New maps #43

Merged
merged 1 commit into from
Dec 5, 2020
Merged
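--- a/evtx/Maps/Microsoft-Windows-SysMon_Operational_14.map
+++ b/evtx/Maps/Microsoft-Windows-SysMon_Operational_14.map
@@ -0,0 +1,79 @@
+Author: Andrew Rathbun
+Description: RegistryEvent (Key and Value Rename)
+EventId: 14
+Channel: Microsoft-Windows-Sysmon/Operational
+Maps:
+
+-
+Property: PayloadData1
+PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
+Values:
+-
+Name: ProcessGUID
+Value: "/Event/EventData/Data[@Name=\"ProcessGuid\"]"
+-
+Name: ProcessID
+Value: "/Event/EventData/Data[@Name=\"ProcessId\"]"
+-
+Property: PayloadData3
+PropertyValue: "Image: %Image%"
+Values:
+-
+Name: Image
+Value: "/Event/EventData/Data[@Name=\"Image\"]"
+-
+Property: PayloadData4
+PropertyValue: "EventType: %EventType%"
+Values:
+-
+Name: EventType
+Value: "/Event/EventData/Data[@Name=\"EventType\"]"
+-
+Property: PayloadData5
+PropertyValue: "TargetObject: %TargetObject%"
+Values:
+-
+Name: TargetObject
+Value: "/Event/EventData/Data[@Name=\"TargetObject\"]"
+-
+Property: PayloadData6
+PropertyValue: "NewName: %NewName%"
+Values:
+-
+Name: NewName
+Value: "/Event/EventData/Data[@Name=\"NewName\"]"
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+# Hashes --> SHA1 of the Process that was created. Useful for running through VirusTotal if suspicious.
+
+#<Event>
+# <System>
+# <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
+# <EventID Qualifiers="16384">7045</EventID>
+# <Version>0</Version>
+# <Level>4</Level>
+# <Task>0</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8080000000000000</Keywords>
+# <TimeCreated SystemTime="2018-05-07 19:24:11.6922354" />
+# <EventRecordID>382</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="620" ThreadID="1196" />
+# <Channel>System</Channel>
+# <Computer>win10-test</Computer>
+# <Security UserID="S-1-5-18" />
+# </System>
+# <EventData>
+# <Data Name="ServiceName">vmxnet3 NDIS 6 Ethernet Adapter Driver</Data>
+# <Data Name="ImagePath">\SystemRoot\System32\drivers\vmxnet3.sys</Data>
+# <Data Name="ServiceType">kernel mode driver</Data>
+# <Data Name="StartType">demand start</Data>
+# <Data Name="AccountName"></Data>
+# </EventData>
+#</Event>
+#
+# https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon for more information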
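Review bot: The sample event in the trailing comment block (`#<Event>` through `#</Event>`) is a Service Control Manager EventID 7045 record on the System channel, not a Microsoft-Windows-Sysmon/Operational EventId 14 record, so it illustrates none of the Data[@Name=...] fields this map extracts (ProcessGuid, ProcessId, Image, EventType, TargetObject, NewName) and will mislead an analyst checking the XPath selectors against real data. The identical copied block is in the _17, _18 and _9 maps in this PR; replace it in each with a real event of the mapped EventId, or drop it and keep only the valid-properties list. Separately, the Property numbering jumps from PayloadData1 to PayloadData3; if PayloadData2 is deliberately left free, a one-line comment such as `# PayloadData2 intentionally unused` would stop the gap being read as a typo. Indentation is not visible on the rendered page, so the nesting of Values under each Property cannot be verified from here.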
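--- a/evtx/Maps/Microsoft-Windows-SysMon_Operational_17.map
+++ b/evtx/Maps/Microsoft-Windows-SysMon_Operational_17.map
@@ -0,0 +1,64 @@
+Author: Andrew Rathbun
+Description: PipeEvent (Pipe Created)
+EventId: 17
+Channel: Microsoft-Windows-Sysmon/Operational
+Maps:
+-
+Property: PayloadData1
+PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
+Values:
+-
+Name: ProcessGUID
+Value: "/Event/EventData/Data[@Name=\"ProcessGuid\"]"
+-
+Name: ProcessID
+Value: "/Event/EventData/Data[@Name=\"ProcessId\"]"
+-
+Property: PayloadData2
+PropertyValue: "PipeName: %PipeName%"
+Values:
+-
+Name: PipeName
+Value: "/Event/EventData/Data[@Name=\"PipeName\"]"
+-
+Property: PayloadData5
+PropertyValue: "Image: %Image%"
+Values:
+-
+Name: Image
+Value: "/Event/EventData/Data[@Name=\"Image\"]"
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+# Hashes --> SHA1 of the Process that was created. Useful for running through VirusTotal if suspicious.
+
+#<Event>
+# <System>
+# <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
+# <EventID Qualifiers="16384">7045</EventID>
+# <Version>0</Version>
+# <Level>4</Level>
+# <Task>0</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8080000000000000</Keywords>
+# <TimeCreated SystemTime="2018-05-07 19:24:11.6922354" />
+# <EventRecordID>382</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="620" ThreadID="1196" />
+# <Channel>System</Channel>
+# <Computer>win10-test</Computer>
+# <Security UserID="S-1-5-18" />
+# </System>
+# <EventData>
+# <Data Name="ServiceName">vmxnet3 NDIS 6 Ethernet Adapter Driver</Data>
+# <Data Name="ImagePath">\SystemRoot\System32\drivers\vmxnet3.sys</Data>
+# <Data Name="ServiceType">kernel mode driver</Data>
+# <Data Name="StartType">demand start</Data>
+# <Data Name="AccountName"></Data>
+# </EventData>
+#</Event>
+#
+# https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon for more information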
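Review bot: The Image column is placed in PayloadData5 while PayloadData3 and PayloadData4 are left empty, which makes the pipe-event rows wider and harder to scan next to the _9 map in this PR, where Image sits in PayloadData3 right after the process and device columns. The same layout is used in the _18 map. If the intent is to line Image up with a fixed column across all Sysmon maps, a comment stating that convention, e.g. `# PayloadData3/4 reserved; Image kept in PayloadData5 to match other Sysmon maps`, would make the gap deliberate; otherwise moving it to PayloadData3 keeps the pipe-created and pipe-connected views consistent with RawAccessRead.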
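--- a/evtx/Maps/Microsoft-Windows-SysMon_Operational_18.map
+++ b/evtx/Maps/Microsoft-Windows-SysMon_Operational_18.map
@@ -0,0 +1,64 @@
+Author: Andrew Rathbun
+Description: PipeEvent (Pipe Connected)
+EventId: 18
+Channel: Microsoft-Windows-Sysmon/Operational
+Maps:
+-
+Property: PayloadData1
+PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
+Values:
+-
+Name: ProcessGUID
+Value: "/Event/EventData/Data[@Name=\"ProcessGuid\"]"
+-
+Name: ProcessID
+Value: "/Event/EventData/Data[@Name=\"ProcessId\"]"
+-
+Property: PayloadData2
+PropertyValue: "PipeName: %PipeName%"
+Values:
+-
+Name: PipeName
+Value: "/Event/EventData/Data[@Name=\"PipeName\"]"
+-
+Property: PayloadData5
+PropertyValue: "Image: %Image%"
+Values:
+-
+Name: Image
+Value: "/Event/EventData/Data[@Name=\"Image\"]"
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+# Hashes --> SHA1 of the Process that was created. Useful for running through VirusTotal if suspicious.
+
+#<Event>
+# <System>
+# <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
+# <EventID Qualifiers="16384">7045</EventID>
+# <Version>0</Version>
+# <Level>4</Level>
+# <Task>0</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8080000000000000</Keywords>
+# <TimeCreated SystemTime="2018-05-07 19:24:11.6922354" />
+# <EventRecordID>382</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="620" ThreadID="1196" />
+# <Channel>System</Channel>
+# <Computer>win10-test</Computer>
+# <Security UserID="S-1-5-18" />
+# </System>
+# <EventData>
+# <Data Name="ServiceName">vmxnet3 NDIS 6 Ethernet Adapter Driver</Data>
+# <Data Name="ImagePath">\SystemRoot\System32\drivers\vmxnet3.sys</Data>
+# <Data Name="ServiceType">kernel mode driver</Data>
+# <Data Name="StartType">demand start</Data>
+# <Data Name="AccountName"></Data>
+# </EventData>
+#</Event>
+#
+# https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon for more information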
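--- a/evtx/Maps/Microsoft-Windows-SysMon_Operational_9.map
+++ b/evtx/Maps/Microsoft-Windows-SysMon_Operational_9.map
@@ -0,0 +1,66 @@
+Author: Andrew Rathbun
+Description: RawAccessRead
+EventId: 9
+Channel: Microsoft-Windows-Sysmon/Operational
+Maps:
+
+-
+Property: PayloadData1
+PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
+Values:
+-
+Name: ProcessGUID
+Value: "/Event/EventData/Data[@Name=\"ProcessGuid\"]"
+-
+Name: ProcessID
+Value: "/Event/EventData/Data[@Name=\"ProcessId\"]"
+-
+Property: PayloadData2
+PropertyValue: "Device: %Device%"
+Values:
+-
+Name: Device
+Value: "/Event/EventData/Data[@Name=\"Device\"]"
+-
+Property: PayloadData3
+PropertyValue: "Image: %Image%"
+Values:
+-
+Name: Image
+Value: "/Event/EventData/Data[@Name=\"Image\"]"
+
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+# Hashes --> SHA1 of the Process that was created. Useful for running through VirusTotal if suspicious.
+
+#<Event>
+# <System>
+# <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
+# <EventID Qualifiers="16384">7045</EventID>
+# <Version>0</Version>
+# <Level>4</Level>
+# <Task>0</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8080000000000000</Keywords>
+# <TimeCreated SystemTime="2018-05-07 19:24:11.6922354" />
+# <EventRecordID>382</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="620" ThreadID="1196" />
+# <Channel>System</Channel>
+# <Computer>win10-test</Computer>
+# <Security UserID="S-1-5-18" />
+# </System>
+# <EventData>
+# <Data Name="ServiceName">vmxnet3 NDIS 6 Ethernet Adapter Driver</Data>
+# <Data Name="ImagePath">\SystemRoot\System32\drivers\vmxnet3.sys</Data>
+# <Data Name="ServiceType">kernel mode driver</Data>
+# <Data Name="StartType">demand start</Data>
+# <Data Name="AccountName"></Data>
+# </EventData>
+#</Event>
+#
+# https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon for more information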
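--- a/evtx/Maps/Security_4798.map
+++ b/evtx/Maps/Security_4798.map
@@ -0,0 +1,88 @@
+Author: Andrew Rathbun
+Description: A user's local group membership was enumerated
+EventId: 4798
+Channel: Security
+Maps:
+-
+Property: UserName
+PropertyValue: "%domain%\\%user% (%sid%)"
+Values:
+-
+Name: domain
+Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+-
+Name: user
+Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+-
+Name: sid
+Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+-
+Property: PayloadData1
+PropertyValue: "Target: %TargetDomainName%\\%TargetUserName% (%TargetSid%)"
+Values:
+-
+Name: TargetUserName
+Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
+-
+Name: TargetDomainName
+Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
+-
+Name: TargetSid
+Value: "/Event/EventData/Data[@Name=\"TargetSid\"]"
+-
+Property: PayloadData2
+PropertyValue: "SubjectLogonId: %SubjectLogonId%"
+Values:
+-
+Name: SubjectLogonId
+Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+-
+Property: PayloadData3
+PropertyValue: "CallerProcessName: %CallerProcessName%"
+Values:
+-
+Name: CallerProcessName
+Value: "/Event/EventData/Data[@Name=\"CallerProcessName\"]"
+-
+Property: PayloadData4
+PropertyValue: "CallerProcessId: %CallerProcessId%"
+Values:
+-
+Name: CallerProcessId
+Value: "/Event/EventData/Data[@Name=\"CallerProcessId\"]"
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+# <EventData>
+# <Data Name="TargetUserName">defaultuser1</Data>
+# <Data Name="TargetDomainName">MICROSO-F9QCQ4I</Data>
+# <Data Name="TargetSid">S-1-5-21-3634127885-2815721165-4177678784-1004</Data>
+# <Data Name="SubjectUserSid">S-1-5-18</Data>
+# <Data Name="SubjectUserName">MICROSO-F9QCQ4I$</Data>
+# <Data Name="SubjectDomainName">TEMP</Data>
+# <Data Name="SubjectLogonId">0x3E7</Data>
+# <Data Name="PrivilegeList">-</Data>
+# <Data Name="SamAccountName">defaultuser1</Data>
+# <Data Name="DisplayName">%%1793</Data>
+# <Data Name="UserPrincipalName">-</Data>
+# <Data Name="HomeDirectory">%%1793</Data>
+# <Data Name="HomePath">%%1793</Data>
+# <Data Name="ScriptPath">%%1793</Data>
+# <Data Name="ProfilePath">%%1793</Data>
+# <Data Name="UserWorkstations">%%1793</Data>
+# <Data Name="PasswordLastSet">%%1794</Data>
+# <Data Name="AccountExpires">%%1794</Data>
+# <Data Name="PrimaryGroupId">513</Data>
+# <Data Name="AllowedToDelegateTo">-</Data>
+# <Data Name="OldUacValue">0x0</Data>
+# <Data Name="NewUacValue">0x15</Data>
+# <Data Name="UserAccountControl">%%2080%%2082%%2084</Data>
+# <Data Name="UserParameters">%%1793</Data>
+# <Data Name="SidHistory">-</Data>
+# <Data Name="LogonHours">%%1797</Data>
+# </EventData>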
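Review bot: The "Example payload data" comment block does not match the event this map parses: it contains no CallerProcessName or CallerProcessId elements, which PayloadData3 and PayloadData4 extract, and instead carries account-attribute fields (PrivilegeList, SamAccountName, PasswordLastSet, UserAccountControl, SidHistory, LogonHours) that the map never references, so it looks like it was pasted from an account-management event rather than a 4798 record. Since CallerProcessName is the field an analyst will lean on to tell a routine enumeration from an unexpected one, the example should be a real 4798 payload that shows it, or be removed so nobody validates the XPath against the wrong shape. A one-line comment above the block such as `# Example payload data (replace with a captured 4798 event; current sample lacks CallerProcessName/CallerProcessId)` would at least flag the mismatch until a sample is captured. The enumerating subject is surfaced in UserName and the enumerated account in PayloadData1, which reads correctly given the Subject*/Target* selectors above.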