Merge pull request #9 from mpilking/master

bunch of new maps
EricZimmerman · Jun 9, 2019 · f2d6766 · f2d6766
2 parents 10964af + 3a6777a
commit f2d6766
Show file tree

Hide file tree

Showing 16 changed files with 1,008 additions and 0 deletions.
diff --git a/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_500.map b/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_500.map
@@ -0,0 +1,44 @@
+Author: Mike Pilkington
+Description: Application Experience Program Telemetry
+EventId: 500
+Channel: "Microsoft-Windows-Application-Experience/Program-Telemetry"
+Maps:
+  - 
+    Property: ExecutableInfo
+    PropertyValue: "%ExePath%"
+    Values: 
+      - 
+        Name: ExePath
+        Value: "/Event/UserData/CompatibilityFixEvent/ExePath" 
+  - 
+    Property: PayloadData1
+    PropertyValue: "ProcessId: %ProcessId%"
+    Values: 
+      - 
+        Name: ProcessId
+        Value: "/Event/UserData/CompatibilityFixEvent/ProcessId"
+  - 
+    Property: PayloadData2
+    PropertyValue: "StartTime: %StartTime%"
+    Values: 
+      - 
+        Name: StartTime
+        Value: "/Event/UserData/CompatibilityFixEvent/StartTime"
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+#  <UserData>
+#    <CompatibilityFixEvent>
+#      <ProcessId>3724</ProcessId>
+#      <StartTime>2019-03-19 20:48:33.4095392</StartTime>
+#      <FixID>8a23a24a-9a8d-44b6-a6d4-556c53a289b5</FixID>
+#      <Flags>0x10205</Flags>
+#      <ExePath>C:\Windows\System32\osk.exe</ExePath>
+#      <FixName>CorrectFilePaths</FixName>
+#    </CompatibilityFixEvent>
+#  </UserData>
diff --git a/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_505.map b/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_505.map
@@ -0,0 +1,44 @@
+Author: Mike Pilkington
+Description: Application Experience Program Telemetry
+EventId: 505
+Channel: "Microsoft-Windows-Application-Experience/Program-Telemetry"
+Maps:
+  - 
+    Property: ExecutableInfo
+    PropertyValue: "%ExePath%"
+    Values: 
+      - 
+        Name: ExePath
+        Value: "/Event/UserData/CompatibilityFixEvent/ExePath" 
+  - 
+    Property: PayloadData1
+    PropertyValue: "ProcessId: %ProcessId%"
+    Values: 
+      - 
+        Name: ProcessId
+        Value: "/Event/UserData/CompatibilityFixEvent/ProcessId"
+  - 
+    Property: PayloadData2
+    PropertyValue: "StartTime: %StartTime%"
+    Values: 
+      - 
+        Name: StartTime
+        Value: "/Event/UserData/CompatibilityFixEvent/StartTime"
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+#  <UserData>
+#    <CompatibilityFixEvent>
+#      <ProcessId>3724</ProcessId>
+#      <StartTime>2019-03-19 20:48:33.4095392</StartTime>
+#      <FixID>8a23a24a-9a8d-44b6-a6d4-556c53a289b5</FixID>
+#      <Flags>0x10205</Flags>
+#      <ExePath>C:\Windows\System32\osk.exe</ExePath>
+#      <FixName>CorrectFilePaths</FixName>
+#    </CompatibilityFixEvent>
+#  </UserData>
diff --git a/evtx/Maps/Microsoft-Windows-WinRM_169.map b/evtx/Maps/Microsoft-Windows-WinRM_169.map
@@ -0,0 +1,31 @@
+Author: Mike Pilkington
+Description: WinRM Authentication
+EventId: 169
+Channel: "Microsoft-Windows-WinRM/Operational"
+Maps:
+  - 
+    Property: Username
+    PropertyValue: "%username%"
+    Values: 
+      - 
+        Name: username
+        Value: "/Event/EventData/Data[@Name=\"username\"]" 
+  - 
+    Property: PayloadData1
+    PropertyValue: "AuthenticationMechanism: %authenticationMechanism%"
+    Values: 
+      - 
+        Name: authenticationMechanism
+        Value: "/Event/EventData/Data[@Name=\"authenticationMechanism\"]"
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+#  <EventData>
+#    <Data Name="username">iewin7\ieuser</Data>
+#    <Data Name="authenticationMechanism">NTLM</Data>
+#  </EventData>
diff --git a/evtx/Maps/Security_4661.map b/evtx/Maps/Security_4661.map
@@ -0,0 +1,69 @@
+Author: Mike Pilkington
+Description: Handle requested to an object 
+EventId: 4661
+Channel: Security
+Maps: 
+  - 
+    Property: Username
+    PropertyValue: "%domain%\\%user%"
+    Values: 
+      - 
+        Name: domain
+        Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+      - 
