Merge pull request #92 from rathbuna/master

Update Sysmon Documentation

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_1.map

@@ -71,6 +71,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 # https://jpcertcc.github.io/ToolAnalysisResultSheet
 #

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_10.map

@@ -57,6 +57,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_11.map

@@ -39,6 +39,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_12.map

@@ -46,6 +46,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_13.map

@@ -53,6 +53,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 # https://jpcertcc.github.io/ToolAnalysisResultSheet
 #

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_14.map

@@ -46,6 +46,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_15.map

@@ -46,6 +46,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_16.map

@@ -22,6 +22,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_17.map

@@ -33,6 +33,7 @@ Maps:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_18.map

@@ -33,6 +33,7 @@ Maps:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_19.map

@@ -57,6 +57,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_2.map

@@ -54,6 +54,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_20.map

@@ -64,6 +64,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_21.map

@@ -50,6 +50,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_22.map

@@ -53,6 +53,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_23.map

@@ -67,6 +67,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_24.map

@@ -61,6 +61,7 @@ Maps:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # sysmon64.exe -s will list examples of data stored for each Sysmon event. This was done for this particular event.
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_25.map

@@ -40,6 +40,8 @@ Maps:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
+# https://medium.com/falconforce/sysmon-13-process-tampering-detection-820366138a6c
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # sysmon64.exe -s will list examples of data stored for each Sysmon event. This was done for this particular event.
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map

@@ -61,6 +61,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 # https://jpcertcc.github.io/ToolAnalysisResultSheet
 #

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_4.map

@@ -30,6 +30,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:                                                                                            

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_5.map

@@ -25,6 +25,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_6.map

@@ -50,6 +50,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_7.map

@@ -53,6 +53,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_8.map

@@ -56,6 +56,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_9.map

@@ -32,6 +32,7 @@ Maps:
 # Documentation:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
+# https://www.blackhillsinfosec.com/a-sysmon-event-id-breakdown/
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
 #
 # Example Event Data: