Merge pull request #5 from EricZimmerman/master

update repo

Author: AndrewRathbun

EvtxECmd/App.config

@@ -1,22 +1,21 @@
-<?xml version="1.0" encoding="utf-8"?>
-
+<?xml version="1.0" encoding="utf-8"?>
 <configuration>
   <configSections>
   </configSections>
   <startup>
-    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
+    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.2"/>
   </startup>
   <runtime>
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
       <dependentAssembly>
-        <assemblyIdentity name="System.ValueTuple" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />
+        <assemblyIdentity name="System.ValueTuple" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0"/>
       </dependentAssembly>
 
       <dependentAssembly>
-        <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />
+        <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0"/>
       </dependentAssembly>
     </assemblyBinding>
   </runtime>
-</configuration>
+</configuration>

EvtxECmd/EvtxECmd.csproj

@@ -8,7 +8,7 @@
     <OutputType>Exe</OutputType>
     <RootNamespace>EvtxECmd</RootNamespace>
     <AssemblyName>EvtxECmd</AssemblyName>
-    <TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
+    <TargetFrameworkVersion>v4.6.2</TargetFrameworkVersion>
     <FileAlignment>512</FileAlignment>
     <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
     <Deterministic>true</Deterministic>
@@ -88,7 +88,7 @@
       <Version>4.1.0</Version>
     </PackageReference>
     <PackageReference Include="CsvHelper">
-      <Version>16.1.0</Version>
+      <Version>17.0.1</Version>
     </PackageReference>
     <PackageReference Include="Exceptionless">
       <Version>4.5.0</Version>
@@ -105,7 +105,7 @@
       <Version>12.0.3</Version>
     </PackageReference>
     <PackageReference Include="NLog">
-      <Version>4.7.5</Version>
+      <Version>4.7.6</Version>
     </PackageReference>
     <PackageReference Include="ServiceStack.Text">
       <Version>5.10.2</Version>

EvtxECmd/Program.cs

@@ -741,18 +741,35 @@ private static void UpdateFromRepo()
 
             var newMapPath = Path.Combine(BaseDirectory, "evtx-master","evtx", "Maps");
 
-            var orgMapMath = Path.Combine(BaseDirectory, "Maps");
+            var orgMapPath = Path.Combine(BaseDirectory, "Maps");
 
             var newMaps = Directory.GetFiles(newMapPath);
 
             var newlocalMaps = new List<string>();
 
             var updatedlocalMaps = new List<string>();
 
+            if (File.Exists(Path.Combine(orgMapPath, "Security_4624.map")))
+            {
+                _logger.Warn($"Old map format found. Zipping to '!!oldMaps.zip' and cleaning up old maps");
+                //old maps found, so zip em first
+                var oldZip = Path.Combine(orgMapPath, "!!oldMaps.zip");
+                fff.CreateZip(oldZip,orgMapPath,false,@"\.map$");
+                foreach (var m in Directory.GetFiles(orgMapPath,"*.map"))
+                {
+                    File.Delete(m);
+                }
+            }
+
+            if (File.Exists(Path.Combine(orgMapPath, "!!!!README.txt")))
+            {
+                File.Delete(Path.Combine(orgMapPath, "!!!!README.txt"));
+            }
+
             foreach (var newMap in newMaps)
             {
                 var mName = Path.GetFileName(newMap);
-                var dest = Path.Combine(orgMapMath, mName);
+                var dest = Path.Combine(orgMapPath, mName);
 
                 if (File.Exists(dest) == false)
                 {
@@ -769,7 +786,6 @@ private static void UpdateFromRepo()
                     {
                         //updated file
                         updatedlocalMaps.Add(mName);
-
 
                     }
                 }
@@ -841,7 +857,7 @@ private static void ProcessFile(string file)
             {
                 fileS = new FileStream(file, FileMode.Open, FileAccess.Read);
             }
-            catch (Exception ex)
+            catch (Exception)
             {
                 //file is in use
 

EvtxECmd/Properties/AssemblyInfo.cs

@@ -31,5 +31,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("0.6.0.3")]
-[assembly: AssemblyFileVersion("0.6.0.3")]
+[assembly: AssemblyVersion("0.6.5.0")]
+[assembly: AssemblyFileVersion("0.6.5.0")]

evtx.Test/evtx.Test.csproj

@@ -63,7 +63,7 @@
       <Version>2.7.0</Version>
     </PackageReference>
     <PackageReference Include="NLog">
-      <Version>4.7.5</Version>
+      <Version>4.7.6</Version>
     </PackageReference>
     <PackageReference Include="NUnit">
       <Version>3.12.0</Version>

evtx/ChunkInfo.cs

@@ -241,10 +241,10 @@ public ChunkInfo(byte[] chunkBytes, long absoluteOffset, int chunkNumber)
                             }
 
