Merge pull request #165 from CluelessAtCoding/master
Create Security_Microsoft-Windows-Security-Auditing_4728.map
AndrewRathbun committed Sep 17, 2021
2 parents b4efe7e + 1965f7d commit 4a82219
Showing 1 changed file with 89 additions and 0 deletions.
89 changes: 89 additions & 0 deletions evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4728.map
@@ -0,0 +1,89 @@
Author: Paul Elliott (cluelessatcoding@outlook.com)
Description: A member was added to a security-enabled global group
EventId: 4728
Channel: Security
Provider: Microsoft-Windows-Security-Auditing
Maps:
-
Property: UserName
PropertyValue: "%domain%\\%user% (%sid%)"
Values:
-
Name: domain
Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
-
Name: user
Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
-
Name: sid
Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
-
Property: PayloadData1
PropertyValue: "Target: %TargetDomainName%\\%TargetUserName% (%TargetSid%)"
Values:
-
Name: TargetUserName
Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
-
Name: TargetDomainName
Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
-
Name: TargetSid
Value: "/Event/EventData/Data[@Name=\"TargetSid\"]"
-
Property: PayloadData2
PropertyValue: "Member: %MemberName%"
Values:
-
Name: MemberName
Value: "/Event/EventData/Data[@Name=\"MemberName\"]"
-
Property: PayloadData3
PropertyValue: "MemberSid: %MemberSid%"
Values:
-
Name: MemberSid
Value: "/Event/EventData/Data[@Name=\"MemberSid\"]"
-
Property: PayloadData4
PropertyValue: "SubjectLogonId: %SubjectLogonId%"
Values:
-
Name: SubjectLogonId
Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"

# Documentation:
# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728
# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4728
#
# Example Event Data:
# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
# <System>
# <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
# <EventID>4728</EventID>
# <Version>0</Version>
# <Level>0</Level>
# <Task>13826</Task>
# <Opcode>0</Opcode>
# <Keywords>0x8020000000000000</Keywords>
# <TimeCreated SystemTime="2021-01-22T08:20:34.3953497Z" />
# <EventRecordID>193106491</EventRecordID>
# <Correlation />
# <Execution ProcessID="676" ThreadID="6176" />
# <Channel>Security</Channel>
# <Computer>DC01.Contoso.com</Computer>
# <Security />
# </System>
# <EventData>
# <Data Name="MemberName">CN=Joe Bloggs,OU=Office,OU=Country,DC=Contoso,DC=Com</Data>
# <Data Name="MemberSid">S-1-5-21-1234567890-1234567890-123456789-12345</Data>
# <Data Name="TargetUserName">The_Group</Data>
# <Data Name="TargetDomainName">CONTOSO</Data>
# <Data Name="TargetSid">S-1-5-21-1234567890-1234567890-123456789-12346</Data>
# <Data Name="SubjectUserSid">S-1-5-21-1234567890-1234567890-123456789-12347</Data>
# <Data Name="SubjectUserName">admin.fred</Data>
# <Data Name="SubjectDomainName">CONTOSO</Data>
# <Data Name="SubjectLogonId">0xabcdef</Data>
# <Data Name="PrivilegeList">-</Data>
# </EventData>
# </Event>
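Review bot: PrivilegeList is the one EventData field in the example event at the end of the hunk that the map does not carry; the `Maps:` section stops at `SubjectLogonId` (PayloadData4). Consider adding a fifth entry so that the uncommon case where it is not `-` survives normalization, e.g. `Property: PayloadData5`, `PropertyValue: "PrivilegeList: %PrivilegeList%"`, with `Value: "/Event/EventData/Data[@Name=\"PrivilegeList\"]"`. The remaining field choices match the example data: `UserName` is built from SubjectDomainName, SubjectUserName and SubjectUserSid, PayloadData1 carries the target group (name, domain and SID), PayloadData2/3 the member DN and SID, and PayloadData4 the SubjectLogonId, so every XPath in the map resolves against a `Data` element present in the sample.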

0 comments on commit 4a82219