From d0029d1a3ff92bf5e68dca39b67833b0804492bc Mon Sep 17 00:00:00 2001
From: Brian <54725471+bmackalicious@users.noreply.github.com>
Date: Mon, 24 Feb 2020 17:43:29 -0500
Subject: [PATCH] Add files via upload
---
Windows_Powershell_400.map | 69 ++++++++++++++++++++++++++++++++++++++
Windows_Powershell_403.map | 69 ++++++++++++++++++++++++++++++++++++++
Windows_Powershell_600.map | 68 +++++++++++++++++++++++++++++++++++++
3 files changed, 206 insertions(+)
create mode 100644 Windows_Powershell_400.map
create mode 100644 Windows_Powershell_403.map
create mode 100644 Windows_Powershell_600.map
diff --git a/Windows_Powershell_400.map b/Windows_Powershell_400.map
new file mode 100644
index 00000000..7256a366
--- /dev/null
+++ b/Windows_Powershell_400.map
@@ -0,0 +1,69 @@
+Author: Brian MacKenna
+Description: Engine state is changed from None to Available.
+EventId: 400
+Channel: Windows PowerShell
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%HostApplication%"
+ Values:
+ -
+ Name: HostApplication
+ Value: "/Event/EventData/Data"
+ Refine: "HostApplication=(.+)"
+ -
+ Property: PayloadData2
+ PropertyValue: "%HostName%"
+ Values:
+ -
+ Name: HostName
+ Value: "/Event/EventData/Data"
+ Refine: "HostName=(.+)"
+ -
+ Property: PayloadData3
+ PropertyValue: "%HostVersion%"
+ Values:
+ -
+ Name: HostVersion
+ Value: "/Event/EventData/Data"
+ Refine: "HostVersion=(.+)"
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+# Example XML for this event:
+#
+#
+#
+# 400
+# 4
+# 6
+# 0x80000000000000
+#
+# 18
+# Windows PowerShell
+# name.domain.tld
+#
+#
+#
+# Available, None, NewEngineState=Available
+# PreviousEngineState=None
+#
+# SequenceNumber=13
+#
+# HostName=ConsoleHost
+# HostVersion=5.1.18362.145
+# HostId=3820a72c-10dc-4989-9388-3d4b6523c35f
+# HostApplication=powershell -nop -w hidden -encodedcommand JAB...(bad command stuff removed)...ADsA
+# EngineVersion=5.1.18362.145
+# RunspaceId=b21e91e8-9068-48ae-ac10-15430944932b
+# PipelineId=
+# CommandName=
+# CommandType=
+# ScriptName=
+# CommandPath=
+# CommandLine=
+#
+#
+#
\ No newline at end of file
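Review bot: The three Values blocks in this map surface only HostApplication, HostName and HostVersion, and leave the fields that actually characterise the event unmapped even though the template comment near the bottom allows PayloadData1 through PayloadData6: for this 400 map and the 403 map that is NewEngineState/PreviousEngineState, for the 600 map it is ProviderName/NewProviderState, and all three also drop RunspaceId and HostId, which the example data show populated and which are what an analyst uses to tie the 400/403 pair of one session together. Since the same comment says ExecutableInfo is the property used for process command lines, mapping HostApplication with `Property: ExecutableInfo` instead of PayloadData1 would put the launching command line where that convention expects it. Whether the tool resolves `/Event/EventData/Data` against the third Data element or against a concatenation of all of them is not visible here and should be confirmed before relying on the `(.+)` captures, since the state fields live in the first two Data elements of the example. The same additions apply to Windows_Powershell_403.map and Windows_Powershell_600.map, and all three files are also committed without a trailing newline.
```yaml
# … unchanged: HostApplication / HostName / HostVersion entries …
 -
  Property: PayloadData4
  PropertyValue: "%NewEngineState%"
  Values:
   -
    Name: NewEngineState
    Value: "/Event/EventData/Data"
    Refine: "NewEngineState=(.+)"
 -
  Property: PayloadData5
  PropertyValue: "%PreviousEngineState%"
  Values:
   -
    Name: PreviousEngineState
    Value: "/Event/EventData/Data"
    Refine: "PreviousEngineState=(.+)"
 -
  Property: PayloadData6
  PropertyValue: "%RunspaceId%"
  Values:
   -
    Name: RunspaceId
    Value: "/Event/EventData/Data"
    Refine: "RunspaceId=(.+)"
# … for the 600 map use ProviderName / NewProviderState in place of the engine-state entries …
```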
diff --git a/Windows_Powershell_403.map b/Windows_Powershell_403.map
new file mode 100644
index 00000000..c67d5647
--- /dev/null
+++ b/Windows_Powershell_403.map
@@ -0,0 +1,69 @@
+Author: Brian MacKenna
+Description: Engine state is changed from Available to Stopped.
+EventId: 403
+Channel: Windows PowerShell
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%HostApplication%"
+ Values:
+ -
+ Name: HostApplication
+ Value: "/Event/EventData/Data"
+ Refine: "HostApplication=(.+)"
+ -
+ Property: PayloadData2
+ PropertyValue: "%HostName%"
+ Values:
+ -
+ Name: HostName
+ Value: "/Event/EventData/Data"
+ Refine: "HostName=(.+)"
+ -
+ Property: PayloadData3
+ PropertyValue: "%HostVersion%"
+ Values:
+ -
+ Name: HostVersion
+ Value: "/Event/EventData/Data"
+ Refine: "HostVersion=(.+)"
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+# Example XML for this event:
+#
+#
+#
+# 403
+# 4
+# 4
+# 0x80000000000000
+#
+# 9
+# Windows PowerShell
+# hostname.domain.tld
+#
+#
+#
+# Stopped, Available, NewEngineState=Stopped
+# PreviousEngineState=Available
+#
+# SequenceNumber=15
+#
+# HostName=ConsoleHost
+# HostVersion=5.1.18362.145
+# HostId=b3dfcb89-d2f8-4b8b-a784-a6a9bcf61bd8
+# HostApplication=powershell -command Set-ItemProperty -Path HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover -Name 'ExcludeExplicitO365Endpoint' -Value 1 -Type DWORD -Force
+# EngineVersion=5.1.18362.145
+# RunspaceId=edc7b831-61a1-42d5-ba48-cc1759a51d98
+# PipelineId=
+# CommandName=
+# CommandType=
+# ScriptName=
+# CommandPath=
+# CommandLine=
+#
+#
+#
\ No newline at end of file
diff --git a/Windows_Powershell_600.map b/Windows_Powershell_600.map
new file mode 100644
index 00000000..0e9d3b9a
--- /dev/null
+++ b/Windows_Powershell_600.map
@@ -0,0 +1,68 @@
+Author: Brian MacKenna
+Description: Provider is Started.
+EventId: 600
+Channel: Windows PowerShell
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%HostApplication%"
+ Values:
+ -
+ Name: HostApplication
+ Value: "/Event/EventData/Data"
+ Refine: "HostApplication=(.+)"
+ -
+ Property: PayloadData2
+ PropertyValue: "%HostName%"
+ Values:
+ -
+ Name: HostName
+ Value: "/Event/EventData/Data"
+ Refine: "HostName=(.+)"
+ -
+ Property: PayloadData3
+ PropertyValue: "%HostVersion%"
+ Values:
+ -
+ Name: HostVersion
+ Value: "/Event/EventData/Data"
+ Refine: "HostVersion=(.+)"
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+# Example XML for this event:
+#
+#
+#
+# 600
+# 4
+# 6
+# 0x80000000000000
+#
+# 18
+# Windows PowerShell
+# name.domain.tld
+#
+#
+#
+# Registry, Started, ProviderName=Registry
+# NewProviderState=Started
+#
+# SequenceNumber=1
+#
+# HostName=ConsoleHost
+# HostVersion=5.1.18362.145
+# HostId=b3dfcb89-d2f8-4b8b-a784-a6a9bcf61bd8
+# HostApplication=powershell -command Set-ItemProperty -Path HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover -Name 'ExcludeExplicitO365Endpoint' -Value 1 -Type DWORD -Force
+# EngineVersion=
+# RunspaceId=
+# PipelineId=
+# CommandName=
+# CommandType=
+# ScriptName=
+# CommandPath=
+# CommandLine=
+#
+#
\ No newline at end of file