Add maps, update existing

evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map

@@ -1,35 +1,51 @@
 Author: Mark Hallman mark.hallman@gmail.com
-Description: Potential artifacts for Bitsadminexec
+Description: BITS transfer has started
 EventId: 59
 Channel: Microsoft-Windows-Bits-Client/Operational
 Provider: Microsoft-Windows-Bits-Client
 Maps:
    -
-    Property: PayloadData2
-    PropertyValue: url "%url%"
+    Property: PayloadData1
+    PropertyValue: "URL: %url%"
     Values: 
       - 
         Name: url
         Value: "/Event/EventData/Data[@Name=\"url\"]"
    -
-    Property: PayloadData3
-    PropertyValue: peer "%peer%"
+    Property: PayloadData2
+    PropertyValue: "Peer: %peer%"
     Values: 
       - 
         Name: peer
         Value: "/Event/EventData/Data[@Name=\"peer\"]"     
+   -
+    Property: PayloadData3
+    PropertyValue: "Total Bytes: %bytesTotal%"
+    Values: 
+      - 
+        Name: bytesTotal
+        Value: "/Event/EventData/Data[@Name=\"bytesTotal\"]" 
    -
     Property: PayloadData4
-    PropertyValue: fileLength "%fileLength%"
+    PropertyValue: "Bytes Transferred: %bytesTransferred%"
+    Values: 
+      - 
+        Name: bytesTransferred
+        Value: "/Event/EventData/Data[@Name=\"bytesTransferred\"]" 
+   -
+    Property: PayloadData5
+    PropertyValue: "Bytes Transferred from Peer: %bytesTransferredFromPeer%"
     Values: 
       - 
-        Name: fileLength
-        Value: "/Event/EventData/Data[@Name=\"fileLength\"]" 
-
+        Name: bytesTransferredFromPeer
+        Value: "/Event/EventData/Data[@Name=\"bytesTransferredFromPeer\"]" 
+                                                                    
 # Documentation:
 # https://kb.eventtracker.com/evtpass/evtPages/EventId_59_Microsoft-Windows-Bits-Client_64109.asp
 # https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm
 # https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734713(v=ws.10)
 #
 # Example Event Data:
 #<Event>

evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map

@@ -0,0 +1,87 @@
+Author: Andrew Rathbun
+Description: BITS transfer has stopped
+EventId: 60
+Channel: Microsoft-Windows-Bits-Client/Operational
+Provider: Microsoft-Windows-Bits-Client
+Maps:
+   -
+    Property: PayloadData1
+    PropertyValue: "URL: %url%"
+    Values: 
+      - 
+        Name: url
+        Value: "/Event/EventData/Data[@Name=\"url\"]"
+   -
+    Property: PayloadData2
+    PropertyValue: "Peer: %peer%"
+    Values: 
+      - 
+        Name: peer
+        Value: "/Event/EventData/Data[@Name=\"peer\"]"     
+   -
+    Property: PayloadData3
+    PropertyValue: "Total Bytes: %bytesTotal%"
+    Values: 
+      - 
+        Name: bytesTotal
+        Value: "/Event/EventData/Data[@Name=\"bytesTotal\"]" 
+   -
+    Property: PayloadData4
+    PropertyValue: "Bytes Transferred: %bytesTransferred%"
+    Values: 
+      - 
+        Name: bytesTransferred
+        Value: "/Event/EventData/Data[@Name=\"bytesTransferred\"]" 
+   -
+    Property: PayloadData5
+    PropertyValue: "Bytes Transferred from Peer: %bytesTransferredFromPeer%"
+    Values: 
+      - 
+        Name: bytesTransferredFromPeer
+        Value: "/Event/EventData/Data[@Name=\"bytesTransferredFromPeer\"]" 
+
+# Documentation:
+# https://kb.eventtracker.com/evtpass/evtpages/EventId_60_Microsoft-Windows-Bits-Client_64110.asp
+# https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm
+# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734635(v=ws.10)
+#
+# Example Event Data:
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Bits-Client" Guid="ef1ab15b-46c1-414e-bb95-e76b077bd51e" />
+#    <EventID>60</EventID>
+#    <Version>1</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>2</Opcode>
+#    <Keywords>0x4000000800000000</Keywords>
+#    <TimeCreated SystemTime="2020-11-30 17:31:11.2022221" />
+#    <EventRecordID>1532</EventRecordID>
+#    <Correlation ActivityID="76099896-f8ef-40f3-853b-9d3725e4b2f7" />
+#    <Execution ProcessID="7788" ThreadID="16396" />
+#    <Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
+#    <Computer>HOSTNAME</Computer>
+#    <Security UserID="S-1-5-18" />
+#  </System>
+#  <EventData>
+#    <Data Name="transferId">76052606-f8ef-40f3-853b-9d3725e4b2f7</Data>
+#    <Data Name="name">UpdateXml</Data>
+#    <Data Name="Id">f4ecc13b-4421-48a3-8766-4b987a0e5995</Data>
+#    <Data Name="url">https://g.live.com/123rewlive5skydrive/OneDriveProduction?OneDriveUpdate=f37fd774d9b58ea48d76eacfee1e</Data>
+#    <Data Name="peer"></Data>
+#    <Data Name="hr">0</Data>
+#    <Data Name="fileTime">2020-11-23 20:04:21.0000000</Data>
+#    <Data Name="fileLength">993</Data>
+#    <Data Name="bytesTotal">993</Data>
+#    <Data Name="bytesTransferred">993</Data>
+#    <Data Name="proxy"></Data>
+#    <Data Name="peerProtocolFlags">0</Data>
+#    <Data Name="bytesTransferredFromPeer">0</Data>
+#    <Data Name="AdditionalInfoHr">0</Data>
+#    <Data Name="PeerContextInfo">0</Data>
+#    <Data Name="bandwidthLimit">18446749973709551615</Data>
+#    <Data Name="ignoreBandwidthLimitsOnLan">False</Data>
+#  </EventData>
+#</Event>

evtx/Maps/System_EventLog_6005.map

@@ -17,6 +17,7 @@ Maps:
 # https://www.manageengine.com/products/active-directory-audit/kb/system-events/event-id-6005.html
 # https://www.howtogeek.com/277688/how-do-you-find-out-if-windows-was-running-at-a-given-time/
 # https://community.spiceworks.com/topic/237386-event-log-time-when-computer-start-up-boot-up
+# https://superuser.com/questions/767143/find-out-why-pc-just-restarted-for-no-reason
 #
 # Example Event Data:
 #<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

evtx/Maps/System_EventLog_6006.map

@@ -17,6 +17,7 @@ Maps:
 # https://www.manageengine.com/products/active-directory-audit/kb/system-events/event-id-6006.html
 # https://www.howtogeek.com/277688/how-do-you-find-out-if-windows-was-running-at-a-given-time/
 # https://community.spiceworks.com/topic/237386-event-log-time-when-computer-start-up-boot-up
+# https://superuser.com/questions/767143/find-out-why-pc-just-restarted-for-no-reason
 #
 # Example Event Data:
 #<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

evtx/Maps/System_Microsoft-Windows-Winlogon_7001.map

@@ -0,0 +1,42 @@
+Author: Andrew Rathbun
+Description: User logon
+EventId: 7001
+Channel: System
+Provider: Microsoft-Windows-Winlogon
+Maps: 
+  - 
+    Property: PayloadData1 
+    PropertyValue: "UserSID: %UserSid%"
+    Values: 
+      - 
+        Name: UserSid
+        Value: "/Event/EventData/Data[@Name=\"UserSid\"]"
+
+# Documentation:
+# https://superuser.com/questions/726967/how-can-i-know-if-someone-has-logged-into-my-account-in-windows-7
+# https://community.spiceworks.com/topic/2131335-ps-script-for-user-logon-activity-7001-7002-and-4800-4001-need-help
+# https://superuser.com/questions/767143/find-out-why-pc-just-restarted-for-no-reason?newreg=e76b115fee3b486fb76788c3b4906677
+#
+# Example Event Data:
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Winlogon" Guid="dbe9b456-7cf3-4331-91cc-a3cb1234b538" />
+#    <EventID>7001</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>1901</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x2000200000900000</Keywords>
+#    <TimeCreated SystemTime="2020-06-10 05:23:32.9946381" />
+#    <EventRecordID>62316</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="16788" ThreadID="1896" />
+#    <Channel>System</Channel>
+#    <Computer>HOSTNAME.domain.com</Computer>
+#    <Security UserID="S-1-5-18" />
+#  </System>
+#  <EventData>
+#    <Data Name="TSId">6</Data>
+#    <Data Name="UserSid">S-1-5-21-795675957-65754735-9675674874-7637643</Data>
+#  </EventData>
+#</Event>

