# EvtxECmd (EZ Tools) map for Event ID 1116 from the "Microsoft Antimalware"
# provider in the System channel: the antimalware platform detected malware or
# potentially unwanted software (the sample below is category
# "Potentially Unwanted Software", threat "App:TeamRedMiner").
# NOTE(review): this is the legacy Microsoft Antimalware (MSE/SCEP-era)
# provider writing to System; Windows Defender's own 1116 lives in the
# Microsoft-Windows-Windows Defender/Operational channel — confirm which one
# your hosts emit before relying on this map.
Author: Peter Snyder
Description: Microsoft Antimalware Detection
EventId: 1116
Channel: "System"
Provider: "Microsoft Antimalware"
Maps:
  -
    # ExecutableInfo: the whole 1116 payload is a single comma-separated
    # <Data> element, so Refine is used to pull one path-like token out of it.
    Property: ExecutableInfo
    PropertyValue: "%ExecutableInfo%"
    Values:
      -
        Name: ExecutableInfo
        Value: "/Event/EventData/Data"
        # Matches a run of path characters (letters, digits, _ . \ - ( ) :, no
        # spaces) followed by exe/dll. On the sample event this is
        # "file:_C:\windows\temp\zeb72406ed\service.exe" — the "file:_"
        # resource prefix is kept because ':' and '_' are inside the class
        # (assuming the tool keeps the first match; confirm for your version).
        # NOTE(review): the '.' in "(.exe|.dll)" is unescaped, so it matches
        # any single character, not only a literal dot; "(\.exe|\.dll)" would
        # be stricter. The pattern is also case-sensitive unless the tool
        # applies IgnoreCase — could not confirm that from here.
        Refine: ([a-zA-Z0-9_\\.\-\(\):])+(.exe|.dll)
  -
    # PayloadData1: only populated for behaviour-based detections, i.e. when
    # the payload contains a token starting with "Behavior:" (the match keeps
    # the leading whitespace). For every other threat-name prefix (App:,
    # Trojan:, PUA:, ...) this column stays empty — the sample event below,
    # with "App:TeamRedMiner", is one such case.
    Property: PayloadData1
    PropertyValue: "%PayloadData1%"
    Values:
      -
        Name: PayloadData1
        Value: "/Event/EventData/Data"
        Refine: \s\bBehavior\:+\S+\b
# Sample 1116 event this map was written against. Note what the map does NOT
# surface and an analyst should still read from the raw Data column: the
# threat name/severity/category, the action taken, the user context
# (NT AUTHORITY\SYSTEM here) and the full resource list — in this sample a
# scheduled task under Tasks\Microsoft\Windows\UNP, its TaskCache registry
# keys and a dropped service.exe in C:\windows\temp, i.e. persistence
# artifacts worth collecting, not just the executable path.
#<Event>
# <System>
# <Provider Name="Microsoft Antimalware" />
# <EventID Qualifiers="0">1116</EventID>
# <Level>3</Level>
# <Task>0</Task>
# <Keywords>0x80000000000000</Keywords>
# <TimeCreated SystemTime="2020-10-14 02:26:50.0000000" />
# <EventRecordID>3271022</EventRecordID>
# <Channel>System</Channel>
# <Computer>HOSTNAME.domain.org</Computer>
# <Security />
# </System>
# <EventData>
# <Data>%%860, 4.10.209.0, {E9FF2015-5869-4EF4-BB52-283378C70991}, 2020-10-14T02:26:50.827Z, 268617, App:TeamRedMiner, 2, Medium, 27, Potentially Unwanted Software, http://go.microsoft.com/fwlink/?linkid=37020&amp;name=App:TeamRedMiner&amp;threatid=268617&amp;enterprise=1, 1, 1, 2, %%820, Unknown, NT AUTHORITY\SYSTEM, file:_C:\Windows\System32\Tasks\Microsoft\Windows\UNP\UNP-&gt;(UTF-16LE);file:_C:\windows\temp\zeb72406ed\service.exe;regkey:_HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{758C36A0-04C6-4A6E-A1C3-E26055748E73};regkey:_HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\UNP;taskscheduler:_C:\Windows\System32\Tasks\Microsoft\Windows\UNP\UNP, 1, %%845, 0, %%812, 0, %%822, 0, 9, %%887, 0x00000000, The operation completed successfully. , 0, 0, No additional actions required, AV: 1.325.422.0, AS: 1.325.422.0, NIS: 119.0.0.0, AM: 1.1.17500.4, NIS: 2.1.14600.4</Data>
# <Binary></Binary>
# </EventData>
# </Event>