+        Name: user
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+  - 
+    Property: PayloadData1
+    PropertyValue: "ObjectServer: %ObjectServer%"
+    Values: 
+      - 
+        Name: ObjectServer
+        Value: "/Event/EventData/Data[@Name=\"ObjectServer\"]"
+  - 
+    Property: PayloadData2
+    PropertyValue: "ObjectType: %ObjectType%"
+    Values: 
+      - 
+        Name: ObjectType
+        Value: "/Event/EventData/Data[@Name=\"ObjectType\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "ObjectName: %ObjectName%"
+    Values: 
+      - 
+        Name: ObjectName
+        Value: "/Event/EventData/Data[@Name=\"ObjectName\"]"
+  - 
+    Property: ExecutableInfo
+    PropertyValue: "%ProcessName%"
+    Values: 
+      - 
+        Name: ProcessName
+        Value: "/Event/EventData/Data[@Name=\"ProcessName\"]"
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+#  <EventData>
+#    <Data Name="SubjectUserSid">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+#    <Data Name="SubjectUserName">administrator</Data>
+#    <Data Name="SubjectDomainName">EXAMPLE</Data>
+#    <Data Name="SubjectLogonId">0x4FD77</Data>
+#    <Data Name="ObjectServer">Security Account Manager</Data>
+#    <Data Name="ObjectType">SAM_DOMAIN</Data>
+#    <Data Name="ObjectName">DC=example,DC=corp</Data>
+#    <Data Name="HandleId">0x14C7B8AB0</Data>
+#    <Data Name="TransactionId">00000000-0000-0000-0000-000000000000</Data>
+#    <Data Name="AccessList">%%1537, %%1538, %%1539, %%1540, %%5392, %%5393, %%5394, %%5395, %%5396, %%5397, %%5398, %%5399, %%5400, </Data>
+#    <Data Name="AccessMask">0x2D</Data>
+#    <Data Name="PrivilegeList">ǿ, -</Data>
+#    <Data Name="Properties">---, {19195a5a-6da0-11d0-afd3-00c04fd930c9}, %%1537, %%1538, %%1539, %%1540, %%5392, %%5393, %%5394, %%5395, %%5396, %%5397, %%5398, %%5399, %%5400, {c7407360-20bf-11d0-a768-00aa006e0529}, {bf9679a4-0de6-11d0-a285-00aa003049e2}, {bf9679a5-0de6-11d0-a285-00aa003049e2}, {bf9679a6-0de6-11d0-a285-00aa003049e2}, {bf9679bb-0de6-11d0-a285-00aa003049e2}, {bf9679c2-0de6-11d0-a285-00aa003049e2}, {bf9679c3-0de6-11d0-a285-00aa003049e2}, {bf967a09-0de6-11d0-a285-00aa003049e2}, {bf967a0b-0de6-11d0-a285-00aa003049e2}, {b8119fd0-04f6-4762-ab7a-4986c76b3f9a}, {bf967a34-0de6-11d0-a285-00aa003049e2}, {bf967a33-0de6-11d0-a285-00aa003049e2}, {bf9679c5-0de6-11d0-a285-00aa003049e2}, {bf967a61-0de6-11d0-a285-00aa003049e2}, {bf967977-0de6-11d0-a285-00aa003049e2}, {bf96795e-0de6-11d0-a285-00aa003049e2}, {bf9679ea-0de6-11d0-a285-00aa003049e2}, {ab721a52-1e2f-11d0-9819-00aa0040529b}, </Data>
+#    <Data Name="RestrictedSidCount">0</Data>
+#    <Data Name="ProcessId">0x1C4</Data>
+#    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
+#  </EventData>
+#</Event>
diff --git a/evtx/Maps/Security_4662.map b/evtx/Maps/Security_4662.map
@@ -0,0 +1,60 @@
+Author: Mike Pilkington
+Description: Operation performed on an object 
+EventId: 4662
+Channel: Security
+Maps: 
+  - 
+    Property: Username
+    PropertyValue: "%domain%\\%user%"
+    Values: 
+      - 
+        Name: domain
+        Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+      - 
+        Name: user
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+  - 
+    Property: PayloadData1
+    PropertyValue: "ObjectServer: %ObjectServer%"
+    Values: 
+      - 
+        Name: ObjectServer
+        Value: "/Event/EventData/Data[@Name=\"ObjectServer\"]"
+  - 
+    Property: PayloadData2
+    PropertyValue: "ObjectType: %ObjectType%"
+    Values: 
+      - 
+        Name: ObjectType
+        Value: "/Event/EventData/Data[@Name=\"ObjectType\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "ObjectName: %ObjectName%"
+    Values: 
+      - 
+        Name: ObjectName
+        Value: "/Event/EventData/Data[@Name=\"ObjectName\"]"
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+#  <EventData>
+#    <Data Name="SubjectUserSid">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+#    <Data Name="SubjectUserName">bob</Data>
+#    <Data Name="SubjectDomainName">insecurebank</Data>
+#    <Data Name="SubjectLogonId">0x40F2719</Data>
