GPO #196

Merged
merged 10 commits into from
Jun 23, 2022
@@ -0,0 +1,82 @@
Author: Tony Knutson
Description: Starting manual processing of policy for COMPUTER
EventId: 4004
Channel: Microsoft-Windows-GroupPolicy/Operational
Provider: Microsoft-Windows-GroupPolicy
Maps:

-
Property: UserName
PropertyValue: "%PrincipalSamName%"
Values:
-
Name: PrincipalSamName
Value: "/Event/EventData/Data[@Name=\"PrincipalSamName\"]"
-
Property: PayloadData1
PropertyValue: "DomainJoined: %IsDomainJoined%"
Values:
-
Name: IsDomainJoined
Value: "/Event/EventData/Data[@Name=\"IsDomainJoined\"]"
-
Property: PayloadData2
PropertyValue: "BackgroundProcessing: %IsBackgroundProcessing%"
Values:
-
Name: IsBackgroundProcessing
Value: "/Event/EventData/Data[@Name=\"IsBackgroundProcessing\"]"
-
Property: PayloadData3
PropertyValue: "AsyncProcessing: %IsAsyncProcessing%"
Values:
-
Name: IsAsyncProcessing
Value: "/Event/EventData/Data[@Name=\"IsAsyncProcessing\"]"
-
Property: PayloadData4
PropertyValue: "ServiceRestart: %IsServiceRestart%"
Values:
-
Name: IsServiceRestart
Value: "/Event/EventData/Data[@Name=\"IsServiceRestart\"]"
-
Property: PayloadData5
PropertyValue: "Reasonforsyncing: %ReasonForSyncProcessing%"
Values:
-
Name: ReasonForSyncProcessing
Value: "/Event/EventData/Data[@Name=\"ReasonForSyncProcessing\"]"

# Documentation:
# Starting manual processing of policy for computer {PrincipalSamName}. Activity id: {PolicyActivityId}
#
# Example Event Data:
# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
# <System>
# <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
# <EventID>4004</EventID>
# <Version>1</Version>
# <Level>4</Level>
# <Task>0</Task>
# <Opcode>1</Opcode>
# <Keywords>0x4000000000000000</Keywords>
# <TimeCreated SystemTime="2022-05-23T16:29:22.9386942Z" />
# <EventRecordID>512864</EventRecordID>
# <Correlation ActivityID="{41242399-fbd6-42f2-a8ce-48300011574d}" />
# <Execution ProcessID="8416" ThreadID="5124" />
# <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
# <Computer>COMPUTER</Computer>
# <Security UserID="S-1-5-18" />
# </System>
# <EventData>
# <Data Name="PolicyActivityId">{41242399-fbd6-42f2-a8ce-48300011574d}</Data>
# <Data Name="PrincipalSamName">USERNAME</Data>
# <Data Name="IsMachine">1</Data>
# <Data Name="IsDomainJoined">true</Data>
# <Data Name="IsBackgroundProcessing">true</Data>
# <Data Name="IsAsyncProcessing">false</Data>
# <Data Name="IsServiceRestart">false</Data>
# <Data Name="ReasonForSyncProcessing">0</Data>
# </EventData>
# </Event>
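Review bot: The map never extracts PolicyActivityId, although the documentation line in this same file ("Activity id: {PolicyActivityId}") shows it is part of the rendered message and the example EventData carries it (it also matches the Correlation ActivityID in the System block), so an analyst reading the mapped output has no value to pair this 4004 start event with the related events that share that activity id. Add a sixth entry carrying it, as sketched below; the 4005 map in the next file section has the same gap. Indentation of the Maps list is not visible in this rendering, so the nesting of the new entry under `Maps:` must be matched to the raw file.
```yaml
# … unchanged: entries PayloadData1 – PayloadData5 …
  -
    Property: PayloadData6
    PropertyValue: "ActivityId: %PolicyActivityId%"
    Values:
      -
        Name: PolicyActivityId
        Value: "/Event/EventData/Data[@Name=\"PolicyActivityId\"]"
```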
@@ -0,0 +1,82 @@
Author: Tony Knutson
Description: Starting manual processing of policy for USER
EventId: 4005
Channel: Microsoft-Windows-GroupPolicy/Operational
Provider: Microsoft-Windows-GroupPolicy
Maps:

-
Property: UserName
PropertyValue: "%PrincipalSamName%"
Values:
-
Name: PrincipalSamName
Value: "/Event/EventData/Data[@Name=\"PrincipalSamName\"]"
-
Property: PayloadData1
PropertyValue: "DomainJoined: %IsDomainJoined%"
Values:
-
Name: IsDomainJoined
Value: "/Event/EventData/Data[@Name=\"IsDomainJoined\"]"
-
Property: PayloadData2
PropertyValue: "BackgroundProcessing: %IsBackgroundProcessing%"
Values:
-
Name: IsBackgroundProcessing
Value: "/Event/EventData/Data[@Name=\"IsBackgroundProcessing\"]"
-
Property: PayloadData3
PropertyValue: "AsyncProcessing: %IsAsyncProcessing%"
Values:
-
Name: IsAsyncProcessing
Value: "/Event/EventData/Data[@Name=\"IsAsyncProcessing\"]"
-
Property: PayloadData4
PropertyValue: "ServiceRestart: %IsServiceRestart%"
Values:
-
Name: IsServiceRestart
Value: "/Event/EventData/Data[@Name=\"IsServiceRestart\"]"
-
Property: PayloadData5
PropertyValue: "Reasonforsyncing: %ReasonForSyncProcessing%"
Values:
-
Name: ReasonForSyncProcessing
Value: "/Event/EventData/Data[@Name=\"ReasonForSyncProcessing\"]"

# Documentation:
# Starting manual processing of policy for user {PrincipalSamName}. Activity id: {PolicyActivityId}
#
# Example Event Data:
# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
# <System>
# <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
# <EventID>4005</EventID>
# <Version>1</Version>
# <Level>4</Level>
# <Task>0</Task>
# <Opcode>1</Opcode>
# <Keywords>0x4000000000000000</Keywords>
# <TimeCreated SystemTime="2022-05-22T21:47:54.4303572Z" />
# <EventRecordID>511656</EventRecordID>
# <Correlation ActivityID="{384ca94a-510c-4ce3-b104-9ef593805492}" />
# <Execution ProcessID="8188" ThreadID="10916" />
# <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
# <Computer>COMPUTER NAME</Computer>
# <Security UserID="SID" />
# </System>
# <EventData>
# <Data Name="PolicyActivityId">{384ca94a-510c-4ce3-b104-9ef593805492}</Data>
# <Data Name="PrincipalSamName">USERNAME</Data>
# <Data Name="IsMachine">0</Data>
# <Data Name="IsDomainJoined">false</Data>
# <Data Name="IsBackgroundProcessing">true</Data>
# <Data Name="IsAsyncProcessing">false</Data>
# <Data Name="IsServiceRestart">false</Data>
# <Data Name="ReasonForSyncProcessing">0</Data>
# </EventData>
# </Event>
@@ -0,0 +1,68 @@
Author: Tony Knutson
Description: List of applicable Group Policy objects
EventId: 4016
Channel: Microsoft-Windows-GroupPolicy/Operational
Provider: Microsoft-Windows-GroupPolicy
Maps:

-
Property: PayloadData1
PropertyValue: "GPO Title: %DescriptionString%"
Values:
-
Name: DescriptionString
Value: "/Event/EventData/Data[@Name=\"DescriptionString\"]"
-
Property: PayloadData2
PropertyValue: "GPO List: %ApplicableGPOList%"
Values:
-
Name: ApplicableGPOList
Value: "/Event/EventData/Data[@Name=\"ApplicableGPOList\"]"
-
Property: PayloadData3
PropertyValue: "GPOChange: %IsGPOListChanged%"
Values:
-
Name: IsGPOListChanged
Value: "/Event/EventData/Data[@Name=\"IsGPOListChanged\"]"
-
Property: PayloadData4
PropertyValue: "CSEExtensionName: %CSEExtensionName%"
Values:
-
Name: CSEExtensionName
Value: "/Event/EventData/Data[@Name=\"CSEExtensionName\"]"

# Documentation:
# Events 4016 and 5016 show the start and end of processing of groups of policies, including how long it took to apply each one in the end event.
# https://itworldjd.wordpress.com/2014/03/10/gpo-troubleshooting-using-log-files-on-win7-and-win-2008-r2/
#
# Example Event Data:
# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
# <System>
# <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
# <EventID>4016</EventID>
# <Version>0</Version>
# <Level>4</Level>
# <Task>0</Task>
# <Opcode>1</Opcode>
# <Keywords>0x4000000000000000</Keywords>
# <TimeCreated SystemTime="2022-05-24T13:05:59.3535687Z" />
# <EventRecordID>515206</EventRecordID>
# <Correlation ActivityID="{a5fbeca3-6758-456e-9209-c120909df110}" />
# <Execution ProcessID="9748" ThreadID="11076" />
# <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
# <Computer>COMPUTER</Computer>
# <Security UserID="S-1-5-18" />
# </System>
# <EventData>
# <Data Name="CSEExtensionId">{35378eac-683f-11d2-a89a-00c04fbbcfa2}</Data>
# <Data Name="CSEExtensionName">Registry</Data>
# <Data Name="IsExtensionAsyncProcessing">false</Data>
# <Data Name="IsGPOListChanged">true</Data>
# <Data Name="GPOListStatusString">%%4102</Data>
# <Data Name="DescriptionString">GPO TITLE</Data>
# <Data Name="ApplicableGPOList"><GPO ID=" LIST OF GPO’s>
# </EventData>
# </Event>
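Review bot: The documentation says 4016 and 5016 are the start and end of processing a group of policies, but nothing in the map carries the identifier that links the pair; in the example the only such value is `Correlation ActivityID` under `System`, not an EventData field, so the XPath would have to be `/Event/System/Correlation/@ActivityID` — confirm against other maps in the repository that attribute selections are accepted before relying on it. `CSEExtensionId` is also dropped in favour of the name only, which is fine for reading but loses the stable GUID; consider adding it as a further PayloadData entry. The example's `ApplicableGPOList` line shows the field contains XML markup (`<GPO ID=...`), so the mapped PayloadData2 will presumably be a long escaped string rather than a list — worth a one-line comment in the documentation block, e.g. `# ApplicableGPOList is an XML fragment; the map surfaces it verbatim.`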
@@ -0,0 +1,48 @@
Author: Tony Knutson
Description: Making LDAP calls to connect and bind to Active Directory
EventId: 4017
Channel: Microsoft-Windows-GroupPolicy/Operational
Provider: Microsoft-Windows-GroupPolicy
Maps:

-
Property: PayloadData1
PropertyValue: "Domain: %Parameter%"
Values:
-
Name: Parameter
Value: "/Event/EventData/Data[@Name=\"Parameter\"]"
-
Property: PayloadData2
PropertyValue: "Description: %OperationDescription%"
Values:
-
Name: OperationDescription
Value: "/Event/EventData/Data[@Name=\"OperationDescription\"]"

#Documentation:
# https://kb.eventtracker.com/evtpass/evtpages/EventId_1501_Microsoft-Windows-GroupPolicy_62070.asp#:~:text=The%20Group%20Policy%20settings%20for,successful%20processing%20of%20Group%20Policy.
#
#Example Event Data:
#- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
#- <System>
# <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
# <EventID>4017</EventID>
# <Version>0</Version>
# <Level>4</Level>
# <Task>0</Task>
# <Opcode>0</Opcode>
# <Keywords>0x4000000000000000</Keywords>
# <TimeCreated SystemTime="2022-05-24T00:34:22.9179272Z" />
# <EventRecordID>513752</EventRecordID>
# <Correlation ActivityID="{6d8cc6ce-e631-493b-a5d0-2905e6dad63c}" />
# <Execution ProcessID="7780" ThreadID="14132" />
# <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
# <Computer>COMPUTER NAME</Computer>
# <Security UserID="S-1-5-18" />
# </System>
#- <EventData>
# <Data Name="OperationDescription">%%4119</Data>
# <Data Name="Parameter">DOMAIN</Data>
# </EventData>
# </Event>
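Review bot: The documentation reference points at a page for Event ID 1501 (the `EventId_1501_...` URL and its highlighted text about "Group Policy settings for ... successful processing"), which is a different event from the 4017 LDAP bind event this map describes; either replace it with a reference that actually covers 4017 or drop the link and keep a one-line description such as `# 4017 is logged when the Group Policy service starts an LDAP connect/bind to the domain named in Parameter.` The example's `OperationDescription` value is `%%4119`, a message-table placeholder, so `Description: %OperationDescription%` will presumably surface that raw token unless the tool resolves it — note this in the documentation block if it does not. The comment headers here use `#Documentation:` and `#Example Event Data:` without a space, while the 4004/4005/4016 maps use `# Documentation:`; align them for consistency across the set.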
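--- a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5379.map
+++ b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5379.map
@@ -0,0 +1,79 @@
+Author: Tony Knutson
+Description: Credential Manager credentials were read
+EventId: 5379
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+-
+Property: ExecutableInfo
+PropertyValue: "%TargetName%"
+Values:
+-
+Name: TargetName
+Value: "/Event/EventData/Data[@Name=\"TargetName\"]"
+-
+Property: UserName
+PropertyValue: "%SubjectUserName%"
+Values:
+-
+Name: SubjectUserName
+Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+-
+Property: PayloadData1
+PropertyValue: "SID: %SubjectUserSid%"
+Values:
+-
+Name: SubjectUserSid
+Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+-
+Property: PayloadData2
+PropertyValue: "Domain: %SubjectDomainName%"
+Values:
+-
+Name: SubjectDomainName
+Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+-
+Property: PayloadData3
+PropertyValue: "LogonID: %SubjectLogonId%"
+Values:
+-
+Name: SubjectLogonId
+Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+
+
+#Documentation:
+#https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5379
+#https://www.socinvestigation.com/windows-event-id-5379-to-detect-malicious-password-protected-file-unlock/
+#
+#Example Event Data:
+#-<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# -<System>
+# <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
+# <EventID>5379</EventID>
+# <Version>0</Version>
+# <Level>0</Level>
+# <Task>13824</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8020000000000000</Keywords>
+# <TimeCreated SystemTime="YYYY-MM-DD hh:mm:ssZ" />
+# <EventRecordID>772430</EventRecordID>
+# <Correlation ActivityID="{f762f5b4-bee5-4faa-a9a9-fdaa6ea76589}" />
+# <Execution ProcessID="788" ThreadID="828" />
+# <Channel>Security</Channel>
+# <Computer>COMPUTER NAME</Computer>
+# <Security />
+# </System>
+#- <EventData>
+# <Data Name="SubjectUserSid">SID</Data>
+# <Data Name="SubjectUserName">Username</Data>
+# <Data Name="SubjectDomainName">Domain</Data>
+# <Data Name="SubjectLogonId">0x3e7</Data>
+# <Data Name="TargetName">TARGET</Data>
+# <Data Name="Type">0</Data>
+# <Data Name="CountOfCredentialsReturned">0</Data>
+# <Data Name="ReadOperation">%%8100</Data>
+# <Data Name="ReturnCode">3221226021</Data>
+# <Data Name="ProcessCreationTime">YYYY-MM-DD hh:mm:ssZ</Data>
+# <Data Name="ClientProcessId">1448</Data>
+# </EventData>
+#</Event>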
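Review bot: The map leaves out the fields that make a 5379 credential-read record actionable: `ClientProcessId` (which process performed the read), `ReturnCode` (the example's non-zero value presumably marks a read that did not succeed) and `ReadOperation`/`CountOfCredentialsReturned` all appear in the example EventData but are not mapped, so the subject and target are surfaced without any indication of who asked or whether it worked. Add at least the two entries below; `ReadOperation` is a `%%`-style message-table token, so include it only if the tool resolves such references. Placing `TargetName` in `ExecutableInfo` also repurposes a column that, going by its name, other maps may fill with a process path — keep it only if that is the repository's convention for non-process events. The Maps indentation is not visible in this rendering, so match the nesting to the raw file.
```yaml
# … unchanged: ExecutableInfo, UserName, PayloadData1 – PayloadData3 entries …
  -
    Property: PayloadData4
    PropertyValue: "ClientProcessId: %ClientProcessId%"
    Values:
      -
        Name: ClientProcessId
        Value: "/Event/EventData/Data[@Name=\"ClientProcessId\"]"
  -
    Property: PayloadData5
    PropertyValue: "ReturnCode: %ReturnCode%"
    Values:
      -
        Name: ReturnCode
        Value: "/Event/EventData/Data[@Name=\"ReturnCode\"]"
```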