/
!Channel-Name_Provider-Name_EventID.guide
169 lines (168 loc) · 8.73 KB
/
!Channel-Name_Provider-Name_EventID.guide
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
Author: Your name/contact information (optional) goes here
Description: Event description goes here without a period
EventId: EventID number goes here
Channel: Channel goes here
Provider: Provider goes here
# Delete all of these commented lines before submitting your map, including those after the Property values below. Alternatively, use the .template file located within this repo to get a running start on your map.
# Below is an example of Properties and how they can be used in your map.
# Filename for the map should follow the title of this file. _ separates Channel from Provider from EventID. - replaces any spaces or special characters in either Channel Name or Provider Name. Your filename may be long and that is okay.
# The value for "Property: " must be one of the following: RemoteHost, UserName, ExecutableInfo, PayloadData1, PayloadData2, PayloadData3, PayloadData4, PayloadData5, or PayloadData6. Please stick to this same casing scheme for uniformity (i.e. UserName vs Username).
# The value(s) for "PropertyValue: " must match whatever you list below under Values for the Name(s). PropertyValue will determine how the data pulled from Name and Value will look to the end user within the CSV output.
# When organizing your PayloadData columns, if your event is similar to preexisting maps, try to follow the same pattern others follow for consistency during analysis. A good example of this is the Sysmon logs.
# PayloadData5 below includes an example of using regex.
# PayloadData6 below includes an example of a Lookup Table.
# If your map calls for multiple lookup tables, please nest all lookups underneath a single "Lookups: " instance. For good examples of this, check out Security 4769 and 4771.
# No empty space between "Provider:" and "Maps:", please.
# After your last # line at the bottom of the map, hit Enter so there's a blank line underneath your last line of map content.
# If you're struggling with getting hits when you're making maps, read this awesome guide on XPATH: https://www.altova.com/training/xpath3
# Another way to hit nodes is to use this: /Event/EventData/Data[1] where 1 = the first node, 2 would be second, 3 would be third, and so on. So for the example at the bottom of this guide, there's over 20 different nodes!
Maps:
-
Property: UserName # UserName --> if at all possible, try to include DOMAIN\username if that information is recorded in the event.
PropertyValue: "%domain%\\%user%"
Values:
-
Name: domain
Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
-
Name: user
Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
-
Property: RemoteHost # RemoteHost --> used for IP addresses, hostname, or anything else that could identify a remote host within an event.
PropertyValue: "Target: %TargetDomainName%\\%TargetUserName%"
Values:
-
Name: TargetUserName
Value: "/Event/EventData/Data[2]" # this is another way you can hit a certain node within the XML below. TargetUserName is the second node, hence the [2]
-
Name: TargetDomainName
Value: "/Event/EventData/Data[3]" @ same as above, but it's the 3rd node, hence the [3]
-
Property: ExecutableInfo # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
PropertyValue: "%ProcessName%"
Values:
-
Name: ProcessName
Value: "/Event/EventData/Data[@Name=\"ProcessName\"]"
-
Property: PayloadData1 # PayloadData1 through PayloadData6 --> use these to logically organize the data that normally resides within the Payload column into something more human readable and easily scannable when examining EVTXECmd CSV output. Delete whatever you don't need as not all events have enough data to populate all 6 PayloadData columns.
PropertyValue: "Target: %TargetDomainName%\\%TargetUserName%"
Values:
-
Name: TargetDomainName
Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
-
Name: TargetUserName
Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
-
Property: PayloadData2
PropertyValue: "Target: %TargetDomainName%\\%TargetUserName%"
Values:
-
Name: TargetDomainName
Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
-
Name: TargetUserName
Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
-
Property: PayloadData3
PropertyValue: "Target: %TargetDomainName%\\%TargetUserName%"
Values:
-
Name: TargetDomainName
Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
-
Name: TargetUserName
Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
-
Property: PayloadData4
PropertyValue: "Target: %TargetDomainName%\\%TargetUserName%"
Values:
-
Name: TargetDomainName
Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
-
Name: TargetUserName
Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
-
Property: PayloadData5 # Here is an example of regex taken from Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2127.map.
