EricZimmerman · AndrewRathbun · Jan 3, 2021 · Jan 2, 2021 · Jan 3, 2021 · Jan 3, 2021
diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4706.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4706.map
@@ -0,0 +1,100 @@
+Author: Andrew Rathbun
+Description: A new trust was created to a domain
+EventId: 4706
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps: 
+  - 
+    Property: UserName
+    PropertyValue: "%domain%\\%user% (%sid%)"
+    Values: 
+      - 
+        Name: domain
+        Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+      - 
+        Name: user
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+      - 
+        Name: sid
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+  - 
+    Property: PayloadData1
+    PropertyValue: "DomainName: %DomainName% (%DomainSid%)"
+    Values: 
+      - 
+        Name: DomainSid
+        Value: "/Event/EventData/Data[@Name=\"DomainSid\"]"
+      - 
+        Name: DomainName
+        Value: "/Event/EventData/Data[@Name=\"DomainName\"]"      
+  - 
+    Property: PayloadData2
+    PropertyValue: "SidFilteringEnabled: %SidFilteringEnabled%"
+    Values: 
+      - 
+        Name: SidFilteringEnabled
+        Value: "/Event/EventData/Data[@Name=\"SidFilteringEnabled\"]"
+  - 
+    Property: PayloadData3
+    PropertyValue: "LogonId: %SubjectLogonId%"
+    Values: 
+      - 
+        Name: SubjectLogonId
+        Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+  - 
+    Property: PayloadData4
+    PropertyValue: "TdoType: %TdoType%"
+    Values: 
+      - 
+        Name: TdoType
+        Value: "/Event/EventData/Data[@Name=\"TdoType\"]"
+  - 
+    Property: PayloadData5
+    PropertyValue: "TdoDirection: %TdoDirection%"
+    Values: 
+      - 
+        Name: TdoDirection
+        Value: "/Event/EventData/Data[@Name=\"TdoDirection\"]"
+  - 
+    Property: PayloadData6
+    PropertyValue: "TdoAttributes: %TdoAttributes%"
+    Values: 
+      - 
+        Name: TdoAttributes
+        Value: "/Event/EventData/Data[@Name=\"TdoAttributes\"]"
+
+# Documentation:
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4706
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+#<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
+#<EventID>4706</EventID> 
+#<Version>0</Version> 
+#<Level>0</Level> 
+#<Task>13569</Task> 
+#<Opcode>0</Opcode> 
+#<Keywords>0x8020000000000000</Keywords> 
+#<TimeCreated SystemTime="2015-10-01T20:41:13.189445500Z" /> 
+#<EventRecordID>1049759</EventRecordID> 
+#<Correlation /> 
+#<Execution ProcessID="500" ThreadID="4900" /> 
+#<Channel>Security</Channel> 
+#<Computer>DC01.contoso.local</Computer> 
+#<Security /> 
+#</System>
+# <EventData>
+#<Data Name="DomainName">corp.contoso.local</Data> 
+#<Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data> 
+#<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
+#<Data Name="SubjectUserName">dadmin</Data> 
+#<Data Name="SubjectDomainName">CONTOSO</Data> 
+#<Data Name="SubjectLogonId">0x3e99d6</Data> 
+#<Data Name="TdoType">2</Data> 
+#<Data Name="TdoDirection">3</Data> 
+#<Data Name="TdoAttributes">32</Data> 
+#<Data Name="SidFilteringEnabled">%%1796</Data> 
+#</EventData>
+#</Event>
diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4707.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4707.map
@@ -0,0 +1,61 @@
+Author: Andrew Rathbun
+Description: A trust to a domain was removed
+EventId: 4707
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps: 
+  - 
+    Property: UserName
+    PropertyValue: "%domain%\\%user% (%sid%)"
+    Values: 
+      - 
+        Name: domain
+        Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+      - 
