EricZimmerman · AndrewRathbun · Dec 6, 2021 · Dec 6, 2021 · Dec 6, 2021 · Dec 6, 2021
diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5152.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5152.map
@@ -0,0 +1,142 @@
+Author: Jason Ballard
+Description: The Windows Filtering Platform has blocked a packet
+EventId: 5152
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+  -
+    Property: ExecutableInfo
+    PropertyValue: "%Application%"
+    Values:
+      -
+        Name: Application
+        Value: "/Event/EventData/Data[@Name=\"Application\"]"
+  -
+    Property: PayloadData1
+    PropertyValue: "Source: %SourceAddress%:%SourcePort%"
+    Values:
+      -
+        Name: SourceAddress
+        Value: "/Event/EventData/Data[@Name=\"SourceAddress\"]"
+      -
+        Name: SourcePort
+        Value: "/Event/EventData/Data[@Name=\"SourcePort\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "Dest: %DestAddress%:%DestPort%"
+    Values:
+      -
+        Name: DestAddress
+        Value: "/Event/EventData/Data[@Name=\"DestAddress\"]"
+      -
+        Name: DestPort
+        Value: "/Event/EventData/Data[@Name=\"DestPort\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "Protocol: %Protocol%"
+    Values:
+      -
+        Name: Protocol
+        Value: "/Event/EventData/Data[@Name=\"Protocol\"]"
+  -
+    Property: PayloadData4
+    PropertyValue: "PID: %ProcessID%"
+    Values:
+      -
+        Name: ProcessID
+        Value: "/Event/EventData/Data[@Name=\"ProcessId\"]"
+  -
+    Property: PayloadData5
+    PropertyValue: "Direction: %Direction%"
+    Values:
+      -
+        Name: Direction
+        Value: "/Event/EventData/Data[@Name=\"Direction\"]"
+        Refine: "%%(.{5})"
+  -
+    Property: PayloadData6
+    PropertyValue: "LayerName: %LayerName%"
+    Values:
+      -
+        Name: LayerName
+        Value: "/Event/EventData/Data[@Name=\"LayerName\"]"
+        Refine: "%%(.{5})"
+Lookups:
+  -
+    Name: Protocol
+    Default: Unknown code
+    Values:
+      1: Internet Control Message Protocol (ICMP)
+      6: Transmission Control Protocol (TCP)
+      17: User Datagram Protocol (UDP)
+      3: Gateway-Gateway Protocol (GGP)
+      8: Exterior Gateway Protocol (EGP)
+      12: PARC Universal Packet Protocol (PUP)
+      20: Host Monitoring Protocol (HMP)
+      27: Reliable Datagram Protocol (RDP)
+      46: Reservation Protocol (RSVP) QoS
+      47: General Routing Encapsulation (PPTP data over GRE)
+      51: Authentication Header (AH) IPSec
+      50: Encapsulation Security Payload (ESP) IPSec
+      66: MIT Remote Virtual Disk (RVD)
+      88: Internet Group Management Protocol (IGMP)
+      89: OSPF Open Shortest Path First
+  -
+    Name: Direction
+    Default: Unknown code
+    Values:
+      "%%14593": Outbound
+      "%%14592": Inbound
+  -
+    Name: LayerName
+    Default: Unknown code
+    Values:
+      "%%14597": Transport
+      "%%14601": ICMP Error
+      "%%14608": Resource Assignment
+      "%%14609": Listen
+      "%%14610": Receive/Accept
+      "%%14611": Connect
+
+# Documentation:
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5152
+#
+# This event logs all the particulars about a blocked packet including the filter that caused the block.
