New maps, various fixes #44

Merged
merged 5 commits into from
Dec 6, 2020
18 changes: 18 additions & 0 deletions evtx/Maps/Security_1100.map
@@ -0,0 +1,18 @@
Author: Andrew Rathbun
Description: The event logging service has shut down
EventId: 1100
Channel: Security
Provider: "Microsoft-Windows-Eventlog"
Maps:
-
Property: PayloadData1
PropertyValue: "%ServiceShutdown%"
Values:
-
Name: ServiceShutdown
Value: "/Event/UserData[@Name=\"ServiceShutdown\"]"

# Please note, Event Log 4609 (Computer is shutting down) doesn't get logged anymore due to this service being shut down first.
# Therefore, 4609 never gets a chance to get logged. This log is effectively your time of computer shutdown, as a result.
# This map likely won't log any data in PayloadData1, but at least this map will provide the Map Description column with something.
# Source of the above information: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4609 and https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1100
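Review bot: the XPath in `Value: "/Event/UserData[@Name=\"ServiceShutdown\"]"` selects a UserData element that carries a Name attribute, but event 1100's UserData contains an empty child element named ServiceShutdown with no Name attribute and no text, so the lookup will never produce a value, which the comment on PayloadData1 already anticipates. Since the element has no content to extract, either drop the Maps/Values section and keep only the Description (that alone gives the Map Description column its value), or point the XPath at the element itself (`/Event/UserData/ServiceShutdown`) so the map at least targets a node that exists. The shutdown-timing caveat in the comments is the most useful part of this file; consider folding a short form of it into the Description so it reaches the analyst in the output rather than only in the map source.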
29 changes: 29 additions & 0 deletions evtx/Maps/Security_4608.map
@@ -0,0 +1,29 @@
Author: Andrew Rathbun
Description: Windows is starting up
EventId: 4608
Channel: Security
Provider: "Microsoft-Windows-Security-Auditing"
Maps:
-
Property: Username
PropertyValue: "%domain%\\%user%"
Values:
-
Name: domain
Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
-
Name: user
Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
-
Property: PayloadData1
PropertyValue: "Target: %TargetDomainName%\\%TargetUserName%"
Values:
-
Name: TargetDomainName
Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
-
Name: TargetUserName
Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"

# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4608
# This event is logged when LSASS.EXE process starts and the auditing subsystem is initialized. It typically generates during operating system startup process.
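Review bot: the property name `Property: Username` differs in case from the `UserName` used in Security_4700.map and Security_4740.map in this same PR and from the "Valid properties" list reproduced in Security_4740.map; if property names are matched exactly, this column will be silently dropped, so change it to `Property: UserName`. The PayloadData1 entry also reads TargetDomainName and TargetUserName, but nothing in the hunk or the linked documentation comment shows 4608 carrying those fields; confirm against a real 4608 record and remove the entry if the fields are absent, otherwise the column will only ever contain the literal "Target: \".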
37 changes: 37 additions & 0 deletions evtx/Maps/Security_4700.map
@@ -0,0 +1,37 @@
Author: Andrew Rathbun
Description: A scheduled task was enabled
EventId: 4700
Channel: Security
Maps:
-
Property: UserName
PropertyValue: "%domain%\\%user%"
Values:
-
Name: domain
Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
-
Name: user
Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
-
Property: PayloadData1
PropertyValue: "TaskName: %TaskName%"
Values:
-
Name: TaskName
Value: "/Event/EventData/Data[@Name=\"TaskName\"]"
-
Property: PayloadData2
PropertyValue: "TaskContent: %TaskContent%"
Values:
-
Name: TaskContent
Value: "/Event/EventData/Data[@Name=\"TaskContent\"]"
-
Property: PayloadData3
PropertyValue: "SubjectUserSid: %SubjectUserSid%"
Values:
-
Name: SubjectUserSid
Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"

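Review bot: this map has no `Provider:` line, unlike Security_1100.map and Security_4608.map in the same PR, so the Security channel maps in this change are keyed inconsistently; add `Provider: "Microsoft-Windows-Security-Auditing"` after `Channel: Security` to match the other files. One further point: TaskContent is the complete task XML, so PayloadData2 will carry a large multi-line blob for every 4700 record; that is acceptable for triage but worth a comment in the file, and the SubjectUserSid in PayloadData3 could instead be appended to the UserName value as `%domain%\\%user% (%sid%)`, the pattern Security_4740.map already uses.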
2 changes: 0 additions & 2 deletions evtx/Maps/Security_4701.map
Expand Up @@ -20,5 +20,3 @@ Maps:
-
Name: <name>
Value: "/Event/EventData/Data[@Name=\"<name>\"]"

# Valid properties include:
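Review bot: removing only the trailing `# Valid properties include:` comment leaves the context lines above it, `Name: <name>` and `Value: "/Event/EventData/Data[@Name=\"<name>\"]"`, in place, and that is a template placeholder that can never match a real 4701 field. Either fill in the intended field name (the TaskName/TaskContent/SubjectUserSid set used by the new Security_4700.map would be the natural counterpart for "A scheduled task was disabled") or delete the stub entry along with the comment.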
74 changes: 74 additions & 0 deletions evtx/Maps/Security_4740.map
@@ -0,0 +1,74 @@
Author: Andrew Rathbun
Description: A user account was locked out
EventId: 4740
Channel: Security
Maps:
-
Property: UserName
PropertyValue: "%domain%\\%user% (%sid%)"
Values:
-
Name: domain
Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
-
Name: user
Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
-
Name: sid
Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
-
Property: PayloadData1
PropertyValue: "Target: %TargetDomainName%\\%TargetUserName% (%TargetSid%)"
Values:
-
Name: TargetUserName
Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
-
Name: TargetDomainName
Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
-
Name: TargetSid
Value: "/Event/EventData/Data[@Name=\"TargetSid\"]"
-
Property: PayloadData2
PropertyValue: "SubjectLogonId: %SubjectLogonId%"
Values:
-
Name: SubjectLogonId
Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"

# Valid properties include:
# UserName
# RemoteHost
# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
# PayloadData1 through PayloadData6

# Example payload data
# <EventData>
# <Data Name="TargetUserName">defaultuser1</Data>
# <Data Name="TargetDomainName">MICROSO-F9QCQ4I</Data>
# <Data Name="TargetSid">S-1-5-21-3634127885-2815721165-4177678784-1004</Data>
# <Data Name="SubjectUserSid">S-1-5-18</Data>
# <Data Name="SubjectUserName">MICROSO-F9QCQ4I$</Data>
# <Data Name="SubjectDomainName">TEMP</Data>
# <Data Name="SubjectLogonId">0x3E7</Data>
# <Data Name="PrivilegeList">-</Data>
# <Data Name="SamAccountName">defaultuser1</Data>
# <Data Name="DisplayName">%%1793</Data>
# <Data Name="UserPrincipalName">-</Data>
# <Data Name="HomeDirectory">%%1793</Data>
# <Data Name="HomePath">%%1793</Data>
# <Data Name="ScriptPath">%%1793</Data>
# <Data Name="ProfilePath">%%1793</Data>
# <Data Name="UserWorkstations">%%1793</Data>
# <Data Name="PasswordLastSet">%%1794</Data>
# <Data Name="AccountExpires">%%1794</Data>
# <Data Name="PrimaryGroupId">513</Data>
# <Data Name="AllowedToDelegateTo">-</Data>
# <Data Name="OldUacValue">0x0</Data>
# <Data Name="NewUacValue">0x15</Data>
# <Data Name="UserAccountControl">%%2080%%2082%%2084</Data>
# <Data Name="UserParameters">%%1793</Data>
# <Data Name="SidHistory">-</Data>
# <Data Name="LogonHours">%%1797</Data>
# </EventData>
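Review bot: in event 4740 the TargetDomainName field holds the Caller Computer Name (the host from which the failed logons that triggered the lockout originated), not the locked-out account's domain, so `PropertyValue: "Target: %TargetDomainName%\\%TargetUserName% (%TargetSid%)"` renders as COMPUTER\user and hides the single most useful field in the event behind a misleading label; map TargetDomainName to the RemoteHost property listed under "Valid properties" and keep PayloadData1 as `Target: %TargetUserName% (%TargetSid%)`. The sample payload in the comment block also does not look like a 4740 record: SamAccountName, DisplayName, OldUacValue, NewUacValue and UserAccountControl are account-management fields that 4740 does not emit, so replace it with an EventData block captured from a real lockout event so the map can be checked against it.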