+        Name: user
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+      - 
+        Name: sid
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+  - 
+    Property: PayloadData1
+    PropertyValue: "DomainName: %DomainName% (%DomainSid%)"
+    Values: 
+      - 
+        Name: DomainSid
+        Value: "/Event/EventData/Data[@Name=\"DomainSid\"]"
+      - 
+        Name: DomainName
+        Value: "/Event/EventData/Data[@Name=\"DomainName\"]"      
+
+# Documentation:
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4707
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4707
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+#<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
+#<EventID>4707</EventID> 
+#<Version>0</Version> 
+#<Level>0</Level> 
+#<Task>13569</Task> 
+#<Opcode>0</Opcode> 
+#<Keywords>0x8020000000000000</Keywords> 
+#<TimeCreated SystemTime="2015-10-01T20:41:13.080444700Z" /> 
+#<EventRecordID>1049754</EventRecordID> 
+#<Correlation /> 
+#<Execution ProcessID="500" ThreadID="580" /> 
+#<Channel>Security</Channel> 
+#<Computer>DC01.contoso.local</Computer> 
+#<Security /> 
+#</System>
+# <EventData>
+#<Data Name="DomainName">FABRIKAM</Data> 
+#<Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data> 
+#<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
+#<Data Name="SubjectUserName">dadmin</Data> 
+#<Data Name="SubjectDomainName">CONTOSO</Data> 
+#<Data Name="SubjectLogonId">0x3e99d6</Data> 
+#</EventData>
+#</Event>
diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4713.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4713.map
@@ -0,0 +1,60 @@
+Author: Andrew Rathbun
+Description: Kerberos policy was changed
+EventId: 4713
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps: 
+  - 
+    Property: UserName
+    PropertyValue: "%domain%\\%user%"
+    Values: 
+      - 
+        Name: domain
+        Value: "/Event/UserData/LogFileCleared/SubjectDomainName"
+      - 
+        Name: user
+        Value: "/Event/UserData/LogFileCleared/SubjectUserName"
+  - 
+    Property: PayloadData1
+    PropertyValue: "SID: (%SubjectUserSid%)"
+    Values: 
+      - 
+        Name: SubjectUserSid
+        Value: "/Event/UserData/LogFileCleared/SubjectUserSid"
+  - 
+    Property: PayloadData2
+    PropertyValue: "KerberosPolicyChange: (%KerberosPolicyChange%)"
+    Values: 
+      - 
+        Name: KerberosPolicyChange
+        Value: "/Event/UserData/LogFileCleared/KerberosPolicyChange"
+
+# Documentation:
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4713
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4713
+#
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+#<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
+#<EventID>4713</EventID> 
+#<Version>0</Version> 
+#<Level>0</Level> 
+#<Task>13569</Task> 
+#<Opcode>0</Opcode> 
+#<Keywords>0x8020000000000000</Keywords> 
+#<TimeCreated SystemTime="2015-10-01T23:15:50.811774300Z" /> 
+#<EventRecordID>1049772</EventRecordID> 
+#<Correlation /> 
+#<Execution ProcessID="500" ThreadID="4116" /> 
+#<Channel>Security</Channel> 
+#<Computer>DC01.contoso.local</Computer> 
+#<Security /> 
+#</System>
+# <EventData>
+#<Data Name="SubjectUserSid">S-1-5-18</Data> 
+#<Data Name="SubjectUserName">DC01$</Data> 
+#<Data Name="SubjectDomainName">CONTOSO</Data> 
+#<Data Name="SubjectLogonId">0x3e7</Data> 
+#<Data Name="KerberosPolicyChange">KerMaxT: 0x10c388d000 (0x861c46800); KerMaxR: 0x19254d38000 (0xc92a69c000);</Data> 
+#</EventData>
+#</Event>
diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4716.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4716.map
@@ -0,0 +1,100 @@
+Author: Andrew Rathbun
