Merge pull request #200 from forensenellanebbia/master

AndrewRathbun · web-flow · commit 7b82a723dc4c · 2022-07-13T20:50:44.000-04:00
Deletion of old VHDMP maps and upload of new legacy/current maps
diff --git a/evtx/Maps/Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_1_Current.map b/evtx/Maps/Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_1_Current.map
@@ -1,7 +1,7 @@
-Author: Phill Moore, Hyun Yi @hyuunnn
+Author: Gabriele Zambelli @gazambelli
 Description: A VHD has been created
 EventId: 1
-Channel: "Microsoft-Windows-VHDMP/Operational"
+Channel: Microsoft-Windows-VHDMP-Operational
 Provider: Microsoft-Windows-VHDMP
 Maps:
   -
@@ -14,31 +14,39 @@ Maps:
       -
         Name: VhdNumber
         Value: "/Event/EventData/Data[@Name=\"VhdDiskNumber\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "VhdName: %VhdName%"
+    Values:
+      -
+        Name: VhdName
+        Value: "/Event/EventData/Data[@Name=\"VhdFileName\"]"
 
 # Documentation:
 # https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
+# This map applies to Windows 10 / Windows 11 / Windows Server 2019
 #
 # Example Event Data:
-# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <Event>
 #   <System>
-#     <Provider Name="Microsoft-Windows-VHDMP" Guid="{GUID}" />
+#     <Provider Name="Microsoft-Windows-VHDMP" Guid="e2816346-87f4-4f85-95c3-0c79409aa89d" />
 #     <EventID>1</EventID>
 #     <Version>0</Version>
 #     <Level>4</Level>
 #     <Task>1205</Task>
 #     <Opcode>2</Opcode>
 #     <Keywords>0x8000000000000001</Keywords>
-#     <TimeCreated SystemTime="2020-12-29T02:31:57.0588526Z" />
-#     <EventRecordID>3316</EventRecordID>
+#     <TimeCreated SystemTime="2022-07-13 05:38:10.0560840" />
+#     <EventRecordID>15</EventRecordID>
 #     <Correlation />
-#     <Execution ProcessID="4" ThreadID="14296" />
+#     <Execution ProcessID="4" ThreadID="312" />
 #     <Channel>Microsoft-Windows-VHDMP-Operational</Channel>
-#     <Computer>ComputerName</Computer>
-#     <Security UserID="{UserID}" />
+#     <Computer>VMWIN11</Computer>
+#     <Security UserID="S-1-5-18" />
 #   </System>
 #   <EventData>
-#     <Data Name="VhdFileName">C:\Users\hyuunnn\Desktop\test.vhd</Data>
-#     <Data Name="VhdDiskNumber">3</Data>
-#     <Data Name="VirtualDisk">0xffffdf0130cd8280</Data>
+#     <Data Name="VhdFileName">C:\Users\standard\Desktop\TEST.vhdx</Data>
+#     <Data Name="VhdDiskNumber">1</Data>
+#     <Data Name="VirtualDisk">0xFFFFB188D20EF040</Data>
 #   </EventData>
 # </Event>
diff --git a/evtx/Maps/Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_1_Legacy.map b/evtx/Maps/Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_1_Legacy.map
@@ -0,0 +1,51 @@
+Author: Phill Moore, Hyun Yi @hyuunnn, Gabriele Zambelli
+Description: A VHD has been created
+EventId: 1
+Channel: "Microsoft-Windows-VHDMP/Operational"
+Provider: Microsoft-Windows-VHDMP
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "The VHD %VhdName% has been created (surfaced) as disk number %VhdNumber%"
+    Values:
+      -
+        Name: VhdName
+        Value: "/Event/EventData/Data[@Name=\"VhdFileName\"]"
+      -
+        Name: VhdNumber
+        Value: "/Event/EventData/Data[@Name=\"VhdDiskNumber\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "VhdName: %VhdName%"
+    Values:
+      -
+        Name: VhdName
+        Value: "/Event/EventData/Data[@Name=\"VhdFileName\"]"
+
+# Documentation:
+# https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
+# This legacy map applies to Windows 8 / Windows Server 2012. The channel name "Microsoft-Windows-VHDMP/Operational" was renamed to "Microsoft-Windows-VHDMP-Operational" in more recent operating systems.