PropertyValue: "%PayloadData5% assigned"
Values:
-
Name: PayloadData5
Value: "/Event/EventData/Data"
Refine: "IPv4 address: [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}"
-
Property: PayloadData6
PropertyValue: "Wake source: %WakeSourceType%"
Values:
-
Name: WakeSourceType
Value: "/Event/EventData/Data[@Name=\"WakeSourceType\"]"
Lookups: # Here is an example of a Lookup Table taken from System_Microsoft-Windows-Power-Troubleshooter_1.map. For more examples, check Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1026.map and System_Microsoft-Windows-Kernel-Power_42.map.
-
Name: WakeSourceType
Default: Unknown code
Values:
0: Unknown
1: Power button
3: Waking from sleep to hibernate
5: Device (See WakeSourceText for details)
6: Timer (See WakeSourceText for details)
# Delete this line. Please follow the below format when submitting your map. Also, be sure to test your map out on your own data so you know it produces the desired result!
#
# Documentation:
# insert relevant link(s) here, i.e. official Microsoft documentation, any relevant research, blogs, etc. One URL per line, please, and be sure to comment it out! If there is none, please write N/A.
#
# Delete this line. Under Example Event Data, please "cite your source" and cleanse your data of any identifying information so the community can see how these events record the data in the XML format. To convert a .evtx file to XML format, check the README and search for XML. Microsoft often has example XML data that can be used. For other events, be sure sensitive data is removed before you make a commit to GitHub!
#
# Example Event Data:
# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
# <System>
# <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
# <EventID>4742</EventID>
# <Version>0</Version>
# <Level>0</Level>
# <Task>13825</Task>
# <Opcode>0</Opcode>
# <Keywords>0x8020000000000000</Keywords>
# <TimeCreated SystemTime="2015-08-14T02:35:01.252397000Z" />
# <EventRecordID>171754</EventRecordID>
# <Correlation />
# <Execution ProcessID="520" ThreadID="1108" />
# <Channel>Security</Channel>
# <Computer>DC01.contoso.local</Computer>
# <Security />
# </System>
# <EventData>
# <Data Name="ComputerAccountChange">-</Data>
# <Data Name="TargetUserName">WIN81$</Data>
# <Data Name="TargetDomainName">CONTOSO</Data>
# <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data>
# <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
# <Data Name="SubjectUserName">dadmin</Data>
# <Data Name="SubjectDomainName">CONTOSO</Data>
# <Data Name="SubjectLogonId">0x2e80c</Data>
# <Data Name="PrivilegeList">-</Data>
# <Data Name="SamAccountName">-</Data>
# <Data Name="DisplayName">-</Data>
# <Data Name="UserPrincipalName">-</Data>
# <Data Name="HomeDirectory">-</Data>
# <Data Name="HomePath">-</Data>
# <Data Name="ScriptPath">-</Data>
# <Data Name="ProfilePath">-</Data>
# <Data Name="UserWorkstations">-</Data>
# <Data Name="PasswordLastSet">-</Data>
# <Data Name="AccountExpires">-</Data>
# <Data Name="PrimaryGroupId">-</Data>
# <Data Name="AllowedToDelegateTo">%%1793</Data>
# <Data Name="OldUacValue">0x80</Data>
# <Data Name="NewUacValue">0x2080</Data>
# <Data Name="UserAccountControl">%%2093</Data>
# <Data Name="UserParameters">-</Data>
# <Data Name="SidHistory">-</Data>
# <Data Name="LogonHours">-</Data>
# <Data Name="DnsHostName">-</Data>
# <Data Name="ServicePrincipalNames">-</Data>
# </EventData>
# </Event>