/or escape quo
 
 NOTE! The filenames for maps should be in the following format:
 
-Channel_EventID.map
+Channel-Name_Provider-Name_EventID.map
 
-Where Channel is EXACTLY what is in the XML <Channel> element with any '/' characters replaced with an underscore.
+Where Channel is EXACTLY what is in the XML <Channel> element with any '/' characters, hyphens, or spaces replaced with a hyphen. Hyphens are the catch all for each element of the map filename. 
 
-For example, for Event ID '201' and Channel 'Microsoft-Windows-TaskScheduler/Operational' the file should be named:
+Only underscores should separate each element (Channel Name, Provider Name, EventID). Hyphens separates words. Underscores separate elements. 
 
-`Microsoft-Windows-TaskScheduler_Operational_201.map`
+For example, for Event ID '201' and Channel 'Microsoft-Windows-TaskScheduler/Operational' the file should be named:
 
-As of v06 or so, you can also add optional properties `Provider` and `Lookups`
+`Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map`
 
-Provider is used at the header level and looks like this:
+`Provider` is now mandatory. Provider is used at the header level and looks like this:
 
 `Provider: "Microsoft-Windows-Power-Troubleshooter"`
 
-This lets you further narrow down when a map will be used. See System_1.map for an example.
+This lets you further narrow down when a map will be used. Every map will have a working example of this now.
+
+As of v06 or so, you can also add optional properties such as `Lookups`.
 
 Lookups allow you to define lookup tables that match one value and replace them with another. Here is an example, also from System_1.map:
 
@@ -211,4 +213,4 @@ This also allows you to update default maps without having your customizations b
 
 TIPS:
 
-If you are looking to make an Application.evtx map, please includence a Provider as they are many instances where the same event ID number is used for multiple providers. I've personally observed 4 Providers use Event ID 1 which without a Provider being listed for that map it made all 4 events, regardless of Provider, be mapped incorrectly. When in doubt, add a Provider to your map. Follow a template from a previously created map to ensure it's made correctly.add
+If you are looking to make an Application.evtx map, please include a Provider as they are many instances where the same event ID number is used for multiple providers. I've personally observed 4 Providers use Event ID 1 which without a Provider being listed for that map it made all 4 events, regardless of Provider, be mapped incorrectly. When in doubt, add a Provider to your map. Follow a template from a previously created map to ensure it's made correctly.add

evtx/Maps/Application_MsiInstaller_10002.map

@@ -0,0 +1,66 @@
+Author: Hyun Yi @hyuunnn
+Description: Terminated due to non-response
+EventId: 10002
+Channel: "Application"
+Provider: "Microsoft-Windows-RestartManager"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "FullPath: %FullPath%"
+    Values:
+      -
+        Name: FullPath
+        Value: "/Event/UserData/RmApplicationEvent/FullPath"
+  -
+    Property: PayloadData2
+    PropertyValue: "DisplayName: %DisplayName%"
+    Values:
+      -
+        Name: DisplayName
+        Value: "/Event/UserData/RmApplicationEvent/DisplayName"
+  -
+    Property: PayloadData3
+    PropertyValue: "Files: %Files%"
+    Values:
+      -
+        Name: Files
+        Value: "/Event/UserData/RmApplicationEvent/Files/File[text()]"
+
+# Valid properties include:
+
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="Microsoft-Windows-RestartManager" Guid="{GUID}" /> 
+#     <EventID>10002</EventID> 
+#     <Version>0</Version> 
+#     <Level>4</Level> 
+#     <Task>0</Task> 
+#     <Opcode>0</Opcode> 
+#     <Keywords>0x8000000000000000</Keywords> 
+#     <TimeCreated SystemTime="2020-12-06T08:21:49.5722615Z" /> 
+#     <EventRecordID>21064</EventRecordID> 
+#     <Correlation /> 
+#     <Execution ProcessID="8860" ThreadID="17736" /> 
+#     <Channel>Application</Channel> 
+#     <Computer>ComputerName</Computer> 
+#     <Security UserID="{UserID}" /> 
+#   </System>
+#   <UserData>
+#     <RmApplicationEvent xmlns="http://www.microsoft.com/2005/08/Windows/Reliability/RestartManager/">
+#         <RmSessionId>0</RmSessionId> 
+#         <FullPath>RealPlayerUpdateSvc.exe</FullPath> 
+#         <DisplayName>RealPlayer Update Service</DisplayName> 
+#         <AppVersion>0</AppVersion> 
+#         <AppType>3</AppType> 
+#         <TSSessionId>0</TSSessionId> 
+#         <Status>262146</Status> 
+#         <Pid>4220</Pid> 
+#         <nFiles>3</nFiles> 
+#         <Files>
+#             <File>C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe</File> 
+#             <File>C:\Program Files (x86)\Real\UpdateService\RealDownloaderUpdatePlugin.dll</File> 
+#             <File>C:\Program Files (x86)\Real\UpdateService\VideoDLUpdatePlugin.dll</File> 
+#         </Files>
+#     </RmApplicationEvent>
+#   </UserData>
+# </Event>

evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2048.map → evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2048.map