+#
+# Example Event Data:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-VHDMP" Guid="e2816346-87f4-4f85-95c3-0c79409aa89d" />
+#     <EventID>1</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x8000000000000000</Keywords>
+#     <TimeCreated SystemTime="2022-07-11 14:02:51.0410456" />
+#     <EventRecordID>1</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="4" ThreadID="3868" />
+#     <Channel>Microsoft-Windows-VHDMP/Operational</Channel>
+#     <Computer>WIN-QSQO10V59K4</Computer>
+#     <Security UserID="S-1-5-18" />
+#   </System>
+#   <EventData>
+#     <Data Name="VhdFileName">C:\Users\Administrator\Desktop\TEST.vhdx</Data>
+#     <Data Name="VhdDiskNumber">1</Data>
+#   </EventData>
+# </Event>
diff --git a/evtx/Maps/Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_2_Current.map b/evtx/Maps/Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_2_Current.map
@@ -0,0 +1,51 @@
+Author: Gabriele Zambelli @gazambelli
+Description: A VHD has been removed
+EventId: 2
+Channel: Microsoft-Windows-VHDMP-Operational
+Provider: Microsoft-Windows-VHDMP
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "The VHD %VhdName% has been removed (unsurfaced) as disk number %VhdNumber%"
+    Values:
+      -
+        Name: VhdName
+        Value: "/Event/EventData/Data[@Name=\"VhdFileName\"]"
+      -
+        Name: VhdNumber
+        Value: "/Event/EventData/Data[@Name=\"VhdDiskNumber\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "VhdName: %VhdName%"
+    Values:
+      -
+        Name: VhdName
+        Value: "/Event/EventData/Data[@Name=\"VhdFileName\"]"
+
+# Documentation:
+# https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
+# This map applies to Windows 10 / Windows 11 / Windows Server 2019
+#
+# Example Event Data:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-VHDMP" Guid="e2816346-87f4-4f85-95c3-0c79409aa89d" />
+#     <EventID>2</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x8000000000000000</Keywords>
+#     <TimeCreated SystemTime="2022-06-18 18:09:53.7040183" />
+#     <EventRecordID>4</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="4864" ThreadID="3524" />
+#     <Channel>Microsoft-Windows-VHDMP-Operational</Channel>
+#     <Computer>WIN-M2J77GC10N1</Computer>
+#     <Security UserID="S-1-5-21-1018296586-1262379815-4003437281-500" />
+#   </System>
+#   <EventData>
+#     <Data Name="VhdFileName">C:\Users\Administrator\Documents\TEST.vhdx</Data>
+#     <Data Name="VhdDiskNumber">1</Data>
+#   </EventData>
+# </Event>
diff --git a/evtx/Maps/Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_2_Legacy.map b/evtx/Maps/Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_2_Legacy.map
@@ -1,4 +1,4 @@
-Author: Phill Moore
+Author: Phill Moore, Gabriele Zambelli
 Description: A VHD has been removed
 EventId: 2
 Channel: "Microsoft-Windows-VHDMP/Operational"
@@ -14,9 +14,17 @@ Maps:
       -
         Name: VhdNumber
         Value: "/Event/EventData/Data[@Name=\"VhdDiskNumber\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "VhdName: %VhdName%"
+    Values:
+      -
+        Name: VhdName
+        Value: "/Event/EventData/Data[@Name=\"VhdFileName\"]"
 
 # Documentation:
 # https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
+# This legacy map applies to Windows 8 / Windows Server 2012. The channel name "Microsoft-Windows-VHDMP/Operational" was renamed to "Microsoft-Windows-VHDMP-Operational" in more recent operating systems.
 #
 # Example Event Data:
 # <Event>
