Add new maps #81

Merged
merged 8 commits into from
Dec 31, 2020
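--- a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4733.map
+++ b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4733.map
@@ -0,0 +1,96 @@
+Author: Andrew Rathbun
+Description: A member was removed from a security-enabled local group
+EventId: 4733
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+-
+Property: UserName
+PropertyValue: "%domain%\\%user% (%sid%)"
+Values:
+-
+Name: domain
+Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+-
+Name: user
+Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+-
+Name: sid
+Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+-
+Property: PayloadData1
+PropertyValue: "Target: %TargetDomainName%\\%TargetUserName% (%TargetSid%)"
+Values:
+-
+Name: TargetUserName
+Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
+-
+Name: TargetDomainName
+Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
+-
+Name: TargetSid
+Value: "/Event/EventData/Data[@Name=\"TargetSid\"]"
+-
+Property: PayloadData2
+PropertyValue: "SubjectLogonId: %SubjectLogonId%"
+Values:
+-
+Name: SubjectLogonId
+Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+-
+Property: PayloadData3
+PropertyValue: "MemberName: %MemberName%"
+Values:
+-
+Name: MemberName
+Value: "/Event/EventData/Data[@Name=\"MemberName\"]"
+-
+Property: PayloadData4
+PropertyValue: "MemberSid: %MemberSid%"
+Values:
+-
+Name: MemberSid
+Value: "/Event/EventData/Data[@Name=\"MemberSid\"]"
+-
+Property: PayloadData5
+PropertyValue: "PrivilegeList: %PrivilegeList%"
+Values:
+-
+Name: PrivilegeList
+Value: "/Event/EventData/Data[@Name=\"PrivilegeList\"]"
+
+# Documentation:
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4733
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4733
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+# <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
+# <EventID>4733</EventID>
+# <Version>0</Version>
+# <Level>0</Level>
+# <Task>13826</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8020000000000000</Keywords>
+# <TimeCreated SystemTime="2015-08-19T16:51:00.376806500Z" />
+# <EventRecordID>175037</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="520" ThreadID="1524" />
+# <Channel>Security</Channel>
+# <Computer>DC01.contoso.local</Computer>
+# <Security />
+# </System>
+# <EventData>
+# <Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
+# <Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
+# <Data Name="TargetUserName">AccountOperators</Data>
+# <Data Name="TargetDomainName">CONTOSO</Data>
+# <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
+# <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
+# <Data Name="SubjectUserName">dadmin</Data>
+# <Data Name="SubjectDomainName">CONTOSO</Data>
+# <Data Name="SubjectLogonId">0x35e38</Data>
+# <Data Name="PrivilegeList">-</Data>
+# </EventData>
+# </Event>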
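Review bot: The PayloadData1 label `Target:` does not tell an analyst which side of the change it names; in this event the Target* fields identify the group (the sample shows `TargetUserName` = `AccountOperators` with its group SID) while Member* identify the account that was removed, and nothing in the map says so. A one-line comment above the PayloadData1 entry, `# Target* = the group the member was removed from; Member* = the account removed (see PayloadData3/4)`, would make the rendered row self-explanatory. The same Target/Member split applies to any other group-membership maps added in this PR that use the `Target:` label.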
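--- a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4781.map
+++ b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4781.map
@@ -0,0 +1,82 @@
+Author: Andrew Rathbun
+Description: The name of an account was changed
+EventId: 4781
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+-
+Property: UserName
+PropertyValue: "%domain%\\%user% (%sid%)"
+Values:
+-
+Name: domain
+Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+-
+Name: user
+Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+-
+Name: sid
+Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+-
+Property: PayloadData1
+PropertyValue: "OldTargetUserName: %OldTargetUserName%"
+Values:
+-
+Name: OldTargetUserName
+Value: "/Event/EventData/Data[@Name=\"OldTargetUserName\"]"
+-
+Property: PayloadData2
+PropertyValue: "NewTargetUserName: %NewTargetUserName%"
+Values:
+-
+Name: NewTargetUserName
+Value: "/Event/EventData/Data[@Name=\"NewTargetUserName\"]"
+-
+Property: PayloadData3
+PropertyValue: "TargetDomainName: %TargetDomainName%"
+Values:
+-
+Name: TargetDomainName
+Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
+-
+Property: PayloadData4
+PropertyValue: "TargetSid: %TargetSid%"
+Values:
+-
+Name: TargetSid
+Value: "/Event/EventData/Data[@Name=\"TargetSid\"]"
+
+# Documentation:
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4781
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4781
+#
+# Example Event Data:
+#<Event>
+# <System>
+# <Provider Name="Microsoft-Windows-Security-Auditing" Guid="54856625-5478-7794-a5ba-3e3b0328c30d" />
+# <EventID>4781</EventID>
+# <Version>0</Version>
+# <Level>0</Level>
+# <Task>13784</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8020000000000000</Keywords>
+# <TimeCreated SystemTime="2020-10-02 02:02:00.0351195" />
+# <EventRecordID>210012591</EventRecordID>
+# <Correlation ActivityID="f145a4ae-985f-0000-a1a4-61h15f98d601" />
+# <Execution ProcessID="774" ThreadID="768" />
+# <Channel>Security</Channel>
+# <Computer>hostname</Computer>
+# <Security />
+# </System>
+# <EventData>
+# <Data Name="OldTargetUserName">Administrators</Data>
+# <Data Name="NewTargetUserName">Administrators</Data>
+# <Data Name="TargetDomainName">Builtin</Data>
+# <Data Name="TargetSid">S-1-5-32-123</Data>
+# <Data Name="SubjectUserSid">S-1-5-18</Data>
+# <Data Name="SubjectUserName">username</Data>
+# <Data Name="SubjectDomainName">domain</Data>
+# <Data Name="SubjectLogonId">0x3E7</Data>
+# <Data Name="PrivilegeList">-</Data>
+# </EventData>
+#</Event>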
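Review bot: The 4781 map stops at PayloadData4 and never surfaces `SubjectLogonId`, although the sample event in this same file carries it (`<Data Name="SubjectLogonId">0x3E7</Data>`) and the sibling 4733/4782/4793 maps in this PR all expose it; for an account-rename event that logon ID is the value an analyst uses to tie the rename back to the 4624 session that performed it. I would add a PayloadData5 entry for it, mirroring the 4733 entry. Separately, the example block reads as hand-edited rather than captured: the Provider GUID differs from the `{54849625-5478-4994-A5BA-3E3B0328C30D}` used in the other three files, the ActivityID contains a non-hex `h`, and the TimeCreated value is not in the ISO form the other samples use, so a `# NOTE: sample values below are redacted/illustrative, not a verbatim capture` line above it would stop readers from treating them as reference values.
```yaml
# … unchanged: UserName and PayloadData1–PayloadData4 maps …
-
  Property: PayloadData5
  PropertyValue: "SubjectLogonId: %SubjectLogonId%"
  Values:
    -
      Name: SubjectLogonId
      Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
```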
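--- a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4782.map
+++ b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4782.map
@@ -0,0 +1,69 @@
+Author: Andrew Rathbun
+Description: The password hash of an account was accessed
+EventId: 4782
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+-
+Property: UserName
+PropertyValue: "%domain%\\%user% (%sid%)"
+Values:
+-
+Name: domain
+Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+-
+Name: user
+Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+-
+Name: sid
+Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+-
+Property: PayloadData1
+PropertyValue: "Target: %TargetDomainName%\\%TargetUserName%"
+Values:
+-
+Name: TargetUserName
+Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
+-
+Name: TargetDomainName
+Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
+-
+Property: PayloadData2
+PropertyValue: "SubjectLogonId: %SubjectLogonId%"
+Values:
+-
+Name: SubjectLogonId
+Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+
+# Documentation:
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4782
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4782
+#
+# Example Event Data:
+#<Event>
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+# <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
+# <EventID>4782</EventID>
+# <Version>0</Version>
+# <Level>0</Level>
+# <Task>13829</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8020000000000000</Keywords>
+# <TimeCreated SystemTime="2015-08-18T21:23:46.435367800Z" />
+# <EventRecordID>174829</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="512" ThreadID="1232" />
+# <Channel>Security</Channel>
+# <Computer>DC01.contoso.local</Computer>
+# <Security />
+# </System>
+# <EventData>
+# <Data Name="TargetUserName">Andrei</Data>
+# <Data Name="TargetDomainName">CONTOSO</Data>
+# <Data Name="SubjectUserSid">S-1-5-18</Data>
+# <Data Name="SubjectUserName">DC01$</Data>
+# <Data Name="SubjectDomainName">CONTOSO</Data>
+# <Data Name="SubjectLogonId">0x3e7</Data>
+# </EventData>
+# </Event>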
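Review bot: The example block opens the event twice, `#<Event>` immediately followed by `# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">`, but closes it only once, so the sample is not well-formed XML and will not paste into a parser; drop the bare `#<Event>` line. The map itself matches the fields the sample shows (no TargetSid is present in this event, so its omission from PayloadData1 is correct). Given this event records a password-hash read, a short `# Subject = the account that read the hash; Target = the account whose hash was read` comment above PayloadData1 would help triage, since the sample's subject is the machine account `DC01$` under the SYSTEM logon `0x3e7`.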
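--- a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4793.map
+++ b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4793.map
@@ -0,0 +1,80 @@
+Author: Andrew Rathbun
+Description: The Password Policy Checking API was called
+EventId: 4793
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+-
+Property: UserName
+PropertyValue: "%domain%\\%user% (%sid%)"
+Values:
+-
+Name: domain
+Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+-
+Name: user
+Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+-
+Name: sid
+Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+-
+Property: PayloadData1
+PropertyValue: "Target: %TargetUserName%"
+Values:
+-
+Name: TargetUserName
+Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
+-
+Property: PayloadData2
+PropertyValue: "Workstation: %Workstation%"
+Values:
+-
+Name: Workstation
+Value: "/Event/EventData/Data[@Name=\"Workstation\"]"
+-
+Property: PayloadData3
+PropertyValue: "Status: %Status%"
+Values:
+-
+Name: Status
+Value: "/Event/EventData/Data[@Name=\"Status\"]"
+-
+Property: PayloadData4
+PropertyValue: "SubjectLogonId: %SubjectLogonId%"
+Values:
+-
+Name: SubjectLogonId
+Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+
+# Documentation:
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4793
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4793
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+# <System>
+# <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
+# <EventID>4793</EventID>
+# <Version>0</Version>
+# <Level>0</Level>
+# <Task>13829</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8020000000000000</Keywords>
+# <TimeCreated SystemTime="2015-08-18T02:37:46.322424300Z" />
+# <EventRecordID>172342</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="520" ThreadID="2964" />
+# <Channel>Security</Channel>
+# <Computer>DC01.contoso.local</Computer>
+# <Security />
+# </System>
+# <EventData>
+# <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
+# <Data Name="SubjectUserName">dadmin</Data>
+# <Data Name="SubjectDomainName">CONTOSO</Data>
+# <Data Name="SubjectLogonId">0x36f67</Data>
+# <Data Name="Workstation">DC01</Data>
+# <Data Name="TargetUserName">-</Data>
+# <Data Name="Status">0x0</Data>
+# </EventData>
+# </Event>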
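Review bot: The `Status` value is rendered raw (`Status: %Status%`) with no hint of what it encodes; the sample shows `0x0`, which is an NTSTATUS success code, and a reader of the output has no way to know that a non-zero value means the policy check failed. A comment above the PayloadData3 entry, `# Status is an NTSTATUS code; 0x0 = success, non-zero = check failed`, would cover that. As a consistency point, this file places SubjectLogonId last (PayloadData4) while the 4733 and 4782 maps in this PR place it at PayloadData2; keeping the slot stable across Security maps makes column-based filtering on the rendered CSV less fragile.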
2 changes: 1 addition & 1 deletion evtx/Maps/System_Service-Control-Manager_7036.map
Expand Up @@ -6,7 +6,7 @@ Provider: Service Control Manager
Maps:
-
Property: PayloadData1
PropertyValue: "Name: %ServiceName%%ServiceName2%" #This is a special case in that data may exist in several forms. Here we look for both and use the one we find. =)
PropertyValue: "Name: %ServiceName% | %ServiceName2%" #This is a special case in that data may exist in several forms. Here we look for both and use the one we find. =)
Values:
-
Name: ServiceName
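Review bot: The ` | ` inserted into PropertyValue on the added line is a literal, so whenever only one of `%ServiceName%` / `%ServiceName2%` resolves the rendered value keeps a dangling separator (`Name: svc | ` or `Name:  | svc`), assuming an unresolved variable expands to an empty string — I cannot confirm that expansion rule from this hunk. If the intent of the trailing comment ("use the one we find") is a single clean name, the comment should say what the output looks like when one side is empty, e.g. `# ServiceName/ServiceName2 are alternate forms; exactly one is expected to be populated, so one side of " | " will be blank`. The inline comment also lacks the space after `#` used elsewhere in these maps. The Values list for this entry continues past the end of the hunk.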