@@ -1,37 +1,37 @@
-Author: Mike Brewer 
-Description: Cisco AnyConnect VPN encrypted connection type
-EventId: 2048
-Channel: "Cisco AnyConnect Secure Mobility Client"
-Provider: acvpnagent
-Maps: 
-  - 
-    Property: PayloadData1
-    PropertyValue: "%PayloadData1%"
-    Values: 
-      - 
-        Name: PayloadData1
-        Value: "/Event/EventData/Data"
-        Refine: "(?<=, )[^,\\d]+(?=,)"
-
-# Valid properties include:
-# 
-# PayloadData1
-
-# <Event>
-  # <System>
-    # <Provider Name="acvpnagent" />
-    # <EventID Qualifiers="25600">2048</EventID>
-    # <Level>4</Level>
-    # <Task>0</Task>
-    # <Keywords>0x80000000000000</Keywords>
-    # <TimeCreated SystemTime="2020-04-14 15:35:05.9153410" />
-    # <EventRecordID>32685</EventRecordID>
-    # <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
-    # <Computer>My-Laptop123.domain.local</Computer>
-    # <Security />
-  # </System>
-    # <EventData>
-      #<Data>A SSL connection has been established using cipher AES256-SHA256</Data>
-        # <Binary></Binary>
-        # </EventData>
-    # </Event>
+Author: Mike Brewer 
+Description: Cisco AnyConnect VPN encrypted connection type
+EventId: 2048
+Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
+Maps: 
+  - 
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values: 
+      - 
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+        Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Valid properties include:
+# 
+# PayloadData1
+
+# <Event>
+  # <System>
+    # <Provider Name="acvpnagent" />
+    # <EventID Qualifiers="25600">2048</EventID>
+    # <Level>4</Level>
+    # <Task>0</Task>
+    # <Keywords>0x80000000000000</Keywords>
+    # <TimeCreated SystemTime="2020-04-14 15:35:05.9153410" />
+    # <EventRecordID>32685</EventRecordID>
+    # <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
+    # <Computer>My-Laptop123.domain.local</Computer>
+    # <Security />
+  # </System>
+    # <EventData>
+      #<Data>A SSL connection has been established using cipher AES256-SHA256</Data>
+        # <Binary></Binary>
+        # </EventData>
+    # </Event>

evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2086.map → evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2086.map

@@ -1,37 +1,37 @@
-Author: Mike Brewer 
-Description: Cisco AnyConnect VPN reading host's IP 
-EventId: 2085
-Channel: "Cisco AnyConnect Secure Mobility Client"
-Provider: acvpnagent
-Maps: 
-  - 
-    Property: PayloadData1
-    PropertyValue: "%PayloadData1%"
-    Values: 
-      - 
-        Name: PayloadData1
-        Value: "/Event/EventData/Data"
-        Refine: "(?<=, )[^,\\d]+(?=,)"
-
-# Valid properties include:
-# 
-# PayloadData1
-
-# <Event>
-  # <System>
-    # <Provider Name="acvpnagent" />
-    # <EventID Qualifiers="25600">2085</EventID>
-    # <Level>4</Level>
-    # <Task>0</Task>
-    # <Keywords>0x80000000000000</Keywords>
-    # <TimeCreated SystemTime="2020-04-14 15:35:05.9153410" />
-    # <EventRecordID>32628</EventRecordID>
-    # <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
-    # <Computer>My-Laptop123.domain.local</Computer>
-    # <Security />
-  # </System>
-    # <EventData>
-      #<Data>The client's public address is now set to 192.168.1.235</Data>
-        # <Binary></Binary>
-        # </EventData>
-    # </Event>
+Author: Mike Brewer 
+Description: Cisco AnyConnect VPN reading host's IP 
+EventId: 2085
+Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
+Maps: 
+  - 
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values: 
+      - 
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+        Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Valid properties include:
+# 
+# PayloadData1
+
+# <Event>
+  # <System>
+    # <Provider Name="acvpnagent" />
+    # <EventID Qualifiers="25600">2085</EventID>
+    # <Level>4</Level>
+    # <Task>0</Task>
+    # <Keywords>0x80000000000000</Keywords>
+    # <TimeCreated SystemTime="2020-04-14 15:35:05.9153410" />
+    # <EventRecordID>32628</EventRecordID>
+    # <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
+    # <Computer>My-Laptop123.domain.local</Computer>
+    # <Security />
+  # </System>
+    # <EventData>
+      #<Data>The client's public address is now set to 192.168.1.235</Data>
+        # <Binary></Binary>
+        # </EventData>
+    # </Event>

evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-5005.map → evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpndownloader_5005.map

