From 60b31277a9994eebaccf5c6ba3c7e45ec278cea9 Mon Sep 17 00:00:00 2001
From: Gabriele Zambelli <8271353+forensenellanebbia@users.noreply.github.com>
Date: Thu, 24 Dec 2020 00:56:13 +0100
Subject: [PATCH 1/2] New maps
---
...pplication_Citrix-Desktop-Service_1027.map | 45 ++++++++++++++++++
...pplication_Citrix-Desktop-Service_1049.map | 37 +++++++++++++++
.../Maps/Application_MetaFrameEvents_1106.map | 46 +++++++++++++++++++
evtx/Maps/Application_WSH_0.map | 36 +++++++++++++++
4 files changed, 164 insertions(+)
create mode 100644 evtx/Maps/Application_Citrix-Desktop-Service_1027.map
create mode 100644 evtx/Maps/Application_Citrix-Desktop-Service_1049.map
create mode 100644 evtx/Maps/Application_MetaFrameEvents_1106.map
create mode 100644 evtx/Maps/Application_WSH_0.map
diff --git a/evtx/Maps/Application_Citrix-Desktop-Service_1027.map b/evtx/Maps/Application_Citrix-Desktop-Service_1027.map
new file mode 100644
index 00000000..750632b5
--- /dev/null
+++ b/evtx/Maps/Application_Citrix-Desktop-Service_1027.map
@@ -0,0 +1,45 @@
+Author: Gabriele Zambelli @gazambelli
+Description: Citrix user session started
+EventId: 1027
+Channel: Application
+Provider: "Citrix Desktop Service"
+Maps:
+ -
+ Property: Username
+ PropertyValue: "Target: %user%"
+ Values:
+ -
+ Name: user
+ Value: "/Event/EventData/Data"
+ Refine: "^.*(?=, )"
+ -
+ Property: PayloadData1
+ PropertyValue: "SessionID: %SessionID%"
+ Values:
+ -
+ Name: SessionID
+ Value: "/Event/EventData/Data"
+ Refine: "[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}"
+
+# Documentation:
+# https://discussions.citrix.com/topic/342198-xendesktop-7-interactive-session-slows-logon/page/9/
+#
+# Example Event Data:
+#
+ #
+ #
+ # 1027
+ # 4
+ # 0
+ # 0x80000000000000
+ #
+ # 359095
+ # Application
+ # hostname
+ #
+ #
+ #
+ # remoteuser, 1234abcd-12ab-12ab-12ab-123456abcdef
+ #
+ #
+#
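Review bot: The SessionID Refine on the second `Value: "/Event/EventData/Data"` entry accepts any lowercase letter (`[0-9a-z]`) and no uppercase, so it is both wider than a GUID and, if the map engine's Refine matching is case-sensitive (not visible from this hunk), fails on an uppercase GUID and leaves PayloadData1 without a session id; `Refine: "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"` covers both cases and nothing else. The Username Refine `^.*(?=, )` is greedy, so a Data value containing ", " more than once would be cut at the last separator rather than the first; `^.*?(?=, )` stops at the first one, which is what the sample `remoteuser, 1234abcd-...` calls for. A one-line comment next to each Refine saying which part of the sample it is meant to isolate would let a reader check the regex against the example without re-deriving it.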
diff --git a/evtx/Maps/Application_Citrix-Desktop-Service_1049.map b/evtx/Maps/Application_Citrix-Desktop-Service_1049.map
new file mode 100644
index 00000000..5970bd4d
--- /dev/null
+++ b/evtx/Maps/Application_Citrix-Desktop-Service_1049.map
@@ -0,0 +1,37 @@
+Author: Gabriele Zambelli @gazambelli
+Description: Citrix user session disconnected
+EventId: 1049
+Channel: Application
+Provider: "Citrix Desktop Service"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "SessionID: %SessionID%"
+ Values:
+ -
+ Name: SessionID
+ Value: "/Event/EventData/Data"
+
+# Documentation:
+# https://computergarage.org/citrix-desktop-service-eventid-1049-the-session-was-disconnected.html
+#
+# Example Event Data:
+#
+ #
+ #
+ # 1049
+ # 4
+ # 0
+ # 0x80000000000000
+ #
+ # 3590389
+ # Application
+ # hostname
+ #
+ #
+ #
+ # 1234abcd-12ab-12ab-12ab-123456abcdef
+ #
+ #
+#
+
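Review bot: The SessionID mapping here has no Refine, unlike the 1027 map added in the same patch, so whatever the Data element holds is copied verbatim into PayloadData1; the sample shows only the GUID, but if a variant of event 1049 carries extra text the column would pick it up unchanged. Reusing the GUID Refine from the 1027 map keeps the two Citrix maps consistent and guarantees the 1027/1049 SessionID values share an identical key when correlated in Timeline Explorer. Minor: the hunk ends with an extra blank line after the closing `#` that the other new maps do not have.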
diff --git a/evtx/Maps/Application_MetaFrameEvents_1106.map b/evtx/Maps/Application_MetaFrameEvents_1106.map
new file mode 100644
index 00000000..e447ef23
--- /dev/null
+++ b/evtx/Maps/Application_MetaFrameEvents_1106.map
@@ -0,0 +1,46 @@
+Author: Gabriele Zambelli @gazambelli
+Description: Citrix client printer auto-creation failed
+EventId: 1106
+Channel: Application
+Provider: MetaFrameEvents
+Maps:
+ -
+ Property: RemoteHost
+ PropertyValue: "%ClientName%"
+ Values:
+ -
+ Name: ClientName
+ Value: "/Event/EventData/Data"
+ Refine: "^[a-z0-9-]*"
+ -
+ Property: PayloadData1
+ PropertyValue: "Printer: %Printer%"
+ Values:
+ -
+ Name: Printer
+ Value: "/Event/EventData/Data"
+ Refine: "(?<=, ).*"
+
+# Documentation:
+# https://support.citrix.com/article/CTX137114
+#
+# Example Event Data:
+#
+ #
+ #
+ # 1106
+ # 3
+ # 2
+ # 0x80000000000000
+ #
+ # 3587921
+ # Application
+ # hostname
+ #
+ #
+ #
+ # NOTEBOOK, Brother PC-FAX v.3.2 #2 (from NOTEBOOK) in session 2, Brother PC-FAX v.3.2
+ #
+ #
+#
+
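Review bot: The RemoteHost Refine `^[a-z0-9-]*` cannot match the uppercase `NOTEBOOK` in the map's own example unless the engine matches case-insensitively, and because `*` permits an empty match the regex would succeed with an empty string and leave RemoteHost blank rather than failing visibly; client names containing underscores or dots would be truncated the same way. `Refine: "^[^,]*"` (or `^.*?(?=, )`, the form the 1027 map in this patch uses) takes everything up to the first comma regardless of case. If case-insensitive matching is in fact the engine's default, a comment stating so beside the Refine would spare the next reader the same question.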
diff --git a/evtx/Maps/Application_WSH_0.map b/evtx/Maps/Application_WSH_0.map
new file mode 100644
index 00000000..290c818c
--- /dev/null
+++ b/evtx/Maps/Application_WSH_0.map
@@ -0,0 +1,36 @@
+Author: Gabriele Zambelli @gazambelli
+Description: Windows Script Host (WSH)
+EventId: 0
+Channel: Application
+Provider: WSH
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data"
+
+# Documentation:
+# http://www.eventid.net/display-eventid-0-source-WSH-eventno-3533-phase-1.htm
+#
+# Example Event Data:
+#
+ #
+ #
+ # 0
+ # 0
+ # 0
+ # 0x80000000000000
+ #
+ # 359861
+ # Application
+ # hostname
+ #
+ #
+ #
+ #
+ #
+ #
+#
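Review bot: The Description `Windows Script Host (WSH)` repeats the Provider and does not say what condition event 0 records, so the mapped row will not tell an analyst whether this is a script error, an informational message or something else; the linked eventid.net page suggests an error message, but that is not stated in the map. As rendered here the example block also shows no Data value, so a reader cannot see what PayloadData1 will contain. A description such as `Description: Windows Script Host (WSH) message logged to the Application log (Data holds the host's message text - confirm against a sample)` plus a populated example would make the map self-explaining.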
From 43564f6060f4102d32e40dfc2fbcd1e1918a011b Mon Sep 17 00:00:00 2001
From: Gabriele Zambelli <8271353+forensenellanebbia@users.noreply.github.com>
Date: Thu, 24 Dec 2020 01:00:46 +0100
Subject: [PATCH 2/2] Updated documentation and fixed regexp
---
...erminalServices-ClientActiveXCore_1029.map | 30 ++++++++++++++++---
...Symantec-Endpoint-Protection-Client_51.map | 4 +--
2 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1029.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1029.map
index f143abe2..f281b5b9 100644
--- a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1029.map
+++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1029.map
@@ -23,10 +23,32 @@ Maps:
# Documentation:
# Windows Event ID 1029 Hashes: https://nullsec.us/windows-event-id-1029-hashes/
# CyberChef recipes to calculate the same encoded value from a known username
-# Windows 7 : Base64(SHA1(UserName))
-# - https://gchq.github.io/CyberChef/#recipe=Decode_text('UTF-8%20(65001)')Encode_text('UTF-16LE%20(1200)')SHA1()From_Hex('Space')To_Base64('A-Za-z0-9%2B/%3D')
-# Windows 10: Base64(SHA256(UserName))
-# - https://gchq.github.io/CyberChef/#recipe=Decode_text('UTF-8%20(65001)')Encode_text('UTF-16LE%20(1200)')SHA2('256')From_Hex('Space')To_Base64('A-Za-z0-9%2B/%3D')
+# OS : Windows 7 / Windows Server 2008 R2
+# Hash : Base64(SHA1(UserName))
+# Recipe : https://gchq.github.io/CyberChef/#recipe=Decode_text('UTF-8%20(65001)')Encode_text('UTF-16LE%20(1200)')SHA1()From_Hex('Space')To_Base64('A-Za-z0-9%2B/%3D')
+# Example:
+# Input = administrator
+# Output = /6UN2Oco6V2sEKuooAIuzrrOUrk=
+#
+# OS : Windows 10
+# Hash : Base64(SHA256(UserName))
+# Recipe: https://gchq.github.io/CyberChef/#recipe=Decode_text('UTF-8%20(65001)')Encode_text('UTF-16LE%20(1200)')SHA2('256')From_Hex('Space')To_Base64('A-Za-z0-9%2B/%3D')
+# Example:
+# Input = administrator
+# Output = WAlZ81aqzLQmoWEfQivmPQwJxIm/XQcDjplQdjznr5E=
+#
+# If you need to decode a large number of encoded values, try my recipe for CyberChef. These are the steps to follow:
+# 1) Copy and paste the following recipe into CyberChef:
+# Compact JSON:
+# [{"op":"Unique","args":["Line feed"]},{"op":"Fork","args":["\\n","\\n",false]},{"op":"Find / Replace","args":[{"option":"Regex","string":"-\\\\-"},"",true,false,true,false]},{"op":"Find / Replace","args":[{"option":"Regex","string":"(User Name|Payload Data.|Target: |Target \\(encoded\\).*| \\(S\\-.*\\)|NETWORK SERVICE)"},"",true,false,true,false]},{"op":"Find / Replace","args":[{"option":"Regex","string":"(^.*\\\\|S-[0-9\\-]*)"},"",true,false,true,false]},{"op":"Register","args":["([\\s\\S]*)",true,false,false]},{"op":"Decode text","args":["UTF-8 (65001)"]},{"op":"Encode text","args":["UTF-16LE (1200)"]},{"op":"SHA1","args":[],"disabled":true},{"op":"SHA2","args":["256"]},{"op":"From Hex","args":["Space"]},{"op":"To Base64","args":["A-Za-z0-9+/="]},{"op":"Register","args":["([\\s\\S]*)",true,false,false]},{"op":"Find / Replace","args":[{"option":"Simple string","string":"$R1"},"$R1,$R0",true,false,true,false]},{"op":"Merge","args":[]},{"op":"Unique","args":["Line feed"]},{"op":"Sort","args":["Line feed",false,"Alphabetical (case insensitive)"]},{"op":"To Table","args":[",","\\r\\n",false,"HTML"]}]
+# 2) From CyberChef, disable or remove the hash operation (SHA1 or SHA2) that you don't need
+# 3) From Timeline Explorer:
+# - Column "User Name" : copy all the non-blank values
+# - Column "Payload Data1": copy all the values containing "Target:"
+# 4) Paste what you just copied into the input area of CyberChef (no need to clean or dedupe the input before pasting)
+# 5) Bake!
+#
+# Articles:
# https://cyber-tls.blogspot.com/2019/08/rdp.html
# https://social.technet.microsoft.com/wiki/contents/articles/37847.rdp-direct-connection-with-nla-remote-desktop-client-event-logs.aspx
# https://nullsec.us/windows-rdp-related-event-logs-the-client-side-of-the-story/
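Review bot: The rewritten OS/Hash table lists only Windows 7 / Server 2008 R2 and Windows 10, so a reader handling a Windows 8.1, Server 2012 R2, 2016 or 2019 client log cannot tell from the map which digest to try; a line such as `# Other versions : not verified here - try the SHA256 recipe first, then SHA1` (or the actual verified mapping, if known) would close the gap. The compact-JSON recipe is a single very long comment line whose embedded Find / Replace steps strip inputs matching `Target \\(encoded\\).*` and `NETWORK SERVICE`; a short sentence above it naming what the recipe discards would keep analysts from wondering why some rows are missing from the resulting table. Minor: `# Recipe:` under Windows 10 lacks the space before the colon used by the other labels.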
diff --git a/evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_51.map b/evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_51.map
index e020c090..99eafcc9 100644
--- a/evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_51.map
+++ b/evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_51.map
@@ -14,12 +14,12 @@ Maps:
Refine: "(?<=File: ).*(?= by: )"
-
Property: PayloadData1
- PropertyValue: "%PayloadData1%"
+ PropertyValue: "Risk: %PayloadData1%"
Values:
-
Name: PayloadData1
Value: "/Event/EventData/Data"
- Refine: "^.*(?= in File:)"
+ Refine: "(?<=Security Risk Found! ).*(?= in File:)"
-
Property: PayloadData2
PropertyValue: "%PayloadData2%"
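Review bot: The new Refine `(?<=Security Risk Found! ).*(?= in File:)` anchors on the literal prefix `Security Risk Found! `, whereas the replaced `^.*(?= in File:)` accepted any message, so events whose text uses a different lead-in (another risk category, a localized client) will no longer match and PayloadData1 will not receive the risk name; what the engine writes to the column when a Refine fails is not visible from this hunk, so that behaviour is worth confirming. If the intent is only to drop the exclamation-terminated prefix, `(?<=! ).*(?= in File:)` keeps the tightening without hard-coding one phrase. The map's comment block with the example event is outside this hunk, so it should also be checked that the sample there still matches the new Refine.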