                         }
-                        catch (Exception e)
+                        catch (Exception )
                         {
                             //oh well, we tried
-                            //l.Warn($"Error when attemping to recover possible hidden record: {e.Message}");
+                            //l.Warn($"Error when attempting to recover possible hidden record: {e.Message}");
                         }
 
                     }

evtx/EventLog.cs

@@ -162,13 +162,13 @@ public static bool LoadMaps(string mapPath)
                             // {
                             //     
                             // }
-                            EventLogMaps.Add($"{eventMapFile.EventId}-{eventMapFile.Channel.ToUpperInvariant()}", eventMapFile);    
+                            EventLogMaps.Add($"{eventMapFile.EventId}-{eventMapFile.Channel.ToUpperInvariant()}-{eventMapFile.Provider.ToUpperInvariant()}", eventMapFile);    
 
                         }
                         else
                         {
                             l.Warn(
-                                $"A map for event id '{eventMapFile.EventId}' with Channel '{eventMapFile.Channel}' already exists. Map '{Path.GetFileName(mapFile)}' will be skipped");
+                                $"A map for event id '{eventMapFile.EventId}' with Channel '{eventMapFile.Channel}' and Provider '{eventMapFile.Provider}' already exists. Map '{Path.GetFileName(mapFile)}' will be skipped");
                         }
                     }
                     else

evtx/EventLogMap.cs

@@ -119,6 +119,8 @@ public EventLogMapValidator()
         {
             RuleFor(target => target.EventId).NotNull();
             RuleFor(target => target.Channel).NotEmpty();
+            RuleFor(target => target.Provider).NotEmpty();
+            
             RuleFor(target => target.Author).NotEmpty();
             RuleFor(target => target.Description).NotEmpty();
 

evtx/EventRecord.cs

@@ -293,28 +293,16 @@ public void BuildProperties()
                 return;
             }
 
-            if (!EventLog.EventLogMaps.ContainsKey($"{EventId}-{Channel.ToUpperInvariant()}"))
+            if (!EventLog.EventLogMaps.ContainsKey($"{EventId}-{Channel.ToUpperInvariant()}-{Provider.ToUpperInvariant()}"))
             {
                 return;
             }
 
             var docNav = new XPathDocument(new StringReader(xml));
             var nav = docNav.CreateNavigator();
 
-            l.Trace($"Found map for Event ID {EventId} with Channel '{Channel}'!");
-            var map = EventLog.EventLogMaps[$"{EventId}-{Channel.ToUpperInvariant()}"];
-
-            if (map.Provider.IsNullOrEmpty() == false)
-            {
-                l.Trace($"Map specifies a provider. Checking...");
-
-                if (!string.Equals(map.Provider, Provider, StringComparison.InvariantCultureIgnoreCase))
-                {
-                        
-                    l.Debug($"The Provider in the event log does not match the provider in the map. Map not applicable.");
-                    return;
-                }
-            }
+            l.Trace($"Found map for Event ID {EventId} with Channel '{Channel}' and Provider '{Provider}'!");
+            var map = EventLog.EventLogMaps[$"{EventId}-{Channel.ToUpperInvariant()}-{Provider.ToUpperInvariant()}"];
 
             MapDescription = map.Description;
 

evtx/Maps/Microsoft-DriverFrameworks-UserMode-Operational_Microsoft-DriverFrameworks-UserMode_2100.map

@@ -2,6 +2,7 @@ Author: Hyun Yi @hyuunnn
 Description: Path of executed program
 EventId: 17
 Channel: "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
+Provider: "Microsoft-Windows-Program-Compatibility-Assistant"
 Maps:
   -
     Property: ExecutableInfo
@@ -36,4 +37,4 @@ Maps:
 #         <ResolverName>DetectorShim_Win32Exception</ResolverName> 
 #     </ResolverFiredEvent>
 #   </UserData>
-# </Event>
+# </Event>

evtx/Maps/Microsoft-Windows-Application-Experience_Program-Compatibility-Assistant_17.map