@@ -1,37 +1,37 @@
-Author: Mike Brewer 
-Description: Cisco AnyConnect VPN connecting to target gateway X
-EventId: 5005
-Channel: "Cisco AnyConnect Secure Mobility Client"
-Provider: acvpndownloader
-Maps: 
-  - 
-    Property: PayloadData1
-    PropertyValue: "%PayloadData1%"
-    Values: 
-      - 
-        Name: PayloadData1
-        Value: "/Event/EventData/Data"
-        Refine: "(?<=, )[^,\\d]+(?=,)"
-
-# Valid properties include:
-# 
-# PayloadData1
-
-# <Event>
-  # <System>
-    # <Provider Name="acvpndownloader" />
-    # <EventID Qualifiers="25600">5005</EventID>
-    # <Level>4</Level>
-    # <Task>0</Task>
-    # <Keywords>0x80000000000000</Keywords>
-    # <TimeCreated SystemTime="2020-04-14 15:35:05.9153410" />
-    # <EventRecordID>32628</EventRecordID>
-    # <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
-    # <Computer>My-Laptop123.domain.local</Computer>
-    # <Security />
-  # </System>
-    # <EventData>
-      #<Data>Connecting to mdgegtwy1.acme.com.</Data>
-        # <Binary></Binary>
-        # </EventData>
+Author: Mike Brewer 
+Description: Cisco AnyConnect VPN connecting to target gateway X
+EventId: 5005
+Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpndownloader
+Maps: 
+  - 
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values: 
+      - 
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+        Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Valid properties include:
+# 
+# PayloadData1
+
+# <Event>
+  # <System>
+    # <Provider Name="acvpndownloader" />
+    # <EventID Qualifiers="25600">5005</EventID>
+    # <Level>4</Level>
+    # <Task>0</Task>
+    # <Keywords>0x80000000000000</Keywords>
+    # <TimeCreated SystemTime="2020-04-14 15:35:05.9153410" />
+    # <EventRecordID>32628</EventRecordID>
+    # <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
+    # <Computer>My-Laptop123.domain.local</Computer>
+    # <Security />
+  # </System>
+    # <EventData>
+      #<Data>Connecting to mdgegtwy1.acme.com.</Data>
+        # <Binary></Binary>
+        # </EventData>
     # </Event>

evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_28115.map

@@ -0,0 +1,46 @@
+Author: Hyun Yi @hyuunnn
+Description: Shortcut creation log after program installation
+EventId: 28115
+Channel: "Microsoft-Windows-Shell-Core/Operational"
+Provider: "Microsoft-Windows-Shell-Core"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "Name: %Name%"
+    Values:
+      -
+        Name: Name
+        Value: "/Event/EventData/Data[@Name=\"Name\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "AppID: %AppID%"
+    Values:
+      -
+        Name: AppID
+        Value: "/Event/EventData/Data[@Name=\"AppID\"]"
+
+# Valid properties include:
+
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="Microsoft-Windows-Shell-Core" Guid="{GUID}" /> 
+#     <EventID>28115</EventID> 
+#     <Version>0</Version> 
+#     <Level>4</Level> 
+#     <Task>28141</Task> 
+#     <Opcode>0</Opcode> 
+#     <Keywords>0x2000000000010000</Keywords> 
+#     <TimeCreated SystemTime="2020-11-29T17:03:44.1365879Z" /> 
+#     <EventRecordID>10313</EventRecordID> 
+#     <Correlation /> 
+#     <Execution ProcessID="8472" ThreadID="7628" /> 
+#     <Channel>Microsoft-Windows-Shell-Core/Operational</Channel> 
+#     <Computer>ComputerName</Computer> 
+#     <Security UserID="{UserID}" /> 
+#   </System>
+#   <EventData>
+#     <Data Name="Name">Neo4j Desktop</Data> 
+#     <Data Name="AppID">com.neo4j.neo4j-desktop</Data> 
+#     <Data Name="Flags">17</Data> 
+#   </EventData>
+# </Event>

evtx/Maps/Security_4799.map → evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4799.map

@@ -1,5 +1,5 @@
 Author: Andrew Rathbun
-Description:  A security-enabled local group membership was enumerated 
+Description: A security-enabled local group membership was enumerated 
 EventId: 4799
 Channel: Security
 Provider: Microsoft-Windows-Security-Auditing

evtx/Maps/System_10000.map → evtx/Maps/System_Microsoft-Windows-DriverFrameworks-UserMode_10000.map

@@ -3,7 +3,6 @@ Description: Device driver was installed. (Device was connected.)
 EventId: 10000
 Channel: "System"
 Provider: "Microsoft-Windows-DriverFrameworks-UserMode"
-Provider: Microsoft-Windows-DriverFrameworks-UserMode
 Maps:
   -
     Property: PayloadData1