Merge pull request #196 from RandyRandleman/master

GPO

evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4004.map

@@ -0,0 +1,82 @@
+Author: Tony Knutson
+Description: Starting manual processing of policy for COMPUTER
+EventId: 4004
+Channel: Microsoft-Windows-GroupPolicy/Operational
+Provider: Microsoft-Windows-GroupPolicy
+Maps:
+
+  -
+    Property: UserName
+    PropertyValue: "%PrincipalSamName%"
+    Values:
+      -
+        Name: PrincipalSamName
+        Value: "/Event/EventData/Data[@Name=\"PrincipalSamName\"]"
+  -
+    Property: PayloadData1
+    PropertyValue: "DomainJoined: %IsDomainJoined%"
+    Values:
+      -
+        Name: IsDomainJoined
+        Value: "/Event/EventData/Data[@Name=\"IsDomainJoined\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "BackgroundProcessing: %IsBackgroundProcessing%"
+    Values:
+      -
+        Name: IsBackgroundProcessing
+        Value: "/Event/EventData/Data[@Name=\"IsBackgroundProcessing\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "AsyncProcessing: %IsAsyncProcessing%"
+    Values:
+      -
+        Name: IsAsyncProcessing
+        Value: "/Event/EventData/Data[@Name=\"IsAsyncProcessing\"]"
+  -
+    Property: PayloadData4
+    PropertyValue: "ServiceRestart: %IsServiceRestart%"
+    Values:
+      -
+        Name: IsServiceRestart
+        Value: "/Event/EventData/Data[@Name=\"IsServiceRestart\"]"
+  -
+    Property: PayloadData5
+    PropertyValue: "Reasonforsyncing: %ReasonForSyncProcessing%"
+    Values:
+      -
+        Name: ReasonForSyncProcessing
+        Value: "/Event/EventData/Data[@Name=\"ReasonForSyncProcessing\"]"
+
+# Documentation:
+# Starting manual processing of policy for computer {PrincipalSamName}. Activity id: {PolicyActivityId}
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+#  <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
+#  <EventID>4004</EventID>
+#  <Version>1</Version>
+#  <Level>4</Level>
+#  <Task>0</Task>
+#  <Opcode>1</Opcode>
+#  <Keywords>0x4000000000000000</Keywords>
+#  <TimeCreated SystemTime="2022-05-23T16:29:22.9386942Z" />
+#  <EventRecordID>512864</EventRecordID>
+#  <Correlation ActivityID="{41242399-fbd6-42f2-a8ce-48300011574d}" />
+#  <Execution ProcessID="8416" ThreadID="5124" />
+#  <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
+#  <Computer>COMPUTER</Computer>
+#  <Security UserID="S-1-5-18" />
+#  </System>
+# <EventData>
+#  <Data Name="PolicyActivityId">{41242399-fbd6-42f2-a8ce-48300011574d}</Data>
+#  <Data Name="PrincipalSamName">USERNAME</Data>
+#  <Data Name="IsMachine">1</Data>
+#  <Data Name="IsDomainJoined">true</Data>
+#  <Data Name="IsBackgroundProcessing">true</Data>
+#  <Data Name="IsAsyncProcessing">false</Data>
+#  <Data Name="IsServiceRestart">false</Data>
+#  <Data Name="ReasonForSyncProcessing">0</Data>
+#  </EventData>
+#  </Event>

evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4005.map

@@ -0,0 +1,82 @@
+Author: Tony Knutson
+Description: Starting manual processing of policy for USER
+EventId: 4005
+Channel: Microsoft-Windows-GroupPolicy/Operational
+Provider: Microsoft-Windows-GroupPolicy
+Maps:
+
+  -
+    Property: UserName
+    PropertyValue: "%PrincipalSamName%"
+    Values:
+      -
+        Name: PrincipalSamName
+        Value: "/Event/EventData/Data[@Name=\"PrincipalSamName\"]"
+  -
+    Property: PayloadData1
+    PropertyValue: "DomainJoined: %IsDomainJoined%"
+    Values:
+      -
+        Name: IsDomainJoined
+        Value: "/Event/EventData/Data[@Name=\"IsDomainJoined\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "BackgroundProcessing: %IsBackgroundProcessing%"
+    Values:
+      -
+        Name: IsBackgroundProcessing
+        Value: "/Event/EventData/Data[@Name=\"IsBackgroundProcessing\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "AsyncProcessing: %IsAsyncProcessing%"
+    Values:
+      -
+        Name: IsAsyncProcessing
+        Value: "/Event/EventData/Data[@Name=\"IsAsyncProcessing\"]"
+  -
+    Property: PayloadData4
+    PropertyValue: "ServiceRestart: %IsServiceRestart%"
+    Values:
+      -
+        Name: IsServiceRestart
+        Value: "/Event/EventData/Data[@Name=\"IsServiceRestart\"]"
+  -
+    Property: PayloadData5
+    PropertyValue: "Reasonforsyncing: %ReasonForSyncProcessing%"
+    Values:
+      -
+        Name: ReasonForSyncProcessing
+        Value: "/Event/EventData/Data[@Name=\"ReasonForSyncProcessing\"]"
+
+# Documentation:
+# Starting manual processing of policy for user {PrincipalSamName}. Activity id: {PolicyActivityId}
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+#  <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
+#  <EventID>4005</EventID>
+#  <Version>1</Version>
+#  <Level>4</Level>
+#  <Task>0</Task>
+#  <Opcode>1</Opcode>
+#  <Keywords>0x4000000000000000</Keywords>
+#  <TimeCreated SystemTime="2022-05-22T21:47:54.4303572Z" />
+#  <EventRecordID>511656</EventRecordID>
+#  <Correlation ActivityID="{384ca94a-510c-4ce3-b104-9ef593805492}" />
+#  <Execution ProcessID="8188" ThreadID="10916" />
+#  <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
+#  <Computer>COMPUTER NAME</Computer>
+#  <Security UserID="SID" />
+#  </System>
+# <EventData>
+#  <Data Name="PolicyActivityId">{384ca94a-510c-4ce3-b104-9ef593805492}</Data>
+#  <Data Name="PrincipalSamName">USERNAME</Data>
+#  <Data Name="IsMachine">0</Data>
+#  <Data Name="IsDomainJoined">false</Data>
+#  <Data Name="IsBackgroundProcessing">true</Data>
+#  <Data Name="IsAsyncProcessing">false</Data>
+#  <Data Name="IsServiceRestart">false</Data>
+#  <Data Name="ReasonForSyncProcessing">0</Data>
+#  </EventData>
+# </Event>

evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4016.map

@@ -0,0 +1,68 @@
+Author: Tony Knutson
+Description: List of applicable Group Policy objects
+EventId: 4016
+Channel: Microsoft-Windows-GroupPolicy/Operational
+Provider: Microsoft-Windows-GroupPolicy
+Maps:
+
+  -
+    Property: PayloadData1
+    PropertyValue: "GPO Title: %DescriptionString%"
+    Values:
+      -
+        Name: DescriptionString
+        Value: "/Event/EventData/Data[@Name=\"DescriptionString\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "GPO List: %ApplicableGPOList%"
+    Values:
+      -
+        Name: ApplicableGPOList
+        Value: "/Event/EventData/Data[@Name=\"ApplicableGPOList\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "GPOChange: %IsGPOListChanged%"
+    Values:
+      -
+        Name: IsGPOListChanged
+        Value: "/Event/EventData/Data[@Name=\"IsGPOListChanged\"]"
+  -
+    Property: PayloadData4
+    PropertyValue: "CSEExtensionName: %CSEExtensionName%"
+    Values:
+      -
+        Name: CSEExtensionName
+        Value: "/Event/EventData/Data[@Name=\"CSEExtensionName\"]"
+
+# Documentation:
+# Events 4016 and 5016 show the start and end of processing of groups of policies, including how long it took to apply each one in the end event.
+# https://itworldjd.wordpress.com/2014/03/10/gpo-troubleshooting-using-log-files-on-win7-and-win-2008-r2/
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+#  <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
+#  <EventID>4016</EventID>
+#  <Version>0</Version>
+#  <Level>4</Level>
+#  <Task>0</Task>
+#  <Opcode>1</Opcode>
+#  <Keywords>0x4000000000000000</Keywords>
+#  <TimeCreated SystemTime="2022-05-24T13:05:59.3535687Z" />
+#  <EventRecordID>515206</EventRecordID>
+#  <Correlation ActivityID="{a5fbeca3-6758-456e-9209-c120909df110}" />
+#  <Execution ProcessID="9748" ThreadID="11076" />
+#  <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
+#  <Computer>COMPUTER</Computer>
+#  <Security UserID="S-1-5-18" />
+#  </System>
+# <EventData>
+#  <Data Name="CSEExtensionId">{35378eac-683f-11d2-a89a-00c04fbbcfa2}</Data>
+#  <Data Name="CSEExtensionName">Registry</Data>
+#  <Data Name="IsExtensionAsyncProcessing">false</Data>
+#  <Data Name="IsGPOListChanged">true</Data>
+#  <Data Name="GPOListStatusString">%%4102</Data>
+#  <Data Name="DescriptionString">GPO TITLE</Data>
+#  <Data Name="ApplicableGPOList"><GPO ID=" LIST OF GPO’s>
+#  </EventData>
+#  </Event>

evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4017.map

@@ -0,0 +1,48 @@
+Author: Tony Knutson
+Description: Making LDAP calls to connect and bind to Active Directory
+EventId: 4017
+Channel: Microsoft-Windows-GroupPolicy/Operational
+Provider: Microsoft-Windows-GroupPolicy
+Maps:
+
+  -
+    Property: PayloadData1
+    PropertyValue: "Domain: %Parameter%"
+    Values:
+      -
+        Name: Parameter
+        Value: "/Event/EventData/Data[@Name=\"Parameter\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "Description: %OperationDescription%"
+    Values:
+      -
+        Name: OperationDescription
+        Value: "/Event/EventData/Data[@Name=\"OperationDescription\"]"
+
+#Documentation:
+# https://kb.eventtracker.com/evtpass/evtpages/EventId_1501_Microsoft-Windows-GroupPolicy_62070.asp#:~:text=The%20Group%20Policy%20settings%20for,successful%20processing%20of%20Group%20Policy.
+#
+#Example Event Data:
+#- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#- <System>
+#  <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
+#  <EventID>4017</EventID>
+#  <Version>0</Version>
+#  <Level>4</Level>
+#  <Task>0</Task>
+#  <Opcode>0</Opcode>
+#  <Keywords>0x4000000000000000</Keywords>
+#  <TimeCreated SystemTime="2022-05-24T00:34:22.9179272Z" />
+#  <EventRecordID>513752</EventRecordID>
+#  <Correlation ActivityID="{6d8cc6ce-e631-493b-a5d0-2905e6dad63c}" />
+#  <Execution ProcessID="7780" ThreadID="14132" />
+#  <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
+#  <Computer>COMPUTER NAME</Computer>
+#  <Security UserID="S-1-5-18" />
+#  </System>
+#- <EventData>
+#  <Data Name="OperationDescription">%%4119</Data>
+#  <Data Name="Parameter">DOMAIN</Data>
+#  </EventData>
+#  </Event>

evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5379.map

@@ -0,0 +1,79 @@
+Author: Tony Knutson
+Description: Credential Manager credentials were read
+EventId: 5379
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+  -
+    Property: ExecutableInfo
+    PropertyValue: "%TargetName%"
+    Values:
+      -
+        Name: TargetName
+        Value: "/Event/EventData/Data[@Name=\"TargetName\"]"
+  -
+    Property: UserName
+    PropertyValue: "%SubjectUserName%"
+    Values:
+      -
+        Name: SubjectUserName
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+  -
+    Property: PayloadData1
+    PropertyValue: "SID: %SubjectUserSid%"
+    Values:
+      -
+        Name: SubjectUserSid
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "Domain: %SubjectDomainName%"
+    Values:
+      -
+        Name: SubjectDomainName
+        Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "LogonID: %SubjectLogonId%"
+    Values:
+      -
+        Name: SubjectLogonId
+        Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+
+
+#Documentation:
+#https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5379
+#https://www.socinvestigation.com/windows-event-id-5379-to-detect-malicious-password-protected-file-unlock/
+#
+#Example Event Data:
+#-<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# -<System>
+#  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
+#  <EventID>5379</EventID>
+#  <Version>0</Version>
+#  <Level>0</Level>
+#  <Task>13824</Task>
+#  <Opcode>0</Opcode>
+#  <Keywords>0x8020000000000000</Keywords>
+#  <TimeCreated SystemTime="YYYY-MM-DD hh:mm:ssZ" />
+#  <EventRecordID>772430</EventRecordID>
+#  <Correlation ActivityID="{f762f5b4-bee5-4faa-a9a9-fdaa6ea76589}" />
+#  <Execution ProcessID="788" ThreadID="828" />
+#  <Channel>Security</Channel>
+#  <Computer>COMPUTER NAME</Computer>
+#  <Security />
+# </System>
+#- <EventData>
+#  <Data Name="SubjectUserSid">SID</Data>
+#  <Data Name="SubjectUserName">Username</Data>
+#  <Data Name="SubjectDomainName">Domain</Data>
+#  <Data Name="SubjectLogonId">0x3e7</Data>
+#  <Data Name="TargetName">TARGET</Data>
+#  <Data Name="Type">0</Data>
+#  <Data Name="CountOfCredentialsReturned">0</Data>
+#  <Data Name="ReadOperation">%%8100</Data>
+#  <Data Name="ReturnCode">3221226021</Data>
+#  <Data Name="ProcessCreationTime">YYYY-MM-DD hh:mm:ssZ</Data>
+#  <Data Name="ClientProcessId">1448</Data>
+# </EventData>
+#</Event>