From 28804bb170085605a6e84c0637e587c4279b9f4f Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sat, 9 Jan 2021 12:44:49 -0500
Subject: [PATCH 01/11] Update
Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_40.map
---
...icrosoft-Windows-TerminalServices-LocalSessionManager_40.map | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_40.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_40.map
index 1e807d85..66210521 100644
--- a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_40.map
+++ b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_40.map
@@ -24,7 +24,7 @@ Lookups:
Default: Unknown code
Values:
0: No additional information is available (i.e. the user has closed RDP window)
- 5: The client’s connection was replaced by another connection (i.e. a user reconected to a previous RDP session)
+ 5: The client’s connection was replaced by another connection (i.e. a user reconnected to a previous RDP session)
11: User activity has initiated the disconnect
# Documentation:
From c0bf3b6d35823089e01e7045a6e5487827f4e380 Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sat, 9 Jan 2021 13:38:43 -0500
Subject: [PATCH 02/11] Create
Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_145.map
---
...Operational_Microsoft-Windows-Ntfs_145.map | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_145.map
diff --git a/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_145.map b/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_145.map
new file mode 100644
index 00000000..cdd6e316
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_145.map
@@ -0,0 +1,78 @@
+Author: Andrew Rathbun
+Description: NTFS-formatted drive attached
+EventId: 145
+Channel: "Microsoft-Windows-Ntfs/Operational"
+Provider: "Microsoft-Windows-Ntfs"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "VolumeName: %VolumeName%"
+ Values:
+ -
+ Name: VolumeName
+ Value: "/Event/EventData/Data[@Name=\"VolumeName\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "IsBootVolume: %IsBootVolume%"
+ Values:
+ -
+ Name: IsBootVolume
+ Value: "/Event/EventData/Data[@Name=\"IsBootVolume\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "VolumeCorrelationId: %VolumeCorrelationId%"
+ Values:
+ -
+ Name: VolumeCorrelationId
+ Value: "/Event/EventData/Data[@Name=\"VolumeCorrelationId\"]"
+
+# Documentation:
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+#
+# Example Event Data:
+#
+#
+#
+# 145
+# 2
+# 4
+# 0
+# 0
+# 0x4000000000204000
+#
+# 4419
+#
+#
+# Microsoft-Windows-Ntfs/Operational
+# HOSTNAME.domain.com
+#
+#
+#
+# c679d0d4-1476-11eb-bad3-34f39ae13aac
+# 0
+#
+# False
+# 30000
+# 5000000
+# 30000000
+# 100000000
+# 0
+# 0
+# 0
+# 0
+# 10000000
+# 50000000
+# 100000000
+# 0
+# 0
+# 0
+# 0
+# 10000000
+# 50000000
+# 100000000
+# 0
+# 0
+# 0
+# 0
+#
+#
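Review bot: The Description `NTFS-formatted drive attached` is identical to the 142 map's, so an analyst filtering the normalized output on Description cannot tell the two events apart; consider something like `NTFS volume mounted (correlation id / thresholds)` for this one. The example event also appears to show an empty VolumeName (the value just before `False` is blank, whereas the 142 sample carries `\\?\Volume{…}`), so `PayloadData1` may frequently render as `VolumeName: ` — if that is confirmed, a comment such as `# VolumeName may be empty for 145; pair on VolumeCorrelationId with the matching 142 record instead` would save analysts a surprise. The example block has also lost its `<Data Name=…>` element names (possibly only in this rendering), which makes it impossible to check which of the numeric values the three XPaths actually select.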
From 9aaf4db24da492f1e0a36b7bb0ff48277eb0c364 Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sat, 9 Jan 2021 13:38:46 -0500
Subject: [PATCH 03/11] Create
Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map
---
...Operational_Microsoft-Windows-Ntfs_142.map | 66 +++++++++++++++++++
1 file changed, 66 insertions(+)
create mode 100644 evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map
diff --git a/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map b/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map
new file mode 100644
index 00000000..41196e6b
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map
@@ -0,0 +1,66 @@
+Author: Andrew Rathbun
+Description: NTFS-formatted drive attached
+EventId: 142
+Channel: "Microsoft-Windows-Ntfs/Operational"
+Provider: "Microsoft-Windows-Ntfs"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "VolumeName: %VolumeName%"
+ Values:
+ -
+ Name: VolumeName
+ Value: "/Event/EventData/Data[@Name=\"VolumeName\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "IsBootVolume: %IsBootVolume%"
+ Values:
+ -
+ Name: IsBootVolume
+ Value: "/Event/EventData/Data[@Name=\"IsBootVolume\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "LowestFreeSpaceInBytes: %LowestFreeSpaceInBytes%"
+ Values:
+ -
+ Name: LowestFreeSpaceInBytes
+ Value: "/Event/EventData/Data[@Name=\"LowestFreeSpaceInBytes\"]"
+ -
+ Property: PayloadData4
+ PropertyValue: "HighestFreeSpaceInBytes: %HighestFreeSpaceInBytes%"
+ Values:
+ -
+ Name: HighestFreeSpaceInBytes
+ Value: "/Event/EventData/Data[@Name=\"HighestFreeSpaceInBytes\"]"
+
+# Documentation:
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+# Free space and volume name of the attached drive can be derived from this event.
+#
+# Example Event Data:
+#
+#
+#
+# 142
+# 0
+# 4
+# 0
+# 0
+# 0x4000000000200900
+#
+# 385
+#
+#
+# Microsoft-Windows-Ntfs/Operational
+# HOSTNAME.domain.com
+#
+#
+#
+# 6f349c04-b41a-4cb0-91bb-8c7742123937
+# 48
+# \\?\Volume{6f349c04-b41a-4cb0-91bb-8c7742123937}
+# 132669440
+# 132669440
+# False
+#
+#
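Review bot: The first data value in the example (`6f349c04-…`) looks like a VolumeCorrelationId — it matches the GUID inside the `\\?\Volume{…}` name — yet this map does not extract it, while the sibling 145 map does. Mapping it here too (`Value: "/Event/EventData/Data[@Name=\"VolumeCorrelationId\"]"` into a spare PayloadData column) is what lets an analyst join 142 and 145 for the same volume; confirm the field name against the raw XML before adding it. The Description duplicates the 145 map's text; distinguishing it (e.g. `NTFS volume mounted (free-space stats)`) would help triage.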
From 6a03a24f1d4a672389da350395b95d3157182f06 Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sat, 9 Jan 2021 13:44:18 -0500
Subject: [PATCH 04/11] Update
Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map
---
...oft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map | 3 +++
1 file changed, 3 insertions(+)
diff --git a/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map b/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map
index 41196e6b..352ea6d3 100644
--- a/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map
+++ b/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map
@@ -36,6 +36,9 @@ Maps:
# Documentation:
# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
# Free space and volume name of the attached drive can be derived from this event.
+# Events are created during the first connection since the startup.
+# So if the user removes the drive and attaches it again no new logs are going to be made according to my investigation.
+
#
# Example Event Data:
#
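Review bot: The added sentences, including "according to my investigation", read as the map author's own finding, but the wording appears to be lifted from the forensixchange post cited just above; attributing it explicitly, e.g. `# Per the forensixchange post above: events are created on the first mount since startup …`, makes clear it is a single-observer claim that has not been re-verified across Windows builds. The stray blank line added after the comment sits between the comment block and the `#` line that follows; keeping the block contiguous matches the other maps.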
From c8e5740750343eab8cad95b7af9119cc9f4a51bd Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sat, 9 Jan 2021 13:44:23 -0500
Subject: [PATCH 05/11] Update
Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_145.map
---
...soft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_145.map | 2 ++
1 file changed, 2 insertions(+)
diff --git a/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_145.map b/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_145.map
index cdd6e316..6b52a64c 100644
--- a/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_145.map
+++ b/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_145.map
@@ -28,6 +28,8 @@ Maps:
# Documentation:
# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+# Events are created during the first connection since the startup.
+# So if the user removes the drive and attaches it again no new logs are going to be made according to my investigation.
#
# Example Event Data:
#
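Review bot: The note says no new 145 is written when a drive is removed and re-attached, but it does not spell out the consequence for an examiner: the absence of this event is not evidence that a volume was never re-attached after its first mount since boot. Suggest adding `# Absence of this event does not mean the volume was not re-attached later in the same boot; corroborate with device-arrival events (e.g. Kernel-PnP 400/410, UserPnp 20001) or the USBSTOR/MountedDevices registry keys.` The claim is quoted from the cited post rather than the author's own testing, so marking it as such (`# Per the forensixchange post above …`) would be honest about its provenance.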
From fab809e954b835368aff68612fe77e5488a95335 Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sat, 9 Jan 2021 14:27:45 -0500
Subject: [PATCH 06/11] Create System_Microsoft-Windows-UserPnp_20001.map
---
...System_Microsoft-Windows-UserPnp_20001.map | 109 ++++++++++++++++++
1 file changed, 109 insertions(+)
create mode 100644 evtx/Maps/System_Microsoft-Windows-UserPnp_20001.map
diff --git a/evtx/Maps/System_Microsoft-Windows-UserPnp_20001.map b/evtx/Maps/System_Microsoft-Windows-UserPnp_20001.map
new file mode 100644
index 00000000..e19f86f7
--- /dev/null
+++ b/evtx/Maps/System_Microsoft-Windows-UserPnp_20001.map
@@ -0,0 +1,109 @@
+Author: Andrew Rathbun
+Description: Device installation
+EventId: 20001
+Channel: System
+Provider: "Microsoft-Windows-UserPnp"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "DriverDescription: %DriverDescription%"
+ Values:
+ -
+ Name: DriverDescription
+ Value: "/Event/UserData/InstallDeviceID/DriverDescription"
+ -
+ Property: PayloadData2
+ PropertyValue: "InstallStatus: %InstallStatus%"
+ Values:
+ -
+ Name: InstallStatus
+ Value: "/Event/UserData/InstallDeviceID/InstallStatus"
+ -
+ Property: PayloadData3
+ PropertyValue: "IsDriverOEM: %IsDriverOEM%"
+ Values:
+ -
+ Name: IsDriverOEM
+ Value: "/Event/UserData/InstallDeviceID/IsDriverOEM"
+ -
+ Property: PayloadData4
+ PropertyValue: "UpgradeDevice: %UpgradeDevice%"
+ Values:
+ -
+ Name: UpgradeDevice
+ Value: "/Event/UserData/InstallDeviceID/UpgradeDevice"
+ -
+ Property: PayloadData5
+ PropertyValue: "RebootOption: %RebootOption%"
+ Values:
+ -
+ Name: RebootOption
+ Value: "/Event/UserData/InstallDeviceID/RebootOption"
+ -
+ Property: PayloadData6
+ PropertyValue: "DeviceInstanceID: %DeviceInstanceID%"
+ Values:
+ -
+ Name: DeviceInstanceID
+ Value: "/Event/UserData/InstallDeviceID/DeviceInstanceID"
+ -
+ Property: ExecutableInfo
+ PropertyValue: "%DriverName%"
+ Values:
+ -
+ Name: DriverName
+ Value: "/Event/UserData/InstallDeviceID/DriverName"
+
+Lookups:
+ -
+ Name: InstallStatus
+ Default: Unknown code
+ Values:
+ 0x0: Installation Successful
+ 0x00000002: File Not Found
+ 0x80070002: File Not Found
+ 0x80070003: Path Not Found
+ 0x80070005: Access Denied
+ 0x800F0233: Invalid Target
+ 0x8028006E: Invalid Source Path
+ 0x000005B3: Requires Interactive Workstation
+ 0x000005B4: Timeout
+ 0xE0000234: Driver Non-native
+ 0xE0000246: Device Installer Not Ready
+
+# Documentation:
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc756336(v=ws.10)?redirectedfrom=MSDN
+#
+# Example Event Data:
+#
+#
+#
+# 20001
+# 0
+# 4
+# 7005
+# 0
+# 0x8000000500000000
+#
+# 80566
+#
+#
+# System
+# HOSTNAME.domain.com
+#
+#
+#
+#
+# intcdaud.inf_amd64_46799624fe0dfa08\intcdaud.inf
+# 6.16.0.3208
+# Intel(R) Corporation
+# HDAUDIO\FUNC_01&VEN_8086&DEV_2807&SUBSYS_80860101&REV_1000\4&2BFF37FD&1&0001
+# 4d13e96c-e325-11ce-bfc1-08002be10318
+# False
+# True
+# True
+# 0x0
+# Intel(R) Display Audio
+#
+#
+#
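Review bot: The example carries what look like a driver version and a driver vendor (`6.16.0.3208` and `Intel(R) Corporation`, immediately after the INF path) but neither is mapped; for a 20001 event the vendor string is the fastest way to spot a third-party or unexpected driver package being installed, so an additional entry using `/Event/UserData/InstallDeviceID/DriverProvider` (and `DriverVersion`) is worth adding once the element names are confirmed against the raw XML. The lookup keys mix cases (`0x800F0233`, `0x8028006E`, `0xE0000234`) while the sample renders the status as `0x0`; if the lookup match is case-sensitive, a status rendered in lower-case hex would silently fall through to `Unknown code`, so either normalise the keys to the casing the provider actually emits or add a note recording that it was checked. The cited documentation page is for Server 2008/2008 R2; a comment noting which modern build the sample came from would help readers judge how current the status-code table is.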
From 10cfee3c6f64ffde377f60d1be11f6e0a27afdc2 Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sat, 9 Jan 2021 14:51:54 -0500
Subject: [PATCH 07/11] Create System_Microsoft-Windows-UserPnp_20003.map
---
...System_Microsoft-Windows-UserPnp_20003.map | 100 ++++++++++++++++++
1 file changed, 100 insertions(+)
create mode 100644 evtx/Maps/System_Microsoft-Windows-UserPnp_20003.map
diff --git a/evtx/Maps/System_Microsoft-Windows-UserPnp_20003.map b/evtx/Maps/System_Microsoft-Windows-UserPnp_20003.map
new file mode 100644
index 00000000..d2678271
--- /dev/null
+++ b/evtx/Maps/System_Microsoft-Windows-UserPnp_20003.map
@@ -0,0 +1,100 @@
+Author: Andrew Rathbun
+Description: Service installation
+EventId: 20003
+Channel: System
+Provider: "Microsoft-Windows-UserPnp"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "ServiceName: %ServiceName%"
+ Values:
+ -
+ Name: ServiceName
+ Value: "/Event/UserData/AddServiceID/ServiceName"
+ -
+ Property: PayloadData2
+ PropertyValue: "AddServiceStatus: %AddServiceStatus%"
+ Values:
+ -
+ Name: AddServiceStatus
+ Value: "/Event/UserData/AddServiceID/AddServiceStatus"
+ -
+ Property: PayloadData4
+ PropertyValue: "UpdateService: %UpdateService%"
+ Values:
+ -
+ Name: UpdateService
+ Value: "/Event/UserData/AddServiceID/UpdateService"
+ -
+ Property: PayloadData5
+ PropertyValue: "PrimaryService: %PrimaryService%"
+ Values:
+ -
+ Name: PrimaryService
+ Value: "/Event/UserData/AddServiceID/PrimaryService"
+ -
+ Property: PayloadData6
+ PropertyValue: "DeviceInstanceID: %DeviceInstanceID%"
+ Values:
+ -
+ Name: DeviceInstanceID
+ Value: "/Event/UserData/AddServiceID/DeviceInstanceID"
+ -
+ Property: ExecutableInfo
+ PropertyValue: "%DriverFileName%"
+ Values:
+ -
+ Name: DriverFileName
+ Value: "/Event/UserData/AddServiceID/DriverFileName"
+
+Lookups:
+ -
+ Name: AddServiceStatus
+ Default: Unknown code
+ Values:
+ 0x0: Installation Successful
+ 0x00000002: File Not Found
+ 0x80070002: File Not Found
+ 0x80070003: Path Not Found
+ 0x80070005: Access Denied
+ 0x800F0233: Invalid Target
+ 0x8028006E: Invalid Source Path
+ 0x000005B3: Requires Interactive Workstation
+ 0x000005B4: Timeout
+ 0xE0000234: Driver Non-native
+ 0xE0000246: Device Installer Not Ready
+ 0xE0000217: Driver Non-native
+ 0xE0000219: Device Installer Not Ready
+
+# Documentation:
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd349407(v=ws.10)
+#
+# Example Event Data:
+#
+#
+#
+# 20003
+# 0
+# 4
+# 7005
+# 0
+# 0x8000000500000000
+#
+# 80566
+#
+#
+# System
+# HOSTNAME.domain.com
+#
+#
+#
+#
+# usbaudio
+# \SystemRoot\system32\drivers\usbaudio.sys
+# USB\VID_0B0E&PID_245E&MI_00\6&549A665&0&0000
+# True
+# True
+# 0
+#
+#
+#
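Review bot: The two lookup entries added at the end, `0xE0000217: Driver Non-native` and `0xE0000219: Device Installer Not Ready`, repeat the descriptions already given for `0xE0000234` and `0xE0000246`, which looks like a copy-and-edit slip; please confirm both codes against the cited dd349407 page, because a mislabelled status quietly misattributes why a driver service failed to install. The `Maps` list skips `PayloadData3` (entries go 1, 2, 4, 5, 6) — if that gap is deliberate to keep columns aligned with the 20001 map, a one-line comment saying so (`# PayloadData3 intentionally unused to align with 20001`) would stop the next editor from "fixing" it.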
From 2029267da12a1b7ea15600926a658dd8823e9e3f Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sat, 9 Jan 2021 15:56:01 -0500
Subject: [PATCH 08/11] Create
Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_430.map
---
...ation_Microsoft-Windows-Kernel-PnP_430.map | 39 +++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_430.map
diff --git a/evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_430.map b/evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_430.map
new file mode 100644
index 00000000..4b60fc81
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_430.map
@@ -0,0 +1,39 @@
+Author: Andrew Rathbun
+Description: Device requires further installation
+EventId: 430
+Channel: "Microsoft-Windows-Kernel-PnP/Configuration"
+Provider: "Microsoft-Windows-Kernel-PnP"
+Maps:
+-
+ Property: PayloadData6
+ PropertyValue: "DeviceInstanceId: %DeviceInstanceId%"
+ Values:
+ -
+ Name: DeviceInstanceId
+ Value: "/Event/EventData/Data[@Name=\"DeviceInstanceId\"]"
+
+# Documentation:
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+#
+# Example Event Data:
+#
+#
+#
+# 430
+# 0
+# 4
+# 0
+# 0
+# 0x4000000090000000
+#
+# 3314
+#
+#
+# Microsoft-Windows-Kernel-PnP/Configuration
+# HOSTNAME.domain.com
+#
+#
+#
+# SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_iDRAC&Prod_MAS001&Rev_0329#20120731&0#{53g76307-b6bf-11d0-94f2-00a0c13dfb8b}
+#
+#
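Review bot: The single `Maps` entry starts with `-` at column 0 whereas every other map in this series indents it as ` -`; aligning it avoids a parser-dependent surprise if a second entry is ever added at a different indent. The sample DeviceInstanceId ends in `{53g76307-…}`, and `g` is not a hex digit, so the value is either a typo or a scrubbed artefact — if the latter, a `# GUID redacted` note would stop readers from trying to match it against the real disk-interface class GUID. The field name here is `DeviceInstanceId` while the sibling 400/410 maps use `DeviceInstanceID`; the XPath `@Name` comparison is case-sensitive, so only one spelling can be right for this provider and the three maps should agree.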
From af50975bdd5eb0543703f6f11548bb85e0b1eef1 Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sat, 9 Jan 2021 15:56:05 -0500
Subject: [PATCH 09/11] Create
Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_410.map
---
...ation_Microsoft-Windows-Kernel-PnP_410.map | 75 +++++++++++++++++++
1 file changed, 75 insertions(+)
create mode 100644 evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_410.map
diff --git a/evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_410.map b/evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_410.map
new file mode 100644
index 00000000..4c223b1e
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_410.map
@@ -0,0 +1,75 @@
+Author: Andrew Rathbun
+Description: Device driver error
+EventId: 410
+Channel: "Microsoft-Windows-Kernel-PnP/Configuration"
+Provider: "Microsoft-Windows-Kernel-PnP"
+Maps:
+-
+ Property: PayloadData1
+ PropertyValue: "ServiceName: %ServiceName%"
+ Values:
+ -
+ Name: ServiceName
+ Value: "/Event/EventData/Data[@Name=\"ServiceName\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "Problem: %Problem%"
+ Values:
+ -
+ Name: Problem
+ Value: "/Event/EventData/Data[@Name=\"Problem\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "Status: %Status%"
+ Values:
+ -
+ Name: Status
+ Value: "/Event/EventData/Data[@Name=\"Status\"]"
+ -
+ Property: PayloadData6
+ PropertyValue: "DeviceInstanceID: %DeviceInstanceID%"
+ Values:
+ -
+ Name: DeviceInstanceID
+ Value: "/Event/EventData/Data[@Name=\"DeviceInstanceID\"]"
+ -
+ Property: ExecutableInfo
+ PropertyValue: "%DriverName%"
+ Values:
+ -
+ Name: DriverName
+ Value: "/Event/EventData/Data[@Name=\"DriverName\"]"
+
+# Documentation:
+# https://answers.microsoft.com/en-us/windows/forum/windows_8-hardware/event-410-kernel-pnp-logged-for-my-keyboard-the/36772d4b-8217-473e-8ffe-9e0b6b7f4cfa
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+#
+# Example Event Data:
+#
+#
+#
+# 410
+# 0
+# 4
+# 0
+# 0
+# 0x4000000090000000
+#
+# 3067
+#
+#
+# Microsoft-Windows-Kernel-PnP/Configuration
+# HOSTNAME.domain.com
+#
+#
+#
+# SWD\ScDeviceEnum\6_Windows_Hello_for_Business_1
+# c_swdevice.inf
+# 62f9c741-b25a-46ce-b54c-9bccce08b6f2
+#
+#
+#
+# 0x0
+# 0x0
+#
+#
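Review bot: The `Maps` sequence mixes indentation — the first `-` is at column 0 while the remaining entries are at column 1 — and YAML parsers generally reject a block sequence whose entries change indentation, so this map may fail to load; indent the first entry as ` -` like the others. The XPath uses `DeviceInstanceID`, but the 430 map for the same provider uses `DeviceInstanceId`; since `@Name` matching is case-sensitive, one of the two spellings will silently yield an empty `PayloadData6`, so check the raw XML and make them agree. The Description `Device driver error` is contradicted by the sample itself (Level `4`, `Problem` and `Status` both `0x0`), which records an ordinary device start; if the Microsoft text is, as I recall, "Device … was started", describing it as `Device started (service/driver recorded)` would better reflect its value for spotting unexpected drivers.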
From f3f0056fc67caf163f295419defd84d85f50eeae Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sat, 9 Jan 2021 15:56:07 -0500
Subject: [PATCH 10/11] Create
Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_400.map
---
...ation_Microsoft-Windows-Kernel-PnP_400.map | 96 +++++++++++++++++++
1 file changed, 96 insertions(+)
create mode 100644 evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_400.map
diff --git a/evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_400.map b/evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_400.map
new file mode 100644
index 00000000..d536cba3
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_400.map
@@ -0,0 +1,96 @@
+Author: Andrew Rathbun
+Description: Device driver error
+EventId: 400
+Channel: "Microsoft-Windows-Kernel-PnP/Configuration"
+Provider: "Microsoft-Windows-Kernel-PnP"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "MatchingDeviceId: %MatchingDeviceId%"
+ Values:
+ -
+ Name: MatchingDeviceId
+ Value: "/Event/EventData/Data[@Name=\"MatchingDeviceId\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "DriverSection: %DriverSection%"
+ Values:
+ -
+ Name: DriverSection
+ Value: "/Event/EventData/Data[@Name=\"DriverSection\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "DriverProvider: %DriverProvider%"
+ Values:
+ -
+ Name: DriverProvider
+ Value: "/Event/EventData/Data[@Name=\"DriverProvider\"]"
+ -
+ Property: PayloadData4
+ PropertyValue: "DeviceUpdated: %DeviceUpdated%"
+ Values:
+ -
+ Name: DeviceUpdated
+ Value: "/Event/EventData/Data[@Name=\"DeviceUpdated\"]"
+ -
+ Property: PayloadData5
+ PropertyValue: "ParentDeviceInstanceId: %ParentDeviceInstanceId%"
+ Values:
+ -
+ Name: ParentDeviceInstanceId
+ Value: "/Event/EventData/Data[@Name=\"ParentDeviceInstanceId\"]"
+ -
+ Property: PayloadData6
+ PropertyValue: "DeviceInstanceID: %DeviceInstanceID%"
+ Values:
+ -
+ Name: DeviceInstanceID
+ Value: "/Event/EventData/Data[@Name=\"DeviceInstanceID\"]"
+ -
+ Property: ExecutableInfo
+ PropertyValue: "%DriverName%"
+ Values:
+ -
+ Name: DriverName
+ Value: "/Event/EventData/Data[@Name=\"DriverName\"]"
+
+# Documentation:
+# https://docs.microsoft.com/en-us/windows-hardware/drivers/install/driver-rank-ranges--windows-vista-and-later-
+# https://www.eventid.net/displayqueue.asp?eventid=400
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+#
+# Example Event Data:
+#
+#
+#
+# 400
+# 0
+# 4
+# 0
+# 0
+# 0x4000000500000000
+#
+# 2811
+#
+#
+# Microsoft-Windows-Kernel-PnP/Configuration
+# HOSTNAME.domain.com
+#
+#
+#
+# SWD\PRINTENUM\{3CDEEBDB-6F0B-4ECB-94CD-3151F17A3B59}
+# printqueue.inf
+# 1ed2fff9-11f0-4084-b21f-ad83a8e6dcdc
+# 06/21/2006
+# 10.0.14393.0
+# Microsoft
+# True
+# NO_DRV_LOCAL
+# 0x1
+# PRINTENUM\LocalPrintQueue
+# oem0.inf:{013f01fa-e634-4d77-83ee-074817c03581}:00FF0002 c_swdevice.inf:SWD\GenericRaw:00FF3001
+# False
+# 0x0
+# SWD\PRINTENUM\PrintQueues
+#
+#
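Review bot: The Description `Device driver error` does not match the sample, which is an informational (Level `4`) event for a print queue being configured with `DeviceUpdated: True`; if the Microsoft message is "Device … was configured", as I recall, say so (`Device configured (driver package selected)`) so analysts do not skip it when hunting for newly installed drivers. The XPath spells the field `DeviceInstanceID` while the 430 map for this provider uses `DeviceInstanceId`; the attribute match is case-sensitive, so one of the maps is returning an empty `PayloadData6` — verify against the raw XML. The sample also appears to carry a driver date and version (`06/21/2006`, `10.0.14393.0`) next to the mapped `DriverProvider`; extracting those (presumably `DriverDate`/`DriverVersion`, to be confirmed) would make it easier to spot an `oem*.inf` third-party package shadowing an inbox driver.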
From 67a7c757061da34c1a21caf9575fa8ddf570d36c Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sat, 9 Jan 2021 15:58:18 -0500
Subject: [PATCH 11/11] Update
Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map
---
...osoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map | 1 -
1 file changed, 1 deletion(-)
diff --git a/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map b/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map
index 352ea6d3..6ce8cb5a 100644
--- a/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map
+++ b/evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map
@@ -38,7 +38,6 @@ Maps:
# Free space and volume name of the attached drive can be derived from this event.
# Events are created during the first connection since the startup.
# So if the user removes the drive and attaches it again no new logs are going to be made according to my investigation.
-
#
# Example Event Data:
#