
EvtxECmd: same Channel name, but spelled differently depending on the OS #188

Closed
forensenellanebbia opened this issue Jul 11, 2022 · 7 comments

Comments

@forensenellanebbia

forensenellanebbia commented Jul 11, 2022

I've come across a Channel whose name changes slightly depending on the operating system: it's Microsoft-Windows-VHDMP/Operational on Win8/WS2012, but becomes Microsoft-Windows-VHDMP-Operational on Win10/Win11/WS2019. The difference of a single character is enough to break the two existing maps:

  • Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_1.map
  • Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_2.map

Is there a way to make a map work in both cases? I guess there may be other situations like this one.

I'm using EvtxECmd (v1.0.0.0). I've attached two EVTX files.

Here are some comparisons:

  • OS: Windows 8 / Windows Server 2012

<Channel>Microsoft-Windows-VHDMP/Operational</Channel>
Evtx file: Microsoft-Windows-VHDMP%4Operational.evtx
Sample: WS2012_Microsoft-Windows-VHDMP%4Operational.zip

Event ID 1: A VHD has come online (surfaced)

```xml
<Event>
  <System>
    <Provider Name="Microsoft-Windows-VHDMP" Guid="e2816346-87f4-4f85-95c3-0c79409aa89d" />
    <EventID>1</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2022-07-11 14:02:51.0410456" />
    <EventRecordID>1</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="3868" />
    <Channel>Microsoft-Windows-VHDMP/Operational</Channel>
    <Computer>WIN-QSQO10V59K4</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="VhdFileName">C:\Users\Administrator\Desktop\TEST.vhdx</Data>
    <Data Name="VhdDiskNumber">1</Data>
  </EventData>
</Event>
```

  • OS: Windows 10 / Windows 11 / Windows Server 2019

<Channel>Microsoft-Windows-VHDMP-Operational</Channel>
Evtx file: Microsoft-Windows-VHDMP-Operational.evtx
Sample: WS2019_Microsoft-Windows-VHDMP-Operational.zip

Event ID 1: A VHD has come online (surfaced)

```xml
<Event>
  <System>
    <Provider Name="Microsoft-Windows-VHDMP" Guid="e2816346-87f4-4f85-95c3-0c79409aa89d" />
    <EventID>1</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2022-06-18 18:08:56.2583009" />
    <EventRecordID>3</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="6140" />
    <Channel>Microsoft-Windows-VHDMP-Operational</Channel>
    <Computer>WIN-M2J77GC10N1</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="VhdFileName">C:\Users\Administrator\Documents\DiscoVHDX.vhdx</Data>
    <Data Name="VhdDiskNumber">1</Data>
  </EventData>
</Event>
```
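To make the matching problem concrete, here is an added Python example (not EvtxECmd's own code, and not from this issue's author) that parses the two records above, looks them up in a hypothetical map index keyed on the exact Channel string, and then repeats the lookup after normalising the `/` vs `-` separator so one map serves both spellings. It also scans a list of observed channel names for other pairs that differ only in that separator, which is how you would find the "other situations like this one" the report anticipates. The map-index layout (channel, provider, event id) and the `normalise_channel` rule are assumptions made for this example; the map file names are the two listed in the issue.

```python
"""
Added example (not EvtxECmd's own code): why a map index keyed on the exact
<Channel> string misses the Win8/WS2012 spelling, and how normalising the
separator lets one map serve both spellings. The index layout is assumed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# The two records from the issue, trimmed to the fields the lookup reads.
# Raw strings keep the Windows paths intact.
WS2012_EVENT = r"""<Event>
  <System>
    <Provider Name="Microsoft-Windows-VHDMP" Guid="e2816346-87f4-4f85-95c3-0c79409aa89d" />
    <EventID>1</EventID>
    <Channel>Microsoft-Windows-VHDMP/Operational</Channel>
    <Computer>WIN-QSQO10V59K4</Computer>
  </System>
  <EventData>
    <Data Name="VhdFileName">C:\Users\Administrator\Desktop\TEST.vhdx</Data>
    <Data Name="VhdDiskNumber">1</Data>
  </EventData>
</Event>"""

WS2019_EVENT = r"""<Event>
  <System>
    <Provider Name="Microsoft-Windows-VHDMP" Guid="e2816346-87f4-4f85-95c3-0c79409aa89d" />
    <EventID>1</EventID>
    <Channel>Microsoft-Windows-VHDMP-Operational</Channel>
    <Computer>WIN-M2J77GC10N1</Computer>
  </System>
  <EventData>
    <Data Name="VhdFileName">C:\Users\Administrator\Documents\DiscoVHDX.vhdx</Data>
    <Data Name="VhdDiskNumber">1</Data>
  </EventData>
</Event>"""

# Hypothetical map index: (channel, provider, event id) -> map file name.
# The two file names are the maps listed in the issue; the keying is assumed.
MAP_INDEX = {
    ("Microsoft-Windows-VHDMP-Operational", "Microsoft-Windows-VHDMP", 1):
        "Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_1.map",
    ("Microsoft-Windows-VHDMP-Operational", "Microsoft-Windows-VHDMP", 2):
        "Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_2.map",
}


def parse_event(xml_text):
    """Pull channel, provider name, event id and EventData out of one <Event>."""
    root = ET.fromstring(xml_text)
    system = root.find("System")
    return {
        "channel": system.findtext("Channel"),
        "provider": system.find("Provider").get("Name"),
        "event_id": int(system.findtext("EventID")),
        "data": {d.get("Name"): d.text for d in root.iter("Data")},
    }


def normalise_channel(channel):
    """Treat 'Foo/Operational' and 'Foo-Operational' as the same channel."""
    return channel.replace("/", "-")


def find_map_exact(event):
    """Strict string match, as a map index keyed on the raw Channel would do.
    Finds the Win10+ record and misses the Win8/WS2012 one."""
    return MAP_INDEX.get((event["channel"], event["provider"], event["event_id"]))


def find_map_normalised(event):
    """Match after normalising both the event's and the index's channel name."""
    wanted = (normalise_channel(event["channel"]), event["provider"], event["event_id"])
    for (channel, provider, event_id), map_name in MAP_INDEX.items():
        if (normalise_channel(channel), provider, event_id) == wanted:
            return map_name
    return None


def separator_collisions(channels):
    """Group observed channel names that differ only in the '/' vs '-' separator,
    to spot other channels affected the same way across OS versions."""
    groups = defaultdict(set)
    for name in channels:
        groups[normalise_channel(name)].add(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for label, xml_text in (("WS2012", WS2012_EVENT), ("WS2019", WS2019_EVENT)):
        ev = parse_event(xml_text)
        print(label, ev["channel"], "| exact:", find_map_exact(ev),
              "| normalised:", find_map_normalised(ev), "|", ev["data"]["VhdFileName"])
```

Run it as a script to see the exact lookup return `None` for the WS2012 record while the normalised lookup resolves both records to the `_1.map` file; feed `separator_collisions` the distinct Channel values pulled from a set of EVTX exports to list every channel that has both spellings.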
@AndrewRathbun

Have we tried to add a * to see if wildcards are implemented for the Channel field? Maybe that could account for the / and the - characters. I'm guessing that won't work, but it's the only way to find out.

If that doesn't work, one option that involves no work on Eric's part would be to just make another with the updated Channel field, but then we'd have to figure out how to differentiate the filename. That wouldn't be hard, it would just break general Map naming convention, but it'd be (at this point) a one-off instance.

@forensenellanebbia
Author

Just tried, but the wildcard for the Channel field doesn't work.

To differentiate the two versions of these maps, we could add _W10 or _WS2012 at the end in the filename, or more simply _dash and _slash. These are the first ideas that come to my mind.

@AndrewRathbun

AndrewRathbun commented Jul 12, 2022

I like the W10/WS2012 approach, but I think a slightly more generalized version might be better: Consumer or Server. Thoughts on that? I am guessing it's the same in W11 as well so that's why Consumer might be a more universally appropriate solution. Same logic goes with Server.

@forensenellanebbia
Author

I've updated my first message based on some additional tests I made on a couple of VMs running Win8 and Win11.

In the beginning I liked the idea of Consumer and Server, but I thought it'd be hard to clearly differentiate them as WS2012 is based on Win8 and WS2019 on Win10.

What about _W8 and _W10 (where needed)? It's short and wouldn't add too many additional characters to maps with very long names.

@AndrewRathbun

Another idea is Legacy and Current? Then just add notes in the documentation about your findings. Thoughts?

@forensenellanebbia
Author

I like it!

@AndrewRathbun

Good deal. @forensenellanebbia did you want to do a PR on the evtx repo with this agreed upon resolution? If so, we can close this issue IMO.
