From 00d11cfb87eb207a9b78c84976abd85fcc2c9f6d Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Wed, 27 Oct 2021 07:33:03 -0400
Subject: [PATCH] Update Sysmon events with User fields https://twitter.com/Cyb3rWard0g/status/1453123054243024897/photo/1
---
...Operational_Microsoft-Windows-Sysmon_1.map | 8 ++-
...perational_Microsoft-Windows-Sysmon_10.map | 10 +++
...perational_Microsoft-Windows-Sysmon_11.map | 7 ++
...perational_Microsoft-Windows-Sysmon_12.map | 7 ++
...perational_Microsoft-Windows-Sysmon_13.map | 7 ++
...perational_Microsoft-Windows-Sysmon_14.map | 7 ++
...perational_Microsoft-Windows-Sysmon_15.map | 7 ++
...perational_Microsoft-Windows-Sysmon_17.map | 7 ++
...perational_Microsoft-Windows-Sysmon_18.map | 7 ++
...Operational_Microsoft-Windows-Sysmon_2.map | 8 ++-
...perational_Microsoft-Windows-Sysmon_22.map | 7 ++
...perational_Microsoft-Windows-Sysmon_24.map | 7 ++
...perational_Microsoft-Windows-Sysmon_25.map | 7 ++
...Operational_Microsoft-Windows-Sysmon_5.map | 7 ++
...Operational_Microsoft-Windows-Sysmon_7.map | 7 ++
...Operational_Microsoft-Windows-Sysmon_8.map | 10 +++
...Operational_Microsoft-Windows-Sysmon_9.map | 7 ++
.../Windows-PowerShell_PowerShell_800.map | 68 +++++++++++++++++++
18 files changed, 193 insertions(+), 2 deletions(-)
create mode 100644 evtx/Maps/Windows-PowerShell_PowerShell_800.map
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_1.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_1.map
index 1f33dd92..47d3b8c4 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_1.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_1.map
@@ -4,7 +4,13 @@ EventId: 1
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
-
+ -
+ Property: UserName
+ PropertyValue: "ParentUser: %ParentUser%"
+ Values:
+ -
+ Name: ParentUser
+ Value: "/Event/EventData/Data[@Name=\"ParentUser\"]"
-
Property: ExecutableInfo
PropertyValue: "%CommandLine%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_10.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_10.map
index 2bfeb241..cb90b66e 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_10.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_10.map
@@ -4,6 +4,16 @@ EventId: 10
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "SourceUser: %SourceUser% | TargetUser: %TargetUser%"
+ Values:
+ -
+ Name: SourceUser
+ Value: "/Event/EventData/Data[@Name=\"SourceUser\"]"
+ -
+ Name: TargetUser
+ Value: "/Event/EventData/Data[@Name=\"TargetUser\"]"
-
Property: ExecutableInfo
PropertyValue: "CallTrace: %CallTrace%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_11.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_11.map
index f1426eb4..19265432 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_11.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_11.map
@@ -4,6 +4,13 @@ EventId: 11
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: PayloadData1
PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
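Review bot: The Event 1 UserName entry exposes only `ParentUser`, so the account the created process itself runs under — Sysmon's long-standing `User` field on this event — does not reach the UserName column, while the parent's account lands there behind a `ParentUser: ` label that none of the other maps in this commit use (they map `%User%` bare). Filtering or pivoting on UserName across Sysmon events therefore returns the parent account for EID 1 and the process account everywhere else, the label defeats exact matches on an account name, and on records from a Sysmon build that predates ParentUser the XPath yields nothing and the cell renders as the dangling literal `ParentUser: `. Unless a later entry in this map (outside the hunk) already fills UserName from `User`, I would put the process account first and keep the parent as labeled context, and add a comment naming the Sysmon release that introduced ParentUser so an empty value is read as a version gap rather than missing data.
```yaml
  -
    Property: UserName
    PropertyValue: "%User% (ParentUser: %ParentUser%)"
    Values:
      -
        Name: User
        Value: "/Event/EventData/Data[@Name=\"User\"]"
      -
        Name: ParentUser
        Value: "/Event/EventData/Data[@Name=\"ParentUser\"]"
# … unchanged: ExecutableInfo entry and the rest of the map …
```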
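Review bot: The Event 10 UserName template is emitted whether or not the fields exist, so records from a Sysmon build older than the one that added SourceUser/TargetUser (the release the linked tweet announces; 13.30 as I recall — verify against the Sysmon changelog) render the column as the literal `SourceUser:  | TargetUser: ` instead of leaving it empty, which will pollute any grouping or filtering on UserName. Labeling both accounts is otherwise the right choice for ProcessAccess, where the source and target accounts differing is precisely what this event is used to hunt. The same applies to the Event 8 map later in this commit. I would add a comment above the entry, `# SourceUser/TargetUser are only present on Sysmon releases that emit them; older logs leave this template unfilled`, so a bare template is recognised as a version gap rather than as missing data.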
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_12.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_12.map
index 85dcea52..af0e4c89 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_12.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_12.map
@@ -4,6 +4,13 @@ EventId: 12
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: PayloadData1
PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_13.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_13.map
index 4c784b03..4aaed195 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_13.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_13.map
@@ -4,6 +4,13 @@ EventId: 13
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: PayloadData1
PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_14.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_14.map
index f65215b0..3d8f14d8 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_14.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_14.map
@@ -4,6 +4,13 @@ EventId: 14
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: PayloadData1
PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_15.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_15.map
index 5f83a25a..b673cabe 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_15.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_15.map
@@ -4,6 +4,13 @@ EventId: 15
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: PayloadData1
PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_17.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_17.map
index 8db63511..78de8344 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_17.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_17.map
@@ -4,6 +4,13 @@ EventId: 17
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: PayloadData1
PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_18.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_18.map
index 95714ae3..146063c4 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_18.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_18.map
@@ -4,6 +4,13 @@ EventId: 18
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: PayloadData1
PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_2.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_2.map
index 58ca1ed7..14e31ca5 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_2.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_2.map
@@ -4,7 +4,13 @@ EventId: 2
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
-
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: PayloadData1
PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_22.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_22.map
index f04c810b..a0dc15e9 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_22.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_22.map
@@ -4,6 +4,13 @@ EventId: 22
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: PayloadData1
PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_24.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_24.map
index 31c202ca..aa06b80e 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_24.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_24.map
@@ -4,6 +4,13 @@ EventId: 24
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: ExecutableInfo
PropertyValue: "%Image%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_25.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_25.map
index 95662054..481be2ae 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_25.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_25.map
@@ -4,6 +4,13 @@ EventId: 25
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: ExecutableInfo
PropertyValue: "%Image%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_5.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_5.map
index 7320703b..e33a3988 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_5.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_5.map
@@ -4,6 +4,13 @@ EventId: 5
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: ExecutableInfo
PropertyValue: "%FilePath%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_7.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_7.map
index 17915b78..f6ed25d0 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_7.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_7.map
@@ -4,6 +4,13 @@ EventId: 7
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: ExecutableInfo
PropertyValue: "%ImageLoaded%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_8.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_8.map
index 85915ee4..7af6c9b1 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_8.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_8.map
@@ -4,6 +4,16 @@ EventId: 8
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "SourceUser: %SourceUser% | TargetUser: %TargetUser%"
+ Values:
+ -
+ Name: SourceUser
+ Value: "/Event/EventData/Data[@Name=\"SourceUser\"]"
+ -
+ Name: TargetUser
+ Value: "/Event/EventData/Data[@Name=\"TargetUser\"]"
-
Property: PayloadData1
PropertyValue: "StartAddress: %StartAddress%"
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_9.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_9.map
index ad8062a7..78365279 100644
--- a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_9.map
+++ b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_9.map
@@ -4,6 +4,13 @@ EventId: 9
Channel: Microsoft-Windows-Sysmon/Operational
Provider: Microsoft-Windows-Sysmon
Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
-
Property: PayloadData1
PropertyValue: "ProcessID: %ProcessID%, ProcessGUID: %ProcessGUID%"
diff --git a/evtx/Maps/Windows-PowerShell_PowerShell_800.map b/evtx/Maps/Windows-PowerShell_PowerShell_800.map
new file mode 100644
index 00000000..1ead884c
--- /dev/null
+++ b/evtx/Maps/Windows-PowerShell_PowerShell_800.map
@@ -0,0 +1,68 @@
+Author: Andrew Rathbun
+Description: Pipeline Execution Details
+EventId: 800
+Channel: Windows PowerShell
+Provider: PowerShell
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%HostApplication%"
+ Values:
+ -
+ Name: HostApplication
+ Value: "/Event/EventData/Data"
+ Refine: "HostApplication=(.+)"
+ -
+ Property: PayloadData2
+ PropertyValue: "%HostName%"
+ Values:
+ -
+ Name: HostName
+ Value: "/Event/EventData/Data"
+ Refine: "HostName=(.+)"
+ -
+ Property: PayloadData3
+ PropertyValue: "%HostVersion%"
+ Values:
+ -
+ Name: HostVersion
+ Value: "/Event/EventData/Data"
+ Refine: "HostVersion=(.+)"
+
+# Documentation:
+# https://www.myeventlog.com/search/show/975
+#
+# Example Event Data:
+#
+#
+#
+# 600
+# 4
+# 6
+# 0x80000000000000
+#
+# 18
+# Windows PowerShell
+# name.domain.tld
+#
+#
+#
+# Registry, Started, ProviderName=Registry
+# NewProviderState=Started
+#
+# SequenceNumber=1
+#
+# HostName=ConsoleHost
+# HostVersion=5.1.18362.145
+# HostId=b3dfcb89-d2f8-4b8b-a784-a6a9bcf61bd8
+# HostApplication=powershell -command Set-ItemProperty -Path HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover -Name 'ExcludeExplicitO365Endpoint' -Value 1 -Type DWORD -Force
+# EngineVersion=
+# RunspaceId=
+# PipelineId=
+# CommandName=
+# CommandType=
+# ScriptName=
+# CommandPath=
+# CommandLine=
+#
+#
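Review bot: The `Example Event Data` comment appears to show an Event 600 record rather than an 800: the first numeric value left in the stripped XML is `600` and the body is a provider `Registry, Started` lifecycle message, so the documentation does not match the `EventId: 800` this map declares and should be replaced with a captured 800. The map also extracts host details only — `CommandLine=` and `ScriptName=`, which the example itself lists and which carry what the pipeline actually executed, are never mapped, so an analyst gets the host binary but not the command unless it happens to be embedded in `HostApplication`. `Value: "/Event/EventData/Data"` matches every Data element of the event, and the example suggests the HostName/HostApplication context sits in the second one, so whether each Refine ever sees its field depends on how the map engine resolves a multi-node XPath (first node versus concatenation) — worth confirming and recording in a comment. I would add a PayloadData4 entry for the pipeline command:
```yaml
  -
    Property: PayloadData4
    PropertyValue: "%CommandLine%"
    Values:
      -
        Name: CommandLine
        Value: "/Event/EventData/Data"
        Refine: "CommandLine=(.+)"
# … unchanged: PayloadData1–3 entries and the Example Event Data comment …
```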