+# Application Information:
+# Process ID:  process ID specified when the executable started as logged in 4688
+# Application Name: the program executable on this computer's side of the packet transmission
+# Process ID can be correlated with 4688 Events
+#
+# - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# - <System>
+# <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
+# <EventID>5152</EventID>
+# <Version>0</Version>
+# <Level>0</Level>
+# <Task>12809</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8010000000000000</Keywords>
+# <TimeCreated SystemTime="2015-09-22T16:52:37.274367300Z" />
+# <EventRecordID>321323</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="4" ThreadID="4456" />
+# <Channel>Security</Channel>
+# <Computer>DC01.contoso.local</Computer>
+# <Security />
+# </System>
+# - <EventData>
+# <Data Name="ProcessId">4556</Data>
+# <Data Name="Application">\\device\\harddiskvolume2\\documents\\listener.exe</Data>
+# <Data Name="Direction">%%14592</Data>
+# <Data Name="SourceAddress">10.0.0.100</Data>
+# <Data Name="SourcePort">49278</Data>
+# <Data Name="DestAddress">10.0.0.10</Data>
+# <Data Name="DestPort">3333</Data>
+# <Data Name="Protocol">6</Data>
+# <Data Name="FilterRTID">0</Data>
+# <Data Name="LayerName">%%14610</Data>
+# <Data Name="LayerRTID">44</Data>
+# </EventData>
+# </Event>
diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5154.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5154.map
@@ -0,0 +1,110 @@
+Author: Jason Ballard
+Description: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
+EventId: 5154
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+  -
+    Property: ExecutableInfo
+    PropertyValue: "%Application%"
+    Values:
+      -
+        Name: Application
+        Value: "/Event/EventData/Data[@Name=\"Application\"]"
+  -
+    Property: PayloadData1
+    PropertyValue: "Source: %SourceAddress%:%SourcePort%"
+    Values:
+      -
+        Name: SourceAddress
+        Value: "/Event/EventData/Data[@Name=\"SourceAddress\"]"
+      -
+        Name: SourcePort
+        Value: "/Event/EventData/Data[@Name=\"SourcePort\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "Protocol: %Protocol%"
+    Values:
+      -
+        Name: Protocol
+        Value: "/Event/EventData/Data[@Name=\"Protocol\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "PID: %ProcessId%"
+    Values:
+      -
+        Name: ProcessId
+        Value: "/Event/EventData/Data[@Name=\"ProcessId\"]"
+  -
+    Property: PayloadData4
+    PropertyValue: "LayerName: %LayerName%"
+    Values:
+      -
+        Name: LayerName
+        Value: "/Event/EventData/Data[@Name=\"LayerName\"]"
+        Refine: "%%(.{5})"
+Lookups:
+  -
+    Name: Protocol
+    Default: Unknown code
+    Values:
+      1: Internet Control Message Protocol (ICMP)
+      6: Transmission Control Protocol (TCP)
+      17: User Datagram Protocol (UDP)
+      47: General Routing Encapsulation (PPTP data over GRE)
+      51: Authentication Header (AH) IPSec
+      50: Encapsulation Security Payload (ESP) IPSec
+      8: Exterior Gateway Protocol (EGP)
+      3: Gateway-Gateway Protocol (GGP)
+      20: Host Monitoring Protocol (HMP)
+      88: Internet Group Management Protocol (IGMP)
+      66: MIT Remote Virtual Disk (RVD)
+      89: OSPF Open Shortest Path First
+      12: PARC Universal Packet Protocol (PUP)
+      27: Reliable Datagram Protocol (RDP)
+      46: Reservation Protocol (RSVP) QoS
+  -
+    Name: LayerName
+    Default: Unknown code
+    Values:
+      "%%14597": Transport
+      "%%14601": ICMP Error
+      "%%14608": Resource Assignment
+      "%%14609": Listen
+      "%%14610": Receive/Accept
+      "%%14611": Connect
+
+# Documentation:
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5154
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5154
+#
+# This event documents each time WFP allows a program to begin listening on a TCP or UDP port for incoming connections and documents the program, port and filter that allowed it.
+#
+# <Event>
+# <System>
+# <Provider Name="Microsoft-Windows-Security-Auditing" Guid="54849625-5478-4994-a5ba-3e3b0328c30d" />
+# <EventID>5154</EventID>
+# <Version>0</Version>
+# <Level>0</Level>
+# <Task>12810</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8020000000000000</Keywords>
+# <TimeCreated SystemTime="2021-12-06 07:35:44.3515332" />
+# <EventRecordID>173889</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="4" ThreadID="10016" />
+# <Channel>Security</Channel>
+# <Computer>1337-H4x0r</Computer>
+# <Security />
+# </System>
+# <EventData>
+# <Data Name="ProcessId">728</Data>
+# <Data Name="Application">\device\harddiskvolume3\windows\system32\services.exe</Data>
+# <Data Name="SourceAddress">::</Data>
+# <Data Name="SourcePort">49669</Data>
+# <Data Name="Protocol">6</Data>
+# <Data Name="FilterRTID">0</Data>
+# <Data Name="LayerName">%%14609</Data>
+# <Data Name="LayerRTID">42</Data>
+# </EventData>
+# </Event>
diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5156.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5156.map
@@ -45,7 +45,22 @@ Maps:
       -
         Name: ProcessID
         Value: "/Event/EventData/Data[@Name=\"ProcessID\"]"
-
+  -
+    Property: PayloadData5
+    PropertyValue: "Direction: %Direction%"
+    Values:
+      -
+        Name: Direction
+        Value: "/Event/EventData/Data[@Name=\"Direction\"]"
+        Refine: "%%(.{5})"
+  -
+    Property: PayloadData6
+    PropertyValue: "LayerName: %LayerName%"
+    Values:
+      -
+        Name: LayerName
+        Value: "/Event/EventData/Data[@Name=\"LayerName\"]"
+        Refine: "%%(.{5})"
 Lookups:
   -
     Name: Protocol
@@ -66,42 +81,58 @@ Lookups:
       12: PARC Universal Packet Protocol (PUP)
       27: Reliable Datagram Protocol (RDP)
       46: Reservation Protocol (RSVP) QoS
+  -
+    Name: Direction
+    Default: Unknown code
+    Values:
+      "%%14593": Outbound
+      "%%14592": Inbound
+  -
+    Name: LayerName
+    Default: Unknown code
+    Values:
+      "%%14597": Transport
+      "%%14601": ICMP Error
+      "%%14608": Resource Assignment
+      "%%14609": Listen
+      "%%14610": Receive/Accept
+      "%%14611": Connect
 
 # Documentation:
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5156
 # https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
 #
 # Example Event Data:
 # <Event>
-#  <System>
-#    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="54849625-5478-4994-a5ba-3e3b0328c30d" />
-#    <EventID>5156</EventID>
-#    <Version>1</Version>
-#    <Level>0</Level>
-#    <Task>12810</Task>
-#    <Opcode>0</Opcode>
-#    <Keywords>0x8020000000000000</Keywords>
-#    <TimeCreated SystemTime="2019-03-19 23:35:08.7860165" />
-#    <EventRecordID>452812</EventRecordID>
-#    <Correlation />
-#    <Execution ProcessID="4" ThreadID="60" />
-#    <Channel>Security</Channel>
-#    <Computer>PC01.example.corp</Computer>
-#    <Security />
-#  </System>
-#  <EventData>
-#    <Data Name="ProcessID">812</Data>
-#    <Data Name="Application">\device\harddiskvolume1\windows\system32\svchost.exe</Data>
-#    <Data Name="Direction">%%14593</Data>
-#    <Data Name="SourceAddress">fe80::80ac:4126:fa58:1b81</Data>
-#    <Data Name="SourcePort">546</Data>
-#    <Data Name="DestAddress">ff02::1:2</Data>
-#    <Data Name="DestPort">547</Data>
-#    <Data Name="Protocol">17</Data>
-#    <Data Name="FilterRTID">65853</Data>
-#    <Data Name="LayerName">%%14611</Data>
-#    <Data Name="LayerRTID">50</Data>
-#    <Data Name="RemoteUserID">S-1-0-0</Data>
-#    <Data Name="RemoteMachineID">S-1-0-0</Data>
-#  </EventData>
+# <System>
+# <Provider Name="Microsoft-Windows-Security-Auditing" Guid="54849625-5478-4994-a5ba-3e3b0328c30d" />
+# <EventID>5156</EventID>
+# <Version>1</Version>
+# <Level>0</Level>
+# <Task>12810</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8020000000000000</Keywords>
+# <TimeCreated SystemTime="2019-03-19 23:35:08.7860165" />
+# <EventRecordID>452812</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="4" ThreadID="60" />
+# <Channel>Security</Channel>
+# <Computer>PC01.example.corp</Computer>
+# <Security />
+# </System>
+# <EventData>
+# <Data Name="ProcessID">812</Data>
+# <Data Name="Application">\device\harddiskvolume1\windows\system32\svchost.exe</Data>
+# <Data Name="Direction">%%14593</Data>
+# <Data Name="SourceAddress">fe80::80ac:4126:fa58:1b81</Data>
+# <Data Name="SourcePort">546</Data>
+# <Data Name="DestAddress">ff02::1:2</Data>
+# <Data Name="DestPort">547</Data>
+# <Data Name="Protocol">17</Data>
+# <Data Name="FilterRTID">65853</Data>
+# <Data Name="LayerName">%%14611</Data>
+# <Data Name="LayerRTID">50</Data>
+# <Data Name="RemoteUserID">S-1-0-0</Data>
+# <Data Name="RemoteMachineID">S-1-0-0</Data>
+# </EventData>
 # </Event>