
Commit 73e6ab3

Merge pull request #79 from hyuunnn/master
add maps
2 parents 8e85dcf + 7b8bbfb commit 73e6ab3

13 files changed

+532
-6
lines changed

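--- a/evtx/Maps/Application_MsiInstaller_10002.map
+++ b/evtx/Maps/Application_Microsoft-Windows-RestartManager_10002.map
@@ -1,25 +1,25 @@
 Author: Hyun Yi @hyuunnn
-Description: Terminated due to non-response
+Description: Shutting down application or service
 EventId: 10002
 Channel: "Application"
 Provider: "Microsoft-Windows-RestartManager"
 Maps:
 -
-Property: PayloadData1
-PropertyValue: "FullPath: %FullPath%"
+Property: ExecutableInfo
+PropertyValue: "%FullPath%"
 Values:
 -
 Name: FullPath
 Value: "/Event/UserData/RmApplicationEvent/FullPath"
 -
-Property: PayloadData2
+Property: PayloadData1
 PropertyValue: "DisplayName: %DisplayName%"
 Values:
 -
 Name: DisplayName
 Value: "/Event/UserData/RmApplicationEvent/DisplayName"
 -
-Property: PayloadData3
+Property: PayloadData2
 PropertyValue: "Files: %Files%"
 Values:
 -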
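--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,41 @@
+Author: Hyun Yi @hyuunnn
+Description: Terminated due to non-response
+EventId: 10002
+Channel: "Application"
+Provider: "Microsoft-Windows-Winsrv"
+Maps:
+-
+Property: ExecutableInfo
+PropertyValue: "%AppName%"
+Values:
+-
+Name: AppName
+Value: "/Event/UserData/HungAppEvent/AppName"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+# <Provider Name="Microsoft-Windows-Winsrv" Guid="{GUID}" />
+# <EventID>10002</EventID>
+# <Version>0</Version>
+# <Level>4</Level>
+# <Task>0</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8000000000000000</Keywords>
+# <TimeCreated SystemTime="2020-12-28T16:45:14.6424242Z" />
+# <EventRecordID>31565</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="11364" ThreadID="23376" />
+# <Channel>Application</Channel>
+# <Computer>ComputerName</Computer>
+# <Security UserID="{UserID}" />
+# </System>
+# <UserData>
+# <HungAppEvent xmlns="http://manifests.microsoft.com/win/2004/08/windows/winsrv">
+# <AppName>PotPlayer.exe</AppName>
+# </HungAppEvent>
+# </UserData>
+# </Event>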
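--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,41 @@
+Author: Hyun Yi @hyuunnn
+Description: Restore point created successfully
+EventId: 8194
+Channel: "Application"
+Provider: "System Restore"
+Maps:
+-
+Property: PayloadData1
+PropertyValue: "Data: %Data%"
+Values:
+-
+Name: Data
+Value: "/Event/EventData/Data"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+# <Provider Name="System Restore" />
+# <EventID Qualifiers="0">8194</EventID>
+# <Version>0</Version>
+# <Level>4</Level>
+# <Task>0</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x80000000000000</Keywords>
+# <TimeCreated SystemTime="2020-10-12T07:13:41.6976173Z" />
+# <EventRecordID>2347</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="0" ThreadID="0" />
+# <Channel>Application</Channel>
+# <Computer>ComputerName</Computer>
+# <Security />
+# </System>
+# <EventData>
+# <Data>C:\WINDOWS\system32\msiexec.exe /V</Data>
+# <Data>Installed AccessData FTK Imager.</Data>
+# <Binary>{Binary}</Binary>
+# </EventData>
+# </Event>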
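Review bot: The single unpredicated path on the `Value: "/Event/EventData/Data"` line selects one `<Data>` element, yet the example event in this same file carries two: the command line of the process that created the restore point and the restore-point description (`Installed AccessData FTK Imager.`), which is the field an examiner actually wants on the timeline. Whichever of the two the map engine returns, the other is silently dropped, and the `Data:` label in `PropertyValue` gives no hint which one survived. If the engine honours XPath positional predicates, splitting the map into two named values keeps both, as below. The 8195 and 8196 maps that follow use the same path; their examples show the second `<Data>` empty, so the loss there is limited to the creating process, but the same split would keep them consistent with this file.
```yaml
    Property: PayloadData1
    PropertyValue: "Process: %Process%, Description: %Description%"
    Values:
      -
        Name: Process
        Value: "/Event/EventData/Data[1]"
      -
        Name: Description
        Value: "/Event/EventData/Data[2]"
# … unchanged: documentation and example event …
```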
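--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,41 @@
+Author: Hyun Yi @hyuunnn
+Description: System Restore has been disabled
+EventId: 8195
+Channel: "Application"
+Provider: "System Restore"
+Maps:
+-
+Property: PayloadData1
+PropertyValue: "Data: %Data%"
+Values:
+-
+Name: Data
+Value: "/Event/EventData/Data"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+# <Provider Name="System Restore" />
+# <EventID Qualifiers="0">8195</EventID>
+# <Version>0</Version>
+# <Level>4</Level>
+# <Task>0</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x80000000000000</Keywords>
+# <TimeCreated SystemTime="2020-10-06T16:54:14.3633432Z" />
+# <EventRecordID>390</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="0" ThreadID="0" />
+# <Channel>Application</Channel>
+# <Computer>ComputerName</Computer>
+# <Security />
+# </System>
+# <EventData>
+# <Data>C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.504_none_e781e76525fb2269\TiWorker.exe -Embedding</Data>
+# <Data />
+# <Binary>{Binary}</Binary>
+# </EventData>
+# </Event>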
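--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,41 @@
+Author: Hyun Yi @hyuunnn
+Description: System Restore has been enabled
+EventId: 8196
+Channel: "Application"
+Provider: "System Restore"
+Maps:
+-
+Property: PayloadData1
+PropertyValue: "Data: %Data%"
+Values:
+-
+Name: Data
+Value: "/Event/EventData/Data"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+# <Provider Name="System Restore" />
+# <EventID Qualifiers="0">8196</EventID>
+# <Version>0</Version>
+# <Level>4</Level>
+# <Task>0</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x80000000000000</Keywords>
+# <TimeCreated SystemTime="2020-10-06T16:54:14.5351795Z" />
+# <EventRecordID>391</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="0" ThreadID="0" />
+# <Channel>Application</Channel>
+# <Computer>ComputerName</Computer>
+# <Security />
+# </System>
+# <EventData>
+# <Data>C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.504_none_e781e76525fb2269\TiWorker.exe -Embedding</Data>
+# <Data />
+# <Binary>{Binary}</Binary>
+# </EventData>
+# </Event>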
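--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,39 @@
+Author: Hyun Yi @hyuunnn
+Description: TZUtil (changed timezone)
+EventId: 20001
+Channel: "Microsoft-Windows-TZUtil/Operational"
+Provider: "Microsoft-Windows-TZUtil"
+Maps:
+-
+Property: PayloadData1
+PropertyValue: "Time Zone: %Time Zone%"
+Values:
+-
+Name: Time Zone
+Value: "/Event/EventData/Data[@Name=\"Time Zone\"]"
+
+# Documentation:
+# https://www.action1.com/kb/changing-the-time-zone-in-CMD-Windows-10.html
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+# <Provider Name="Microsoft-Windows-TZUtil" Guid="{GUID}" />
+# <EventID>20001</EventID>
+# <Version>0</Version>
+# <Level>4</Level>
+# <Task>31</Task>
+# <Opcode>33</Opcode>
+# <Keywords>0x8000000000000000</Keywords>
+# <TimeCreated SystemTime="2020-12-29T10:21:46.0662054Z" />
+# <EventRecordID>2</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="25988" ThreadID="9512" />
+# <Channel>Microsoft-Windows-TZUtil/Operational</Channel>
+# <Computer>ComputerName</Computer>
+# <Security UserID="{UserID}" />
+# </System>
+# <EventData>
+# <Data Name="Time Zone">Korea Standard Time</Data>
+# </EventData>
+# </Event>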
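--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,44 @@
+Author: Phill Moore, Hyun Yi @hyuunnn
+Description: A VHD has been created
+EventId: 1
+Channel: "Microsoft-Windows-VHDMP/Operational"
+Provider: Microsoft-Windows-VHDMP
+Maps:
+-
+Property: PayloadData1
+PropertyValue: "The VHD %VhdName% has been created (surfaced) as disk number %VhdNumber%"
+Values:
+-
+Name: VhdName
+Value: "/Event/EventData/Data[@Name=\"VhdFileName\"]"
+-
+Name: VhdNumber
+Value: "/Event/EventData/Data[@Name=\"VhdDiskNumber\"]"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+# <Provider Name="Microsoft-Windows-VHDMP" Guid="{GUID}" />
+# <EventID>1</EventID>
+# <Version>0</Version>
+# <Level>4</Level>
+# <Task>1205</Task>
+# <Opcode>2</Opcode>
+# <Keywords>0x8000000000000001</Keywords>
+# <TimeCreated SystemTime="2020-12-29T02:31:57.0588526Z" />
+# <EventRecordID>3316</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="4" ThreadID="14296" />
+# <Channel>Microsoft-Windows-VHDMP-Operational</Channel>
+# <Computer>ComputerName</Computer>
+# <Security UserID="{UserID}" />
+# </System>
+# <EventData>
+# <Data Name="VhdFileName">C:\Users\hyuunnn\Desktop\test.vhd</Data>
+# <Data Name="VhdDiskNumber">3</Data>
+# <Data Name="VirtualDisk">0xffffdf0130cd8280</Data>
+# </EventData>
+# </Event>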
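Review bot: The `Channel:` line of this map gives `Microsoft-Windows-VHDMP/Operational`, but the example event recorded at the bottom of the same file shows `<Channel>Microsoft-Windows-VHDMP-Operational</Channel>`, a hyphen rather than a slash. If maps are matched on the channel string, which the `Channel`/`Provider`/`EventId` header suggests, this map would never be applied to the very events it was captured from; the example is the authoritative source here, so the header should read `Channel: "Microsoft-Windows-VHDMP-Operational"`. Two smaller points in the same header: quoting is inconsistent across the new maps (this file and the firewall 2003 map leave `Provider:` unquoted while the others quote it), and the `VirtualDisk` data element present in the example is not mapped, which is a reasonable choice but worth a one-line comment such as `# VirtualDisk (kernel object address) intentionally not mapped` so the omission reads as deliberate.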
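--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,53 @@
+Author: Hyun Yi @hyuunnn
+Description: The firewall has enabled/disabled.
+EventId: 2003
+Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
+Provider: Microsoft-Windows-Windows Firewall With Advanced Security
+Maps:
+-
+Property: PayloadData1
+PropertyValue: "SettingValue: %SettingValue%"
+Values:
+-
+Name: SettingValue
+Value: "/Event/EventData/Data[@Name=\"SettingValue\"]"
+Lookups:
+-
+Name: SettingValue
+Default: Unknown code
+Values:
+01-00-00-00: Enable
+00-00-00-00: Disable
+
+# Documentation:
+# https://kb.eventtracker.com/evtpass/evtPages/EventId_2003_Microsoft-Windows-WindowsFirewallwithAdvancedS_65672.asp
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+# <Provider Name="Microsoft-Windows-Windows Firewall With Advanced Security" Guid="{GUID}" />
+# <EventID>2003</EventID>
+# <Version>0</Version>
+# <Level>4</Level>
+# <Task>0</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8000000000000000</Keywords>
+# <TimeCreated SystemTime="2020-12-29T08:02:40.1537755Z" />
+# <EventRecordID>3921</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="2952" ThreadID="5308" />
+# <Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
+# <Computer>ComputerName</Computer>
+# <Security UserID="{UserID}" />
+# </System>
+# <EventData>
+# <Data Name="Profiles">2</Data>
+# <Data Name="SettingType">1</Data>
+# <Data Name="SettingValueSize">4</Data>
+# <Data Name="SettingValue">01000000</Data>
+# <Data Name="SettingValueString">Yes</Data>
+# <Data Name="Origin">1</Data>
+# <Data Name="ModifyingUser">S-1-5-21-513373498-3903154681-3342767705-1001</Data>
+# <Data Name="ModifyingApplication">C:\Windows\explorer.exe</Data>
+# </EventData>
+# </Event>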
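Review bot: The `SettingValue` lookup keys are written in dashed byte form (`01-00-00-00`, `00-00-00-00`), but the example event in this file shows the same field as `01000000`; unless the parser is known to render binary data with dashes, every event falls through to `Default: Unknown code` and the map adds nothing over the raw XML. The event already carries `SettingValueString` (`Yes` in the example), so mapping that field sidesteps the encoding question. More important for triage, `ModifyingUser` and `ModifyingApplication` — which account changed the firewall state and through which binary — are present in the example but not mapped, and they are exactly what an analyst needs when a profile is switched off, so they belong in `PayloadData2`/`PayloadData3` as below. The `Description:` line also reads oddly; `The firewall has been enabled or disabled` says the same thing.
```yaml
    Property: PayloadData1
    PropertyValue: "Enabled: %SettingValueString%"
    Values:
      -
        Name: SettingValueString
        Value: "/Event/EventData/Data[@Name=\"SettingValueString\"]"
  -
    Property: PayloadData2
    PropertyValue: "ModifyingUser: %ModifyingUser%"
    Values:
      -
        Name: ModifyingUser
        Value: "/Event/EventData/Data[@Name=\"ModifyingUser\"]"
  -
    Property: PayloadData3
    PropertyValue: "ModifyingApplication: %ModifyingApplication%"
    Values:
      -
        Name: ModifyingApplication
        Value: "/Event/EventData/Data[@Name=\"ModifyingApplication\"]"
# … unchanged: documentation and example event …
```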

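--- a/evtx/Maps/Microsoft-Windows-Windows-Firewall-With-Advanced-Security-Firewall_Microsoft-Windows-Windows-Firewall-With-Advanced-Security_2004.map
+++ b/evtx/Maps/Microsoft-Windows-Windows-Firewall-With-Advanced-Security-Firewall_Microsoft-Windows-Windows-Firewall-With-Advanced-Security_2004.map
@@ -1,4 +1,4 @@
-Author: peter.snyder@kroll.com
+Author: peter.snyder@kroll.com, Hyun Yi @hyuunnn
 Description: FW rule added to exception list
 EventId: 2004
 Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
@@ -38,6 +38,34 @@ Maps:
 -
 Name: Direction
 Value: "/Event/EventData/Data[@Name=\"Direction\"]"
+-
+Property: PayloadData4
+PropertyValue: "Action: %Action%"
+Values:
+-
+Name: Action
+Value: "/Event/EventData/Data[@Name=\"Action\"]"
+-
+Property: PayloadData5
+PropertyValue: "Protocol: %Protocol%"
+Values:
+-
+Name: Protocol
+Value: "/Event/EventData/Data[@Name=\"Protocol\"]"
+Lookups:
+-
+Name: Action
+Default: Unknown code
+Values:
+2: Block
+3: Allow
+-
+Name: Protocol
+Default: Unknown code
+Values:
+6: TCP
+17: UDP
+256: All
 
 # Documentation:
 # https://kb.eventtracker.com/evtpass/evtPages/EventId_2004_Microsoft-Windows-WindowsFirewallwithAdvancedS_65673.asp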
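Review bot: The new `Protocol` lookup at the end of the second hunk covers only `6: TCP`, `17: UDP` and `256: All`; rules for ICMP are common in firewall configurations, and their IANA protocol numbers (1 for ICMPv4, 58 for ICMPv6) would render as `Unknown code`, so adding `1: ICMPv4` and `58: ICMPv6` under that lookup's `Values:` closes the obvious gap. The `Action` lookup (`2: Block`, `3: Allow`) and the protocol table carry no comment on where the codes come from; the KB link kept in the file's comment block documents the event, not these enumerations, so a one-line comment such as `# Lookups: Action 2=Block 3=Allow; Protocol is the IANA protocol number, 256 = all protocols` would help the next maintainer verify them. The `Maps:` list this hunk extends starts outside the hunk, so the numbering of PayloadData4/5 against the earlier entries could not be checked here.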
