Update Guide/Template with XPATH documentation, examples, etc #117

Merged
merged 3 commits into from
Mar 6, 2021
10 changes: 7 additions & 3 deletions evtx/Maps/!Channel-Name_Provider-Name_EventID.guide
Expand Up @@ -14,6 +14,7 @@ Provider: Provider goes here
# If your map calls for multiple lookup tables, please nest all lookups underneath a single "Lookups: " instance. For good examples of this, check out Security 4769 and 4771.
# No empty space between "Provider:" and "Maps:", please.
# After your last # line at the bottom of the map, hit Enter so there's a blank line underneath your last line of map content.
# If you're struggling with getting hits when you're making maps, read this awesome guide on XPATH: https://www.altova.com/training/xpath3
Maps:
-
Property: UserName # UserName --> if at all possible, try to include DOMAIN\username if that information is recorded in the event.
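Review bot: style point on the added guide line: the language's own name is "XPath", so the comment should read "this awesome guide on XPath" rather than "XPATH" so the guide uses one spelling throughout. The placement is fine, after the formatting rules and before `Maps:` where a map author will see it.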
Expand All @@ -27,11 +28,14 @@ Maps:
Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
-
Property: RemoteHost # RemoteHost --> used for IP addresses, hostname, or anything else that could identify a remote host within an event.
PropertyValue: "%Address%"
PropertyValue: "Target: %TargetDomainName%\\%TargetUserName%"
Values:
-
Name: Address
Value: "/Event/UserData/EventXML/Address"
Name: TargetUserName
Value: "/Event/EventData/Data[2]" # this is another way you can hit a certain node within the XML below. TargetUserName is the second node, hence the [2]
-
Name: TargetDomainName
Value: "/Event/EventData/Data[3]" @ same as above, but it's the 3rd node, hence the [3]
-
Property: ExecutableInfo # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
PropertyValue: "%ProcessName%"
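Review bot: the comment on the new `TargetDomainName` line is introduced with `@` instead of `#` (`Value: "/Event/EventData/Data[3]" @ same as above, but it's the 3rd node, hence the [3]`); the map files are YAML, and text following a quoted scalar that is not a `#` comment is a parse error, so anyone copying this line from the guide gets a map that fails to load. It should read `Value: "/Event/EventData/Data[3]" # same as above, but it's the 3rd node, hence the [3]`. Two further points in the same hunk: the positional selectors `Data[2]` and `Data[3]` resolve by element order inside `<EventData>` and will silently pick a different field if another version of the event inserts or reorders `<Data>` elements, whereas the `Data[@Name=\"SubjectUserName\"]` form on the context line above selects by name; since the guide is teaching both forms, it should say that the `@Name` form is preferred whenever the element carries a `Name` attribute and that the index form is a fallback for unnamed nodes. Also, the `RemoteHost` comment still says the property is for "IP addresses, hostname, or anything else that could identify a remote host", but the new `PropertyValue` puts `Target: DOMAIN\user` there; either the comment or the example value should change so they agree.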
11 changes: 7 additions & 4 deletions evtx/Maps/!Channel-Name_Provider-Name_EventID.template
Expand Up @@ -16,11 +16,14 @@ Maps:
Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
-
Property: RemoteHost
PropertyValue: "%Address%"
PropertyValue: "Target: %TargetDomainName%\\%TargetUserName%"
Values:
-
Name: Address
Value: "/Event/UserData/EventXML/Address"
Name: TargetUserName
Value: "/Event/EventData/Data[2]"
-
Name: TargetDomainName
Value: "/Event/EventData/Data[3]"
-
Property: ExecutableInfo
PropertyValue: "%ProcessName%"
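Review bot: same concern as in the guide file: the new `TargetUserName` and `TargetDomainName` values use the positional selectors `Data[2]` and `Data[3]`, which depend on element order and return the wrong field if the event's `<EventData>` layout differs between event versions. The context line `Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"` already shows the name-based form, and because the template is what map authors copy, it would be safer and more consistent to use `Data[@Name=\"TargetUserName\"]` and `Data[@Name=\"TargetDomainName\"]` here (the guide can keep the index form as the documented alternative). As in the guide, the `RemoteHost` property now carries a `Target: %TargetDomainName%\\%TargetUserName%` value, which is a user identity rather than a remote host; consider whether that example belongs under `RemoteHost` in the template.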
Expand Down Expand Up @@ -95,7 +98,7 @@ Lookups:
6: Timer (See WakeSourceText for details)

# Documentation:
#
# N/A if no link(s) can be found. One link per line, please.
#
# Example Event Data:
# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">