Merge pull request #178 from AndrewRathbun/master

AndrewRathbun · web-flow · commit 3ee23226e254 · 2021-11-25T23:49:41.000-05:00
Added Application_MsiInstaller_1040 and 1042
diff --git a/evtx/Maps/Application_MsiInstaller_1040.map b/evtx/Maps/Application_MsiInstaller_1040.map
@@ -0,0 +1,40 @@
+Author: Andrew Rathbun
+Description: Installer Started
+EventId: 1040
+Channel: Application
+Provider: "MsiInstaller"
+Maps:
+  -
+    Property: ExecutableInfo
+    PropertyValue: "%ExecutableInfo%"
+    Values:
+      -
+        Name: ExecutableInfo
+        Value: "/Event/EventData/Data"
+        Refine: ^[\w,\s-]+\.[A-Za-z]{3}$
+
+# Documentation
+# https://docs.logrhythm.com/docs/devices/ms-windows-event-log-sources/ms-windows-event-logging-xml-application/evid-1040-1042-msiinstaller
+#
+# <Event>
+#   <System>
+#     <Provider Name="MsiInstaller" />
+#     <EventID Qualifiers="0">1040</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2021-11-08 18:50:46.8840358" />
+#     <EventRecordID>44245</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="17924" ThreadID="0" />
+#     <Channel>Application</Channel>
+#     <Computer>hostname</Computer>
+#     <Security UserID="S-1-5-18" />
+#   </System>
+#   <EventData>
+#     <Data>C:\Program Files (x86)\Dropbox\Update\1.3.547.1\DropboxUpdateHelper.msi, 1872, (NULL), (NULL), (NULL), (NULL)</Data>
+#     <Binary></Binary>
+#   </EventData>
+# </Event>
diff --git a/evtx/Maps/Application_MsiInstaller_1042.map b/evtx/Maps/Application_MsiInstaller_1042.map
@@ -0,0 +1,40 @@
+Author: Andrew Rathbun
+Description: Installer Exited
+EventId: 1042
+Channel: Application
+Provider: "MsiInstaller"
+Maps:
+  -
+    Property: ExecutableInfo
+    PropertyValue: "%ExecutableInfo%"
+    Values:
+      -
+        Name: ExecutableInfo
+        Value: "/Event/EventData/Data"
+        Refine: ^[\w,\s-]+\.[A-Za-z]{3}$
+
+# Documentation
+# https://docs.logrhythm.com/docs/devices/ms-windows-event-log-sources/ms-windows-event-logging-xml-application/evid-1040-1042-msiinstaller
+#
+# <Event>
+#   <System>
+#     <Provider Name="MsiInstaller" />
+#     <EventID Qualifiers="0">1042</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2021-10-19 20:08:07.0705421" />
+#     <EventRecordID>40856</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="38288" ThreadID="0" />
+#     <Channel>Application</Channel>
+#     <Computer>hostname</Computer>
+#     <Security UserID="S-1-5-18" />
+#   </System>
+#   <EventData>
+#     <Data>c:\program files\microsoft office\root\integration\c2rint.16.msi, 20616, (NULL), (NULL), (NULL), (NULL)</Data>
+#     <Binary></Binary>
+#   </EventData>
+# </Event>