@@ -2,6 +2,7 @@ Author: Hyun Yi @hyuunnn
 Description: USB Connection
 EventId: 2100
 Channel: "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
+Provider: "Microsoft-Windows-DriverFrameworks-UserMode"
 Maps:
   -
     Property: PayloadData1
@@ -55,4 +56,4 @@ Maps:
 # Windows Vista, 7 : enable (default)
 # Windows 8~ : disable (default)
 # https://nxlog.co/documentation/nxlog-user-guide/windows-usb-auditing.html
-# https://www.reddit.com/r/sysadmin/comments/4dr2t2/security_guy_wants_to_log_usb_storage_devices_on/
+# https://www.reddit.com/r/sysadmin/comments/4dr2t2/security_guy_wants_to_log_usb_storage_devices_on/

evtx/Maps/Microsoft-Windows-DriverFrameworks-UserMode_Operational_2100.map

@@ -21,24 +21,24 @@ Maps:
 # This map likely won't log any data in PayloadData1, but at least this map will provide the Map Description column with something. 
 #
 # Example Event Data:
-<Event>
-  <System>
-    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc64rgd8-d6ef-4962-83d5-6e5wergce148}" />
-    <EventID>1100</EventID>
-    <Version>0</Version>
-    <Level>4</Level>
-    <Task>103</Task>
-    <Opcode>0</Opcode>
-    <Keywords>0x4020000340000000</Keywords>
-    <TimeCreated SystemTime="2020-10-07 02:38:05.9085508" />
-    <EventRecordID>266791475</EventRecordID>
-    <Correlation />
-    <Execution ProcessID="679" ThreadID="1234" />
-    <Channel>Security</Channel>
-    <Computer>HOSTNAME</Computer>
-    <Security />
-  </System>
-  <UserData>
-    <ServiceShutdown></ServiceShutdown>
-  </UserData>
-</Event>
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc64rgd8-d6ef-4962-83d5-6e5wergce148}" />
+#    <EventID>1100</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>103</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x4020000340000000</Keywords>
+#    <TimeCreated SystemTime="2020-10-07 02:38:05.9085508" />
+#    <EventRecordID>266791475</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="679" ThreadID="1234" />
+#    <Channel>Security</Channel>
+#    <Computer>HOSTNAME</Computer>
+#    <Security />
+#  </System>
+#  <UserData>
+#    <ServiceShutdown></ServiceShutdown>
+#  </UserData>
+#</Event>

evtx/Maps/Security_Microsoft-Windows-Eventlog_1100.map

@@ -16,7 +16,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
   - 
     Property: PayloadData1
-    PropertvenyValue: "Target: %TargetDomainName%\\%TargetUserName%"
+    PropertyValue: "Target: %TargetDomainName%\\%TargetUserName%"
     Values: 
       - 
         Name: TargetDomainName
@@ -30,22 +30,22 @@ Maps:
 # This event is logged when LSASS.EXE process starts and the auditing subsystem is initialized. It typically generates during operating system startup process.
 #
 # Example Et Data:
-<Event>
-  <System>
-    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="54867925-5478-4994-a5ba-3e3b0328c30d" />
-    <EventID>4608</EventID>
-    <Version>0</Version>
-    <Level>0</Level>
-    <Task>12679</Task>
-    <Opcode>0</Opcode>
-    <Keywords>0x8020009000000000</Keywords>
-    <TimeCreated SystemTime="2020-10-09 18:09:40.2437686" />
-    <EventRecordID>266790034</EventRecordID>
-    <Correlation />
-    <Execution ProcessID="679" ThreadID="123" />
-    <Channel>Security</Channel>
-    <Computer>HOSTNAME.domain.com</Computer>
-    <Security />
-  </System>
-  <EventData></EventData>
-</Event>
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="54867925-5478-4994-a5ba-3e3b0328c30d" />
+#    <EventID>4608</EventID>
+#    <Version>0</Version>
+#    <Level>0</Level>
+#    <Task>12679</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x8020009000000000</Keywords>
+#    <TimeCreated SystemTime="2020-10-09 18:09:40.2437686" />
+#    <EventRecordID>266790034</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="679" ThreadID="123" />
+#    <Channel>Security</Channel>
+#    <Computer>HOSTNAME.domain.com</Computer>
+#    <Security />
+#  </System>
+#  <EventData></EventData>
+#</Event>