+#    <Data Name="ObjectServer">DS</Data>
+#    <Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
+#    <Data Name="ObjectName">%{c6faf700-bfe4-452a-a766-424f84c29583}</Data>
+#    <Data Name="OperationType">Object Access</Data>
+#    <Data Name="HandleId">0x0</Data>
+#    <Data Name="AccessList">%%1539, </Data>
+#    <Data Name="AccessMask">0x40000</Data>
+#    <Data Name="Properties">%%1539, {19195a5b-6da0-11d0-afd3-00c04fd930c9}, </Data>
+#    <Data Name="AdditionalInfo">-</Data>
+#    <Data Name="AdditionalInfo2"></Data>
+#  </EventData>
diff --git a/evtx/Maps/Security_4663.map b/evtx/Maps/Security_4663.map
@@ -0,0 +1,65 @@
+Author: Mike Pilkington
+Description: Attempt was made to access an object 
+EventId: 4663
+Channel: Security
+Maps: 
+  - 
+    Property: Username
+    PropertyValue: "%domain%\\%user%"
+    Values: 
+      - 
+        Name: domain
+        Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+      - 
+        Name: user
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+  - 
+    Property: PayloadData1
+    PropertyValue: "ObjectServer: %ObjectServer%"
+    Values: 
+      - 
+        Name: ObjectServer
+        Value: "/Event/EventData/Data[@Name=\"ObjectServer\"]"
+  - 
+    Property: PayloadData2
+    PropertyValue: "ObjectType: %ObjectType%"
+    Values: 
+      - 
+        Name: ObjectType
+        Value: "/Event/EventData/Data[@Name=\"ObjectType\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "ObjectName: %ObjectName%"
+    Values: 
+      - 
+        Name: ObjectName
+        Value: "/Event/EventData/Data[@Name=\"ObjectName\"]"
+  - 
+    Property: ExecutableInfo
+    PropertyValue: "%ProcessName%"
+    Values: 
+      - 
+        Name: ProcessName
+        Value: "/Event/EventData/Data[@Name=\"ProcessName\"]"
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+#  <EventData>
+#    <Data Name="SubjectUserSid">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+#    <Data Name="SubjectUserName">IEUser</Data>
+#    <Data Name="SubjectDomainName">IEWIN7</Data>
+#    <Data Name="SubjectLogonId">0xFFA8</Data>
+#    <Data Name="ObjectServer">Security</Data>
+#    <Data Name="ObjectType">File</Data>
+#    <Data Name="ObjectName">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
+#    <Data Name="HandleId">0x50</Data>
+#    <Data Name="AccessList">%%4416, </Data>
+#    <Data Name="AccessMask">0x1</Data>
+#    <Data Name="ProcessId">0x134C</Data>
+#    <Data Name="ProcessName">C:\Users\Defau1t\wsus.exe</Data>
+#  </EventData>
diff --git a/evtx/Maps/Security_4698.map b/evtx/Maps/Security_4698.map
@@ -0,0 +1,45 @@
+Author: Mike Pilkington
+Description: Scheduled task created
+EventId: 4698
+Channel: Security
+Maps: 
+  - 
+    Property: Username
+    PropertyValue: "%domain%\\%user%"
+    Values: 
+      - 
+        Name: domain
+        Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+      - 
+        Name: user
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+  - 
+    Property: PayloadData1
+    PropertyValue: "TaskName: %TaskName%"
+    Values: 
+      - 
+        Name: TaskName
+        Value: "/Event/EventData/Data[@Name=\"TaskName\"]"
+  - 
+    Property: PayloadData2
+    PropertyValue: "TaskContent: %TaskContent%"
+    Values: 
+      - 
+        Name: TaskContent
+        Value: "/Event/EventData/Data[@Name=\"TaskContent\"]"
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+#  <EventData>
+#    <Data Name="SubjectUserSid">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+#    <Data Name="SubjectUserName">Administrator</Data>
+#    <Data Name="SubjectDomainName">EXAMPLE</Data>
+#    <Data Name="SubjectLogonId">0x17E2D2</Data>
+#    <Data Name="TaskName">\CYAlyNSS</Data>
+#    <Data Name="TaskContent">&amp;lt;?xml version="1.0" encoding="UTF-16"?&amp;gt;, &amp;lt;Task version="1.2"&amp;gt;,     &amp;lt;Exec&amp;gt;,       &amp;lt;Command&amp;gt;cmd.exe&amp;lt;/Command&amp;gt;,       &amp;lt;Arguments&amp;gt;/C tasklist &amp;amp;gt; %windir%\Temp\CYAlyNSS.tmp 2&amp;amp;gt;&amp;amp;amp;1&amp;lt;/Arguments&amp;gt;,     &amp;lt;/Exec&amp;gt;,   &amp;lt;/Actions&amp;gt;, &amp;lt;/Task&amp;gt;</Data>
+#  </EventData>