evtx/Maps/System_Microsoft-Windows-Winlogon_7002.map

@@ -0,0 +1,42 @@
+Author: Andrew Rathbun
+Description: User logoff
+EventId: 7002
+Channel: System
+Provider: Microsoft-Windows-Winlogon
+Maps: 
+  - 
+    Property: PayloadData1 
+    PropertyValue: "UserSID: %UserSid%"
+    Values: 
+      - 
+        Name: UserSid
+        Value: "/Event/EventData/Data[@Name=\"UserSid\"]"
+
+# Documentation:
+# https://superuser.com/questions/726967/how-can-i-know-if-someone-has-logged-into-my-account-in-windows-7
+# https://community.spiceworks.com/topic/2131335-ps-script-for-user-logon-activity-7001-7002-and-4800-4001-need-help
+# https://superuser.com/questions/767143/find-out-why-pc-just-restarted-for-no-reason?newreg=e76b115fee3b486fb76788c3b4906677
+#
+# Example Event Data:
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Winlogon" Guid="dbe9b456-7cf3-4331-91cc-a3cb1234b538" />
+#    <EventID>7002</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>1901</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x2000200000900000</Keywords>
+#    <TimeCreated SystemTime="2020-06-10 05:23:32.9946381" />
+#    <EventRecordID>62316</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="16788" ThreadID="1896" />
+#    <Channel>System</Channel>
+#    <Computer>HOSTNAME.domain.com</Computer>
+#    <Security UserID="S-1-5-18" />
+#  </System>
+#  <EventData>
+#    <Data Name="TSId">6</Data>
+#    <Data Name="UserSid">S-1-5-21-795675957-65754735-9675674874-7637643</Data>
+#  </EventData>
+#</Event>

evtx/Maps/System_User32_1074.map

@@ -0,0 +1,80 @@
+Author: Andrew Rathbun
+Description: A user initiated a system restart 
+EventId: 1074
+Channel: System
+Provider: User32
+Maps: 
+  - 
+    Property: UserName 
+    PropertyValue: "%user%"
+    Values: 
+      - 
+        Name: user
+        Value: "/Event/EventData/Data[@Name=\"param7\"]"
+  - 
+    Property: ExecutableInfo 
+    PropertyValue: "%ProcessName%"
+    Values: 
+      - 
+        Name: ProcessName
+        Value: "/Event/EventData/Data[@Name=\"param1\"]"
+  - 
+    Property: PayloadData1 
+    PropertyValue: "Hostname: %Hostname%"
+    Values: 
+      - 
+        Name: Hostname
+        Value: "/Event/EventData/Data[@Name=\"param2\"]"
+  - 
+    Property: PayloadData2 
+    PropertyValue: "Reason: %Reason%"
+    Values: 
+      - 
+        Name: Reason
+        Value: "/Event/EventData/Data[@Name=\"param3\"]"
+  - 
+    Property: PayloadData3 
+    PropertyValue: "Type: %Type%"
+    Values: 
+      - 
+        Name: Type
+        Value: "/Event/EventData/Data[@Name=\"param5\"]"
+  - 
+    Property: PayloadData4 
+    PropertyValue: "Code: %Code%"
+    Values: 
+      - 
+        Name: Code
+        Value: "/Event/EventData/Data[@Name=\"param4\"]"
+
+# Documentation:
+# https://superuser.com/questions/767143/find-out-why-pc-just-restarted-for-no-reason
+#
+# Example Event Data:
+#<Event>
+#  <System>
+#    <Provider Name="User32" Guid="{b0aa8734-56f7-41cc-b2f4-de628e98b946}" EventSourceName="User32" />
+#    <EventID Qualifiers="32768">1074</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x8080000090000000</Keywords>
+#    <TimeCreated SystemTime="2020-10-24 15:22:54.3699307" />
+#    <EventRecordID>332</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="676" ThreadID="3576" />
+#    <Channel>System</Channel>
+#    <Computer>HOSTNAME</Computer>
+#    <Security UserID="S-1-5-18" />
+#  </System>
+#  <EventData>
+#    <Data Name="param1">C:\WINDOWS\system32\winlogon.exe (ANDREW-PERSONAL)</Data>
+#    <Data Name="param2">HOSTNAME</Data>
+#    <Data Name="param3">Operating System: Upgrade (Planned)</Data>
+#    <Data Name="param4">0x80020003</Data>
+#    <Data Name="param5">restart</Data>
+#    <Data Name="param6"></Data>
+#    <Data Name="param7">NT AUTHORITY\SYSTEM</Data>
+#  </EventData>
+#</Event>