From ff7449c4432cb0f3b7908b1b753fb132f8174232 Mon Sep 17 00:00:00 2001
From: eSecRPM
Date: Fri, 2 Jul 2021 08:40:13 -0400
Subject: [PATCH 01/16] Cisco-AnyConnect_acvpnagent_2039.map
New map to capture Cisco AnyConnect VPN connection established events.
---
 ...Secure-Mobility-Client_acvpnagent_2039.map | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map
new file mode 100644
index 00000000..09951727
--- /dev/null
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map
@@ -0,0 +1,36 @@
+Author: esecrpm
+Description: Cisco AnyConnect VPN Connection Established
+EventId: 2039
+Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data"
+ Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Valid properties include:
+#
+# PayloadData1
+
+#
+#
+#
+# 2039
+# 4
+# 0
+# 0x80000000000000
+#
+# 7188
+# Cisco AnyConnect Secure Mobility Client
+# foobar
+#
+#
+#
+# The VPN connection has been established and can now pass data.
+#
+#
From d66d7beffe82ae6c1e650428c343e2871caa2553 Mon Sep 17 00:00:00 2001
From: eSecRPM
Date: Fri, 2 Jul 2021 08:43:15 -0400
Subject: [PATCH 02/16] Cisco-AnyConnect_acvpnagent_2072.map
New map to capture Cisco AnyConnect VPN Active Interface Address.
---
 ...Secure-Mobility-Client_acvpnagent_2072.map | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2072.map
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2072.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2072.map
new file mode 100644
index 00000000..e094282c
--- /dev/null
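Review bot: The `Refine: "(?<=, )[^,\\d]+(?=,)"` applied to PayloadData1 cannot match the message this map documents in its own comment block — `The VPN connection has been established and can now pass data.` contains no comma, so the `(?<=, )` lookbehind never succeeds and the field comes out empty (or, if EvtxECmd keeps the raw value when a Refine does not match, unchanged; worth confirming against the tool). The same Refine is copied into the 2072, 2079, 2085 and 3021 maps in the following patches and into both entries of the Dhcp-Client 50067 map, and none of their sample values match either: in `Ethernet: 10.1.1.1, FE80::1234` and in the 2079 `Remote Peers` list the text after `, ` starts with a digit, and the 2085, 3021 and 50067 values contain no comma at all. Where the whole message is wanted, drop the `Refine:` line; where one field is wanted, write a pattern for that field, e.g. for 2085 `Refine: "(?<=set to ).+"`. Since these maps feed VPN-session and address timelines, each should be run against a real record before its extraction is trusted.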
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2072.map
@@ -0,0 +1,36 @@
+Author: esecrpm
+Description: Cisco AnyConnect VPN Active Interface Addresses
+EventId: 2072
+Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data"
+ Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Valid properties include:
+#
+# PayloadData1
+
+#
+#
+#
+# 2072
+# 4
+# 0
+# 0x80000000000000
+#
+# 7519
+# Cisco AnyConnect Secure Mobility Client
+# foobar
+#
+#
+#
+# IP addresses from active interfaces: Ethernet: 10.1.1.1, FE80::1234
+#
+#
From 668a2b1ac75fcd71e87475b1d93e31c2db1f4d3c Mon Sep 17 00:00:00 2001
From: eSecRPM
Date: Fri, 2 Jul 2021 08:56:18 -0400
Subject: [PATCH 03/16] Cisco-AnyConnect_acvpnagent_2079.map
New map to capture Cisco AnyConnect VPN Host Configuration, including VPN client public and private addresses.
---
 ...Secure-Mobility-Client_acvpnagent_2079.map | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2079.map
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2079.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2079.map
new file mode 100644
index 00000000..b7f911d3
--- /dev/null
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2079.map
@@ -0,0 +1,36 @@
+Author: esecrpm
+Description: Cisco AnyConnect VPN Host Configuration
+EventId: 2079
+Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data"
+ Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Valid properties include:
+#
+# PayloadData1
+
+#
+#
+#
+# 2079
+# 4
+# 0
+# 0x80000000000000
+#
+# 7373
+# Cisco AnyConnect Secure Mobility Client
+# foobar
+#
+#
+#
+# Host Configuration: Public address: N/A Potential public addresses: Private Address: 10.1.1.1/8 Private IPv6 Address: FE80::1234/126 (auto-generated) Remote Peers: 2.1.1.1 (TCP port 443, UDP port 443), 2.1.1.1 (TCP port 80) Private Networks: none Private IPv6 Networks: none Public Networks: none Public IPv6 Networks: none Tunnel Mode: no Tunnel all DNS: no
+#
+#
From 91cf6c0f44140f8b8d58a8d4184168c1a660a107 Mon Sep 17 00:00:00 2001
From: eSecRPM
Date: Fri, 2 Jul 2021 08:58:34 -0400
Subject: [PATCH 04/16] Cisco-AnyConnect_acvpnagent_2085.map
New map to capture Cisco AnyConnect VPN client public address.
---
 ...Secure-Mobility-Client_acvpnagent_2085.map | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2085.map
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2085.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2085.map
new file mode 100644
index 00000000..2ee62f66
--- /dev/null
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2085.map
@@ -0,0 +1,36 @@
+Author: esecrpm
+Description: Cisco AnyConnect VPN client's public address
+EventId: 2085
+Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data"
+ Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Valid properties include:
+#
+# PayloadData1
+
+#
+#
+#
+# 2085
+# 4
+# 0
+# 0x80000000000000
+#
+# 198651
+# Cisco AnyConnect Secure Mobility Client
+# foobar
+#
+#
+#
+# The client's public address is now set to 192.168.1.1
+#
+#
From 3452a4c5158c843a6b3d0a27be40e169daf58a1e Mon Sep 17 00:00:00 2001
From: eSecRPM
Date: Fri, 2 Jul 2021 09:01:44 -0400
Subject: [PATCH 05/16] Cisco-AnyConnect_acvpnui_3021.map
New map to capture Cisco AnyConnect VPN session established events.
---
 ...ct-Secure-Mobility-Client_acvpnui_3021.map | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map
new file mode 100644
index 00000000..f01301ca
--- /dev/null
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map
@@ -0,0 +1,36 @@
+Author: esecrpm
+Description: Cisco AnyConnect VPN message sent to user
+EventId: 3021
+Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnui
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data"
+ Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Valid properties include:
+#
+# PayloadData1
+
+#
+#
+#
+# 3021
+# 4
+# 0
+# 0x80000000000000
+#
+# 7050
+# Cisco AnyConnect Secure Mobility Client
+# foobar
+#
+#
+#
+# Message type information sent to the user: Establishing VPN session...
+#
+#
From abde7246891853feccbe45e75063fd956cac223f Mon Sep 17 00:00:00 2001
From: eSecRPM
Date: Fri, 2 Jul 2021 09:06:43 -0400
Subject: [PATCH 06/16] Dhcp-Client-Admin_50067.map
New map to capture WiFi beacon SSID values.
---
 ...in_Microsoft-Windows-Dhcp-Client_50067.map | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 evtx/Maps/Microsoft-Windows-Dhcp-Client-Admin_Microsoft-Windows-Dhcp-Client_50067.map
diff --git a/evtx/Maps/Microsoft-Windows-Dhcp-Client-Admin_Microsoft-Windows-Dhcp-Client_50067.map b/evtx/Maps/Microsoft-Windows-Dhcp-Client-Admin_Microsoft-Windows-Dhcp-Client_50067.map
new file mode 100644
index 00000000..4cf2060e
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Dhcp-Client-Admin_Microsoft-Windows-Dhcp-Client_50067.map
@@ -0,0 +1,51 @@
+Author: esecrpm
+Description: Windows DHCP Client WiFi SSID Received
+EventId: 50067
+Channel: "Microsoft-Windows-Dhcp-Client/Admin"
+Provider: Microsoft-Windows-Dhcp-Client
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "SSID: %PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data[@Name=\"NetworkHint\"]"
+ Refine: "(?<=, )[^,\\d]+(?=,)"
+ -
+ Property: PayloadData2
+ PropertyValue: "MAC Address: %PayloadData2%"
+ Values:
+ -
+ Name: PayloadData2
+ Value: "/Event/EventData/Data[@Name=\"HWAddress\"]"
+ Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Valid properties include:
+#
+# PayloadData1
+
+#
+#
+#
+# 50067
+# 0
+# 4
+# 3
+# 57
+# 0x4000000000000000
+#
+# 30
+#
+#
+# Microsoft-Windows-Dhcp-Client/Admin
+# foobar
+#
+#
+#
+# WiFi_SSID
+# 576946695F53534944
+# 6
+# 001122334455
+#
+#
From 3df02a6fa63de228943d793f24ce37cffd1a6767 Mon Sep 17 00:00:00 2001
From: eSecRPM
Date: Tue, 6 Jul 2021 07:03:41 -0400
Subject: [PATCH 07/16] Update PrintService_307.map
Include both Document Name (requires Group Policy Change) and Printer Port (records full path of print to PDF).
---
 ...tional_Microsoft-Windows-PrintService_307.map | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
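Review bot: The sample record in the comment block shows the SSID both as text (`WiFi_SSID`) and hex-encoded (`576946695F53534944`), a length (`6`) and a MAC (`001122334455`), but it does not say which Data element is `NetworkHint` and which is `HWAddress`, so a reader cannot tell whether `SSID: %PayloadData1%` will render the readable name or the hex string. Confirm the element names against a live event and record them in the documentation block, e.g. `# NetworkHint = SSID (<text or hex — confirm>), HWAddress = MAC address carried by the record`, with the placeholder filled in. The `Description: Windows DHCP Client WiFi SSID Received` and the commit text `WiFi beacon SSID values` describe the source differently; the map is keyed on `Microsoft-Windows-Dhcp-Client/Admin`, so the description is the accurate one.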
diff --git a/evtx/Maps/Microsoft-Windows-PrintService-Operational_Microsoft-Windows-PrintService_307.map b/evtx/Maps/Microsoft-Windows-PrintService-Operational_Microsoft-Windows-PrintService_307.map
index d384aa38..48353e07 100644
--- a/evtx/Maps/Microsoft-Windows-PrintService-Operational_Microsoft-Windows-PrintService_307.map
+++ b/evtx/Maps/Microsoft-Windows-PrintService-Operational_Microsoft-Windows-PrintService_307.map
@@ -13,25 +13,25 @@ Maps:
 Value: "/Event/UserData/DocumentPrinted/Param3"
 -
 Property: PayloadData2
- PropertyValue: "Print Host: %PrintHost%"
- Values:
- -
- Name: PrintHost
- Value: "/Event/UserData/DocumentPrinted/Param4"
- -
- Property: PayloadData3
 PropertyValue: "Printer Name: %PrinterName%"
 Values:
 -
 Name: PrinterName
 Value: "/Event/UserData/DocumentPrinted/Param5"
 -
- Property: PayloadData4
+ Property: PayloadData3
 PropertyValue: "Document Name: %DocumentName%"
 Values:
 -
 Name: DocumentName
 Value: "/Event/UserData/DocumentPrinted/Param2"
+ -
+ Property: PayloadData4
+ PropertyValue: "Printer Port: %PrinterPort%"
+ Values:
+ -
+ Name: PrinterPort
+ Value: "/Event/UserData/DocumentPrinted/Param4"
 -
 Property: PayloadData5
 PropertyValue: "Size in Bytes: %Bytes%"
From 39dc69d876128931824a1713fe132836e3c7cdac Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com>
Date: Tue, 6 Jul 2021 07:16:22 -0400
Subject: [PATCH 08/16] Update Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map
---
 ...Secure-Mobility-Client_acvpnagent_2039.map | 38 +++++++++----------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map
index 09951727..13a9f423 100644
--- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map
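Review bot: `/Event/UserData/DocumentPrinted/Param4` changes label from `Print Host` to `Printer Port` with no comment saying what the field carries, and the commit message only explains the print-to-PDF case (the full output path); for a network printer the same Param4 presumably still names the host or port, so the old label was incomplete rather than wrong, and the new one needs the same qualification. Add a line to the map's documentation block such as `# Param4 is the printer port; for Microsoft Print to PDF this is the full path of the file written`. The renumbering also moves Printer Name from PayloadData3 to PayloadData2 and Document Name from PayloadData4 to PayloadData3, which silently changes the column any saved filter or timeline template keyed on those fields will read, and is worth stating in the commit message. The Maps list continues past the hunk (PayloadData5 onward).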
@@ -1,36 +1,36 @@ + Author: esecrpm Description: Cisco AnyConnect VPN Connection Established EventId: 2039 Channel: "Cisco AnyConnect Secure Mobility Client" Provider: acvpnagent -Maps: - - +Maps: + - Property: PayloadData1 PropertyValue: "%PayloadData1%" - Values: - - + Values: + - Name: PayloadData1 Value: "/Event/EventData/Data" Refine: "(?<=, )[^,\\d]+(?=,)" -# Valid properties include: -# -# PayloadData1 - +# Documentation +# N/A +# # # -# -# 2039 -# 4 -# 0 -# 0x80000000000000 -# -# 7188 -# Cisco AnyConnect Secure Mobility Client -# foobar -# +# +# 2039 +# 4 +# 0 +# 0x80000000000000 +# +# 7188 +# Cisco AnyConnect Secure Mobility Client +# foobar +# # # -# The VPN connection has been established and can now pass data. +# The VPN connection has been established and can now pass data. # # From 9d4ccd72e6390617b7e71588cfe2fae7cb5a2187 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com> Date: Tue, 6 Jul 2021 07:16:58 -0400 Subject: [PATCH 09/16] Update Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2072.map --- ...Secure-Mobility-Client_acvpnagent_2072.map | 37 +++++++++---------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2072.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2072.map index e094282c..84e1adc3 100644 --- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2072.map +++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2072.map 
@@ -3,34 +3,33 @@ Description: Cisco AnyConnect VPN Active Interface Addresses EventId: 2072 Channel: "Cisco AnyConnect Secure Mobility Client" Provider: acvpnagent -Maps: - - +Maps: + - Property: PayloadData1 PropertyValue: "%PayloadData1%" - Values: - - + Values: + - Name: PayloadData1 Value: "/Event/EventData/Data" Refine: "(?<=, )[^,\\d]+(?=,)" -# Valid properties include: -# -# PayloadData1 - +# Documentation +# N/A +# # # -# -# 2072 -# 4 -# 0 -# 0x80000000000000 -# -# 7519 -# Cisco AnyConnect Secure Mobility Client -# foobar -# +# +# 2072 +# 4 +# 0 +# 0x80000000000000 +# +# 7519 +# Cisco AnyConnect Secure Mobility Client +# foobar +# # # -# IP addresses from active interfaces: Ethernet: 10.1.1.1, FE80::1234 +# IP addresses from active interfaces: Ethernet: 10.1.1.1, FE80::1234 # # From 6e5e067013f7f75fd95d5bca9f8a0ea89a537e5f Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com> Date: Tue, 6 Jul 2021 07:17:28 -0400 Subject: [PATCH 10/16] Update Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2079.map --- ...Secure-Mobility-Client_acvpnagent_2079.map | 37 +++++++++---------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2079.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2079.map index b7f911d3..6c805211 100644 --- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2079.map +++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2079.map 
@@ -3,34 +3,33 @@ Description: Cisco AnyConnect VPN Host Configuration EventId: 2079 Channel: "Cisco AnyConnect Secure Mobility Client" Provider: acvpnagent -Maps: - - +Maps: + - Property: PayloadData1 PropertyValue: "%PayloadData1%" - Values: - - + Values: + - Name: PayloadData1 Value: "/Event/EventData/Data" Refine: "(?<=, )[^,\\d]+(?=,)" -# Valid properties include: -# -# PayloadData1 - +# Documentation +# N/A +# # # -# -# 2079 -# 4 -# 0 -# 0x80000000000000 -# -# 7373 -# Cisco AnyConnect Secure Mobility Client -# foobar -# +# +# 2079 +# 4 +# 0 +# 0x80000000000000 +# +# 7373 +# Cisco AnyConnect Secure Mobility Client +# foobar +# # # -# Host Configuration: Public address: N/A Potential public addresses: Private Address: 10.1.1.1/8 Private IPv6 Address: FE80::1234/126 (auto-generated) Remote Peers: 2.1.1.1 (TCP port 443, UDP port 443), 2.1.1.1 (TCP port 80) Private Networks: none Private IPv6 Networks: none Public Networks: none Public IPv6 Networks: none Tunnel Mode: no Tunnel all DNS: no +# Host Configuration: Public address: N/A Potential public addresses: Private Address: 10.1.1.1/8 Private IPv6 Address: FE80::1234/126 (auto-generated) Remote Peers: 2.1.1.1 (TCP port 443, UDP port 443), 2.1.1.1 (TCP port 80) Private Networks: none Private IPv6 Networks: none Public Networks: none Public IPv6 Networks: none Tunnel Mode: no Tunnel all DNS: no # # From cbe9090ee40fd2f1f4c8e5aaa1a64517895fb5f4 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com> Date: Tue, 6 Jul 2021 07:17:55 -0400 Subject: [PATCH 11/16] Update Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2085.map --- ...Secure-Mobility-Client_acvpnagent_2085.map | 41 +++++++++---------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2085.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2085.map index 2ee62f66..f10150e8 100644 
--- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2085.map +++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2085.map @@ -1,36 +1,35 @@ -Author: esecrpm -Description: Cisco AnyConnect VPN client's public address +Author: esecrpm +Description: Cisco AnyConnect VPN client's public address EventId: 2085 Channel: "Cisco AnyConnect Secure Mobility Client" Provider: acvpnagent -Maps: - - +Maps: + - Property: PayloadData1 PropertyValue: "%PayloadData1%" - Values: - - + Values: + - Name: PayloadData1 Value: "/Event/EventData/Data" Refine: "(?<=, )[^,\\d]+(?=,)" -# Valid properties include: -# -# PayloadData1 - +# Documentation +# N/A +# # # -# -# 2085 -# 4 -# 0 -# 0x80000000000000 -# -# 198651 -# Cisco AnyConnect Secure Mobility Client -# foobar -# +# +# 2085 +# 4 +# 0 +# 0x80000000000000 +# +# 198651 +# Cisco AnyConnect Secure Mobility Client +# foobar +# # # -# The client's public address is now set to 192.168.1.1 +# The client's public address is now set to 192.168.1.1 # # From 96bdb8dbff3782dab2ae5c84ae36f43d25d8c23e Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com> Date: Tue, 6 Jul 2021 07:18:19 -0400 Subject: [PATCH 12/16] Update Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map --- ...isco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map index f01301ca..52a219e6 100644 --- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map +++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map @@ -13,10 +13,9 @@ Maps: Value: "/Event/EventData/Data" Refine: "(?<=, )[^,\\d]+(?=,)" -# Valid properties include: -# -# PayloadData1 - +# Documentation +# N/A +# # # # From e2f55dd647f12c0e3370e12d97bbd188459ea107 Mon Sep 17 00:00:00 2001 
From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com> Date: Tue, 6 Jul 2021 07:19:46 -0400 Subject: [PATCH 13/16] Update Microsoft-Windows-Dhcp-Client-Admin_Microsoft-Windows-Dhcp-Client_50067.map --- ...in_Microsoft-Windows-Dhcp-Client_50067.map | 59 +++++++++---------- 1 file changed, 29 insertions(+), 30 deletions(-) diff --git a/evtx/Maps/Microsoft-Windows-Dhcp-Client-Admin_Microsoft-Windows-Dhcp-Client_50067.map b/evtx/Maps/Microsoft-Windows-Dhcp-Client-Admin_Microsoft-Windows-Dhcp-Client_50067.map index 4cf2060e..029ce7a1 100644 --- a/evtx/Maps/Microsoft-Windows-Dhcp-Client-Admin_Microsoft-Windows-Dhcp-Client_50067.map +++ b/evtx/Maps/Microsoft-Windows-Dhcp-Client-Admin_Microsoft-Windows-Dhcp-Client_50067.map @@ -3,49 +3,48 @@ Description: Windows DHCP Client WiFi SSID Received EventId: 50067 Channel: "Microsoft-Windows-Dhcp-Client/Admin" Provider: Microsoft-Windows-Dhcp-Client -Maps: - - +Maps: + - Property: PayloadData1 PropertyValue: "SSID: %PayloadData1%" - Values: - - + Values: + - Name: PayloadData1 Value: "/Event/EventData/Data[@Name=\"NetworkHint\"]" Refine: "(?<=, )[^,\\d]+(?=,)" - - + - Property: PayloadData2 PropertyValue: "MAC Address: %PayloadData2%" - Values: - - + Values: + - Name: PayloadData2 Value: "/Event/EventData/Data[@Name=\"HWAddress\"]" - Refine: "(?<=, )[^,\\d]+(?=,)" - -# Valid properties include: -# -# PayloadData1 + Refine: "(?<=, )[^,\\d]+(?=,)" +# Documentation +# N/A +# # # -# -# 50067 -# 0 -# 4 -# 3 -# 57 -# 0x4000000000000000 -# -# 30 -# -# -# Microsoft-Windows-Dhcp-Client/Admin -# foobar -# +# +# 50067 +# 0 +# 4 +# 3 +# 57 +# 0x4000000000000000 +# +# 30 +# +# +# Microsoft-Windows-Dhcp-Client/Admin +# foobar +# # # -# WiFi_SSID -# 576946695F53534944 -# 6 -# 001122334455 +# WiFi_SSID +# 576946695F53534944 +# 6 +# 001122334455 # # From dbc5f86dc1e7c3e95d4ec803638e4f95804006ac Mon Sep 17 00:00:00 2001 
From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com>
Date: Tue, 6 Jul 2021 07:20:25 -0400
Subject: [PATCH 14/16] Update Microsoft-Windows-PrintService-Operational_Microsoft-Windows-PrintService_307.map
---
 ...intService-Operational_Microsoft-Windows-PrintService_307.map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/evtx/Maps/Microsoft-Windows-PrintService-Operational_Microsoft-Windows-PrintService_307.map b/evtx/Maps/Microsoft-Windows-PrintService-Operational_Microsoft-Windows-PrintService_307.map
index 48353e07..7fb9b655 100644
--- a/evtx/Maps/Microsoft-Windows-PrintService-Operational_Microsoft-Windows-PrintService_307.map
+++ b/evtx/Maps/Microsoft-Windows-PrintService-Operational_Microsoft-Windows-PrintService_307.map
@@ -49,7 +49,6 @@ Maps:
 # Documentation:
 # https://eventlogxp.com/blog/how-to-track-printer-usage-with-event-logs
-#
 # The document name is not recorded in the event record until enabled via Group Policy
 # https://social.technet.microsoft.com/Forums/ie/en-US/12e60098-1f46-4c6e-8b10-9c816dadb2b2/kb-fix-for-print-document-name-in-event-logs-on-server-2012-and-server-2012r2?forum=winserverprint
 #
From 9d98fac058a177f6d7e9ad925c6eaad660341982 Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com>
Date: Tue, 6 Jul 2021 07:21:39 -0400
Subject: [PATCH 15/16] Update Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map
---
 .../Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map
index 13a9f423..4be6fde4 100644
--- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2039.map
@@ -1,4 +1,3 @@
-
 Author: esecrpm
 Description: Cisco AnyConnect VPN Connection Established
 EventId: 2039
From 52977384bf02af93eaf8c6b2ef9a9b71150c495e Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com>
Date: Tue, 6 Jul 2021 07:22:05 -0400
Subject: [PATCH 16/16] Update Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map
---
 ...ct-Secure-Mobility-Client_acvpnui_3021.map | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map
index 52a219e6..b2948e37 100644
--- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnui_3021.map
@@ -3,12 +3,12 @@ Description: Cisco AnyConnect VPN message sent to user
 EventId: 3021
 Channel: "Cisco AnyConnect Secure Mobility Client"
 Provider: acvpnui
-Maps:
- -
+Maps:
+ -
 Property: PayloadData1
 PropertyValue: "%PayloadData1%"
- Values:
- -
+ Values:
+ -
 Name: PayloadData1
 Value: "/Event/EventData/Data"
 Refine: "(?<=, )[^,\\d]+(?=,)"
@@ -18,18 +18,18 @@ Maps:
 #
 #
 #
-#
-# 3021
-# 4
-# 0
-# 0x80000000000000
-#
-# 7050
-# Cisco AnyConnect Secure Mobility Client
-# foobar
-#
+#
+# 3021
+# 4
+# 0
+# 0x80000000000000
+#
+# 7050
+# Cisco AnyConnect Secure Mobility Client
+# foobar
+#
 #
 #
-# Message type information sent to the user: Establishing VPN session...
+# Message type information sent to the user: Establishing VPN session...
 #
 #