Merge pull request #171 from AndrewRathbun/master

Update Sysmon events with User fields

Author: AndrewRathbun

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_1.map

@@ -4,7 +4,13 @@ EventId: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
-
+  -
+    Property: UserName
+    PropertyValue: "ParentUser: %ParentUser%"
+    Values:
+      -
+        Name: ParentUser
+        Value: "/Event/EventData/Data[@Name=\"ParentUser\"]"
   -
     Property: ExecutableInfo
     PropertyValue: "%CommandLine%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_10.map

@@ -4,6 +4,16 @@ EventId: 10
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "SourceUser: %SourceUser% | TargetUser: %TargetUser%"
+    Values:
+      -
+        Name: SourceUser
+        Value: "/Event/EventData/Data[@Name=\"SourceUser\"]"
+      -
+        Name: TargetUser
+        Value: "/Event/EventData/Data[@Name=\"TargetUser\"]"
   -
     Property: ExecutableInfo
     PropertyValue: "CallTrace: %CallTrace%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_11.map

@@ -4,6 +4,13 @@ EventId: 11
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: PayloadData1
     PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_12.map

@@ -4,6 +4,13 @@ EventId: 12
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: PayloadData1
     PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_13.map

@@ -4,6 +4,13 @@ EventId: 13
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: PayloadData1
     PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_14.map

@@ -4,6 +4,13 @@ EventId: 14
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: PayloadData1
     PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_15.map

@@ -4,6 +4,13 @@ EventId: 15
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: PayloadData1
     PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_17.map

@@ -4,6 +4,13 @@ EventId: 17
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: PayloadData1
     PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_18.map

@@ -4,6 +4,13 @@ EventId: 18
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: PayloadData1
     PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_2.map

@@ -4,7 +4,13 @@ EventId: 2
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
-
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: PayloadData1
     PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_22.map

@@ -4,6 +4,13 @@ EventId: 22
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: PayloadData1
     PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_24.map

@@ -4,6 +4,13 @@ EventId: 24
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: ExecutableInfo
     PropertyValue: "%Image%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_25.map

@@ -4,6 +4,13 @@ EventId: 25
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: ExecutableInfo
     PropertyValue: "%Image%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_5.map

@@ -4,6 +4,13 @@ EventId: 5
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: ExecutableInfo
     PropertyValue: "%FilePath%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_7.map

@@ -4,6 +4,13 @@ EventId: 7
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: ExecutableInfo
     PropertyValue: "%ImageLoaded%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_8.map

@@ -4,6 +4,16 @@ EventId: 8
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "SourceUser: %SourceUser% | TargetUser: %TargetUser%"
+    Values:
+      -
+        Name: SourceUser
+        Value: "/Event/EventData/Data[@Name=\"SourceUser\"]"
+      -
+        Name: TargetUser
+        Value: "/Event/EventData/Data[@Name=\"TargetUser\"]"
   -
     Property: PayloadData1
     PropertyValue: "StartAddress: %StartAddress%"

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_9.map

@@ -4,6 +4,13 @@ EventId: 9
 Channel: Microsoft-Windows-Sysmon/Operational
 Provider: Microsoft-Windows-Sysmon
 Maps:
+  -
+    Property: UserName
+    PropertyValue: "%User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/EventData/Data[@Name=\"User\"]"
   -
     Property: PayloadData1
     PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"

evtx/Maps/Windows-PowerShell_PowerShell_800.map

@@ -0,0 +1,68 @@
+Author: Andrew Rathbun
+Description: Pipeline Execution Details
+EventId: 800
+Channel: Windows PowerShell
+Provider: PowerShell
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%HostApplication%"
+    Values:
+      -
+        Name: HostApplication
+        Value: "/Event/EventData/Data"
+        Refine: "HostApplication=(.+)"
+  -
+    Property: PayloadData2
+    PropertyValue: "%HostName%"
+    Values:
+      -
+        Name: HostName
+        Value: "/Event/EventData/Data"
+        Refine: "HostName=(.+)"
+  -
+    Property: PayloadData3
+    PropertyValue: "%HostVersion%"
+    Values:
+      -
+        Name: HostVersion
+        Value: "/Event/EventData/Data"
+        Refine: "HostVersion=(.+)"
+
+# Documentation:
+# https://www.myeventlog.com/search/show/975
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#  <System>
+#    <Provider Name="PowerShell" />
+#    <EventID Qualifiers="0">600</EventID>
+#    <Level>4</Level>
+#    <Task>6</Task>
+#    <Keywords>0x80000000000000</Keywords>
+#    <TimeCreated SystemTime="2001-01-01T01:01:01.012345678Z" />
+#    <EventRecordID>18</EventRecordID>
+#    <Channel>Windows PowerShell</Channel>
+#    <Computer>name.domain.tld</Computer>
+#    <Security />
+#  </System>
+#  <EventData>
+#    <Data>Registry, Started, 	ProviderName=Registry
+# NewProviderState=Started
+#
+# SequenceNumber=1
+#
+# HostName=ConsoleHost
+# HostVersion=5.1.18362.145
+# HostId=b3dfcb89-d2f8-4b8b-a784-a6a9bcf61bd8
+# HostApplication=powershell  -command Set-ItemProperty -Path HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover -Name 'ExcludeExplicitO365Endpoint' -Value 1 -Type DWORD -Force
+# EngineVersion=
+# RunspaceId=
+# PipelineId=
+# CommandName=
+# CommandType=
+# ScriptName=
+# CommandPath=
+# CommandLine=</Data>
+# </EventData>
+# </Event>