+Description: Trusted domain information was modified0
+EventId: 4716
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps: 
+  - 
+    Property: UserName
+    PropertyValue: "%domain%\\%user% (%sid%)"
+    Values: 
+      - 
+        Name: domain
+        Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+      - 
+        Name: user
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+      - 
+        Name: sid
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+  - 
+    Property: PayloadData1
+    PropertyValue: "DomainName: %DomainName% (%DomainSid%)"
+    Values: 
+      - 
+        Name: DomainSid
+        Value: "/Event/EventData/Data[@Name=\"DomainSid\"]"
+      - 
+        Name: DomainName
+        Value: "/Event/EventData/Data[@Name=\"DomainName\"]"      
+  - 
+    Property: PayloadData2
+    PropertyValue: "SidFilteringEnabled: %SidFilteringEnabled%"
+    Values: 
+      - 
+        Name: SidFilteringEnabled
+        Value: "/Event/EventData/Data[@Name=\"SidFilteringEnabled\"]"
+  - 
+    Property: PayloadData3
+    PropertyValue: "LogonId: %SubjectLogonId%"
+    Values: 
+      - 
+        Name: SubjectLogonId
+        Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+  - 
+    Property: PayloadData4
+    PropertyValue: "TdoType: %TdoType%"
+    Values: 
+      - 
+        Name: TdoType
+        Value: "/Event/EventData/Data[@Name=\"TdoType\"]"
+  - 
+    Property: PayloadData5
+    PropertyValue: "TdoDirection: %TdoDirection%"
+    Values: 
+      - 
+        Name: TdoDirection
+        Value: "/Event/EventData/Data[@Name=\"TdoDirection\"]"
+  - 
+    Property: PayloadData6
+    PropertyValue: "TdoAttributes: %TdoAttributes%"
+    Values: 
+      - 
+        Name: TdoAttributes
+        Value: "/Event/EventData/Data[@Name=\"TdoAttributes\"]"
+
+# Documentation:
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4716
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4716
+#
+# Example Event Data:
+#  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#  <System>
+# <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
+# <EventID>4716</EventID> 
+# <Version>0</Version> 
+# <Level>0</Level> 
+# <Task>13569</Task> 
+# <Opcode>0</Opcode> 
+# <Keywords>0x8020000000000000</Keywords> 
+# <TimeCreated SystemTime="2015-10-01T22:55:54.560735500Z" /> 
+# <EventRecordID>1049763</EventRecordID> 
+# <Correlation /> 
+# <Execution ProcessID="500" ThreadID="4920" /> 
+# <Channel>Security</Channel> 
+# <Computer>DC01.contoso.local</Computer> 
+# <Security /> 
+# </System>
+#  <EventData>
+# <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
+# <Data Name="SubjectUserName">dadmin</Data> 
+# <Data Name="SubjectDomainName">CONTOSO</Data> 
+# <Data Name="SubjectLogonId">0x138eb0</Data> 
+# <Data Name="DomainName">-</Data> 
+# <Data Name="DomainSid">S-1-5-21-2226861337-2836268956-2433141405</Data> 
+# <Data Name="TdoType">2</Data> 
+# <Data Name="TdoDirection">3</Data> 
+# <Data Name="TdoAttributes">32</Data> 
+# <Data Name="SidFilteringEnabled">-</Data> 
+# </EventData>
+# </Event>
diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4717.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4717.map
@@ -17,16 +17,6 @@ Maps:
       - 
         Name: sid
         Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
-  - 
-    Property: ExecutableInfo
-    PropertyValue: "%ProcessName% (PID: %ProcessId%)"
-    Values: 
-      - 
-        Name: ProcessName
-        Value: "/Event/EventData/Data[@Name=\"ProcessName\"]"
-      - 
-        Name: ProcessId
-        Value: "/Event/EventData/Data[@Name=\"ProcessId\"]"      
   - 
     Property: PayloadData1
     PropertyValue: "TargetSID: %sid%"