EricZimmerman · AndrewRathbun · Dec 25, 2020 · Dec 25, 2020 · Dec 25, 2020 · Dec 25, 2020
diff --git a/evtx/Maps/Application_Application-Error_1000.map b/evtx/Maps/Application_Application-Error_1000.map
@@ -0,0 +1,47 @@
+Author: Andrew Rathbun
+Description: Application Error
+EventId: 1000
+Channel: Application
+Provider: "Application Error"
+Maps:
+  - 
+    Property: ExecutableInfo
+    PropertyValue: "%ExecutableInfo%"
+    Values: 
+      - 
+        Name: ExecutableInfo
+        Value: "/Event/EventData/Data"
+        Refine: ([a-zA-Z0-9_\\.\-\(\):])+(.exe|.dll)
+
+# Documentation:
+# https://www.minitool.com/news/event-id-1000.html
+# https://answers.microsoft.com/en-us/windows/forum/windows_7-performance/how-do-i-fix-error-code-1000-application-crashes/19caa618-0ec8-43e5-9544-313f44b42c3a
+# https://windowsreport.com/event-1000-application-error-windows-10/
+# https://appuals.com/how-to-fix-event-1000-application-error-on-windows-10/
+# I've personally seen malicious executables being recorded in these events given that malware is inherently unstable and meant to cause destruction on the host system. 
+# Please add any other file extensions as you see fit.
+# As always, check the Payload column for all info recorded for this event.
+#
+# Example Event Data:
+#<Event>
+#  <System>
+#    <Provider Name="Application Error" />
+#    <EventID Qualifiers="0">1000</EventID>
+#    <Version>0</Version>
+#    <Level>2</Level>
+#    <Task>100</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x80000000000000</Keywords>
+#    <TimeCreated SystemTime="2020-11-26 18:15:52.2640182" />
+#    <EventRecordID>12237</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="0" ThreadID="0" />
+#    <Channel>Application</Channel>
+#    <Computer>HOSTNAME</Computer>
+#    <Security />
+#  </System>
+#  <EventData>
+#    <Data>Battle.net.exe, 1.29.0.12511, 5fb30cf2, battle.net.dll, 1.29.0.12511, 5fb30cd7, c0000006, 01034c81, 6c3c, 01d6c40460409565, E:\Battle.net\Battle.net.exe, E:\Battle.net\Battle.net.12511\battle.net.dll, f380f3b9-326d-4192-bd08-453b67cf1de0</Data>
+#    <Binary></Binary>
+#  </EventData>
+#</Event>
diff --git a/evtx/Maps/Application_Windows-Error-Reporting_1001.map b/evtx/Maps/Application_Windows-Error-Reporting_1001.map
@@ -0,0 +1,46 @@
+Author: Andrew Rathbun
+Description: Application Crash
+EventId: 1001
+Channel: Application
+Provider: "Windows Error Reporting"
+Maps:
+  - 
+    Property: ExecutableInfo
+    PropertyValue: "%ExecutableInfo%"
+    Values: 
+      - 
+        Name: ExecutableInfo
+        Value: "/Event/EventData/Data"
+        Refine: ([a-zA-Z0-9_\\.\-\(\):])+(.exe|.dll)
+
+# Documentation:
+# https://social.technet.microsoft.com/wiki/contents/articles/3116.event-id-1001-windows-error-reporting.aspx
+# https://www.manageengine.com/products/eventlog/kb/event-1001-windows-error-help.html
+# I've personally seen malicious executables being recorded in these events given that malware is inherently unstable and meant to cause destruction on the host system. 
+# Please add any other file extensions as you see fit.
+# As always, check the Payload column for all info recorded for this event.
+#
+# Example Event Data:
+#<Event>
+#  <System>
+#    <Provider Name="Windows Error Reporting" />
+#    <EventID Qualifiers="0">1001</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x80000000000000</Keywords>
+#    <TimeCreated SystemTime="2020-11-26 18:16:01.6874915" />
+#    <EventRecordID>12240</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="0" ThreadID="0" />
+#    <Channel>Application</Channel>
+#    <Computer>HOSTNAME</Computer>
+#    <Security />
+#  </System>
+#  <EventData>
+#    <Data>2197605730095248713, 1, APPCRASH, Not available, 0, Battle.net.exe, 1.29.0.12511, 5fb30cf2, battle.net.dll, 1.29.0.12511, 5fb30cd7, c0000006, 01034c81, 
+#\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6AD.tmp.WERInternalMetadata.xml, \\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Battle.net.exe_07df855d37a14863a6117edd6f7142347b0a57d_11b545ed_04b66fa9-9d42-4380-a370-51bdd98f4e80, 0, f380f3b9-326d-4192-bd08-453b67cf1de0, 268435456, a5a0ff54bdfc3e434e7f76c4a2b0b549, 0</Data>
+#    <Binary></Binary>
+#  </EventData>
+#</Event>
diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_17.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_17.map
@@ -33,6 +33,7 @@ Maps:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
+# https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
 #
 # Example Event Data:
 #<Event>

diff --git a/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_18.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_18.map
@@ -33,6 +33,7 @@ Maps:
 # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events
 # https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx - filter on Sysmon
+# https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
 #
 # Example Event Data:
 #<Event>

diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4768.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4768.map
@@ -4,6 +4,16 @@ EventId: 4768
 Channel: Security
 Provider: Microsoft-Windows-Security-Auditing
 Maps: 
+  - 
+    Property: RemoteHost
+    PropertyValue: "%ipAddress%:%port%"
+    Values: 
+      - 
+        Name: ipAddress
+        Value: "/Event/EventData/Data[@Name=\"IpAddress\"]"
+      - 
+        Name: port
+        Value: "/Event/EventData/Data[@Name=\"IpPort\"]"
   - 
     Property: PayloadData1
     PropertyValue: "Target: %domain%\\%user%"
@@ -14,6 +24,41 @@ Maps:
       - 
         Name: user
         Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
+  - 
+    Property: PayloadData2
+    PropertyValue: "ServiceName: %ServiceName%"
+    Values: 
+      - 
+        Name: ServiceName
+        Value: "/Event/EventData/Data[@Name=\"ServiceName\"]"
+  - 
+    Property: PayloadData3
+    PropertyValue: "ServiceSid: %ServiceSid%"
+    Values: 
+      - 
+        Name: ServiceSid
+        Value: "/Event/EventData/Data[@Name=\"ServiceSid\"]"
+  - 
+    Property: PayloadData4
+    PropertyValue: "TicketEncryptionType: %TicketEncryptionType%"
+    Values: 
+      - 
+        Name: TicketEncryptionType
+        Value: "/Event/EventData/Data[@Name=\"TicketEncryptionType\"]"
+
+Lookups:
+  -
+    Name: TicketEncryptionType
+    Default: Unknown code
+    Values:
+        0x1: DES-CBC-CRC
+        0x3: DES-CBC-MD5
+        0x11: AES128-CTS-HMAC-SHA1-96
+        0x12: AES256-CTS-HMAC-SHA1-96
+        0x17: RC4-HMAC
+        0x18: RC4-HMAC-EXP
+        0xFFFFFFFF: Audit Failure
+        0xffffffff: Audit Failure
 
 # Documentation:
 # https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768