diff --git a/evtx/Maps/Security_1100.map b/evtx/Maps/Security_1100.map
new file mode 100644
index 00000000..291112a7
--- /dev/null
+++ b/evtx/Maps/Security_1100.map
@@ -0,0 +1,18 @@
+Author: Andrew Rathbun
+Description: The event logging service has shut down
+EventId: 1100
+Channel: Security
+Provider: "Microsoft-Windows-Eventlog"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%ServiceShutdown%"
+ Values:
+ -
+ Name: ServiceShutdown
+ Value: "/Event/UserData[@Name=\"ServiceShutdown\"]"
+
+# Please note, Event Log 4609 (Computer is shutting down) doesn't get logged anymore due to this service being shut down first.
+# Therefore, 4609 never gets a chance to get logged. This log is effectively your time of computer shutdown, as a result.
+# This map likely won't log any data in PayloadData1, but at least this map will provide the Map Description column with something.
+# Source of the above information: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4609 and https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1100
diff --git a/evtx/Maps/Security_4608.map b/evtx/Maps/Security_4608.map
new file mode 100644
index 00000000..3afa3bdb
--- /dev/null
+++ b/evtx/Maps/Security_4608.map
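Review bot: The selector `/Event/UserData[@Name=\"ServiceShutdown\"]` puts a `@Name` predicate on the `UserData` element itself, whereas every other map in this commit selects a named `Data` child under `EventData`; the comment above already predicts PayloadData1 will stay empty, which suggests the path does not match the 1100 record layout. Verify the path against a real 1100 record and either correct it or state in the comment that the Values entry is a placeholder kept so the Map Description column is populated. Since the comment positions 1100 as the effective shutdown marker, it may also be worth adding one line noting that a 1100 not followed by a startup event (4608, also mapped in this commit) points to the logging service being stopped while the system stayed up, which is a useful triage cue.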
@@ -0,0 +1,29 @@
+Author: Andrew Rathbun
+Description: Windows is starting up
+EventId: 4608
+Channel: Security
+Provider: "Microsoft-Windows-Security-Auditing"
+Maps:
+ -
+ Property: Username
+ PropertyValue: "%domain%\\%user%"
+ Values:
+ -
+ Name: domain
+ Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+ -
+ Name: user
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+ -
+ Property: PayloadData1
+ PropertyValue: "Target: %TargetDomainName%\\%TargetUserName%"
+ Values:
+ -
+ Name: TargetDomainName
+ Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
+ -
+ Name: TargetUserName
+ Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
+
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4608
+# This event is logged when LSASS.EXE process starts and the auditing subsystem is initialized. It typically generates during operating system startup process.
diff --git a/evtx/Maps/Security_4700.map b/evtx/Maps/Security_4700.map
new file mode 100644
index 00000000..045369b5
--- /dev/null
+++ b/evtx/Maps/Security_4700.map
@@ -0,0 +1,37 @@
+Author: Andrew Rathbun
+Description: A scheduled task was enabled
+EventId: 4700
+Channel: Security
+Maps:
+ -
+ Property: UserName
+ PropertyValue: "%domain%\\%user%"
+ Values:
+ -
+ Name: domain
+ Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+ -
+ Name: user
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+ -
+ Property: PayloadData1
+ PropertyValue: "TaskName: %TaskName%"
+ Values:
+ -
+ Name: TaskName
+ Value: "/Event/EventData/Data[@Name=\"TaskName\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "TaskContent: %TaskContent%"
+ Values:
+ -
+ Name: TaskContent
+ Value: "/Event/EventData/Data[@Name=\"TaskContent\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "SubjectUserSid: %SubjectUserSid%"
+ Values:
+ -
+ Name: SubjectUserSid
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+
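Review bot: `Property: Username` differs in casing from the `UserName` used by the 4700 and 4740 maps in this commit and listed under "Valid properties" in the 4740 comment block; if the consumer matches property names case-sensitively this entry would be silently dropped, so it should read `Property: UserName`. Separately, the linked Microsoft page should be checked for whether a 4608 record actually carries `SubjectDomainName`/`SubjectUserName` and `TargetDomainName`/`TargetUserName` Data fields — my recollection is that 4608 has no event-specific data, in which case both selectors render empty and a static PayloadData1 (or no Maps entries at all) would be more honest than a "Target:" label with nothing after it.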
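Review bot: This map has no `Provider:` line, while the 1100 and 4608 maps in the same commit declare one; the 4740 map has the same omission. For consistency with 4608, which covers the same Security auditing provider, add `Provider: "Microsoft-Windows-Security-Auditing"` after `Channel: Security` in both files — if the loader uses Provider as part of the match key, leaving it unset could make these maps apply or fail to apply unexpectedly, which is worth confirming. Also, the 4740 comment describes `ExecutableInfo` as the property meant for scheduled-task details; placing `%TaskContent%` there instead of PayloadData2 would keep the task XML in the column analysts already filter for that kind of content, so check how the existing 4701 map handles it before deciding.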
diff --git a/evtx/Maps/Security_4701.map b/evtx/Maps/Security_4701.map
index ca9831ef..77ff38c1 100644
--- a/evtx/Maps/Security_4701.map
+++ b/evtx/Maps/Security_4701.map
@@ -20,5 +20,3 @@ Maps:
 -
 Name:
 Value: "/Event/EventData/Data[@Name=\"\"]"
-
-# Valid properties include:
diff --git a/evtx/Maps/Security_4740.map b/evtx/Maps/Security_4740.map
new file mode 100644
index 00000000..148bf8e3
--- /dev/null
+++ b/evtx/Maps/Security_4740.map
@@ -0,0 +1,74 @@
+Author: Andrew Rathbun
+Description: A user account was locked out
+EventId: 4740
+Channel: Security
+Maps:
+ -
+ Property: UserName
+ PropertyValue: "%domain%\\%user% (%sid%)"
+ Values:
+ -
+ Name: domain
+ Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+ -
+ Name: user
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+ -
+ Name: sid
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+ -
+ Property: PayloadData1
+ PropertyValue: "Target: %TargetDomainName%\\%TargetUserName% (%TargetSid%)"
+ Values:
+ -
+ Name: TargetUserName
+ Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
+ -
+ Name: TargetDomainName
+ Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
+ -
+ Name: TargetSid
+ Value: "/Event/EventData/Data[@Name=\"TargetSid\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "SubjectLogonId: %SubjectLogonId%"
+ Values:
+ -
+ Name: SubjectLogonId
+ Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+#
+# defaultuser1
+# MICROSO-F9QCQ4I
+# S-1-5-21-3634127885-2815721165-4177678784-1004
+# S-1-5-18
+# MICROSO-F9QCQ4I$
+# TEMP
+# 0x3E7
+# -
+# defaultuser1
+# %%1793
+# -
+# %%1793
+# %%1793
+# %%1793
+# %%1793
+# %%1793
+# %%1794
+# %%1794
+# 513
+# -
+# 0x0
+# 0x15
+# %%2080%%2082%%2084
+# %%1793
+# -
+# %%1797
+#
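Review bot: `PropertyValue: "Target: %TargetDomainName%\\%TargetUserName% (%TargetSid%)"` presents `TargetDomainName` as the locked-out account's domain, but in a 4740 record that field carries the caller computer name — the host from which the failed logons originated — per Microsoft's description of this event (confirm against a real record before changing). Rendering it as domain\user hides the one field an analyst pivots on in a lockout investigation; consider `PropertyValue: "Target: %TargetUserName% (%TargetSid%) CallerComputerName: %TargetDomainName%"`, or map that value into the `RemoteHost` property the comment block below lists as valid. The "Example payload data" block also does not match this map: it lists over twenty values including `513` and `%%2080%%2082%%2084`, which look like account-creation attributes rather than the seven Data fields this map selects, so it appears to be carried over from another map's template and should be replaced with a real 4740 payload or removed.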