Add new maps

evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_400.map

@@ -0,0 +1,96 @@
+Author: Andrew Rathbun
+Description: Device driver error
+EventId: 400
+Channel: "Microsoft-Windows-Kernel-PnP/Configuration"
+Provider: "Microsoft-Windows-Kernel-PnP"
+Maps: 
+  - 
+    Property: PayloadData1
+    PropertyValue: "MatchingDeviceId: %MatchingDeviceId%"
+    Values: 
+      - 
+        Name: MatchingDeviceId
+        Value: "/Event/EventData/Data[@Name=\"MatchingDeviceId\"]"
+  - 
+    Property: PayloadData2
+    PropertyValue: "DriverSection: %DriverSection%"
+    Values: 
+      - 
+        Name: DriverSection
+        Value: "/Event/EventData/Data[@Name=\"DriverSection\"]"
+  - 
+    Property: PayloadData3
+    PropertyValue: "DriverProvider: %DriverProvider%"
+    Values: 
+      - 
+        Name: DriverProvider
+        Value: "/Event/EventData/Data[@Name=\"DriverProvider\"]"
+  - 
+    Property: PayloadData4                                                  	
+    PropertyValue: "DeviceUpdated: %DeviceUpdated%"
+    Values: 
+      - 
+        Name: DeviceUpdated
+        Value: "/Event/EventData/Data[@Name=\"DeviceUpdated\"]"
+  - 
+    Property: PayloadData5                                                  	
+    PropertyValue: "ParentDeviceInstanceId: %ParentDeviceInstanceId%"
+    Values: 
+      - 
+        Name: ParentDeviceInstanceId
+        Value: "/Event/EventData/Data[@Name=\"ParentDeviceInstanceId\"]"
+  -
+    Property: PayloadData6
+    PropertyValue: "DeviceInstanceID: %DeviceInstanceID%"
+    Values: 
+      - 
+        Name: DeviceInstanceID
+        Value: "/Event/EventData/Data[@Name=\"DeviceInstanceID\"]"
+  - 
+    Property: ExecutableInfo
+    PropertyValue: "%DriverName%"
+    Values: 
+      - 
+        Name: DriverName
+        Value: "/Event/EventData/Data[@Name=\"DriverName\"]"
+
+# Documentation:
+# https://docs.microsoft.com/en-us/windows-hardware/drivers/install/driver-rank-ranges--windows-vista-and-later-
+# https://www.eventid.net/displayqueue.asp?eventid=400
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+#
+# Example Event Data:
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Kernel-PnP" Guid="9c679a39-1250-487d-abd7-e831c6290539" />
+#    <EventID>400</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x4000000500000000</Keywords>
+#    <TimeCreated SystemTime="2019-06-25 16:54:32.9955521" />
+#    <EventRecordID>2811</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="4" ThreadID="4568" />
+#    <Channel>Microsoft-Windows-Kernel-PnP/Configuration</Channel>
+#    <Computer>HOSTNAME.domain.com</Computer>
+#    <Security UserID="S-1-5-18" />
+#  </System>
+#  <EventData>
+#    <Data Name="DeviceInstanceId">SWD\PRINTENUM\{3CDEEBDB-6F0B-4ECB-94CD-3151F17A3B59}</Data>
+#    <Data Name="DriverName">printqueue.inf</Data>
+#    <Data Name="ClassGuid">1ed2fff9-11f0-4084-b21f-ad83a8e6dcdc</Data>
+#    <Data Name="DriverDate">06/21/2006</Data>
+#    <Data Name="DriverVersion">10.0.14393.0</Data>
+#    <Data Name="DriverProvider">Microsoft</Data>
+#    <Data Name="DriverInbox">True</Data>
+#    <Data Name="DriverSection">NO_DRV_LOCAL</Data>
+#    <Data Name="DriverRank">0x1</Data>
+#    <Data Name="MatchingDeviceId">PRINTENUM\LocalPrintQueue</Data>
+#    <Data Name="OutrankedDrivers">oem0.inf:{013f01fa-e634-4d77-83ee-074817c03581}:00FF0002 c_swdevice.inf:SWD\GenericRaw:00FF3001</Data>
+#    <Data Name="DeviceUpdated">False</Data>
+#    <Data Name="Status">0x0</Data>
+#    <Data Name="ParentDeviceInstanceId">SWD\PRINTENUM\PrintQueues</Data>
+#  </EventData>
+#</Event>

evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_410.map

@@ -0,0 +1,75 @@
+Author: Andrew Rathbun
+Description: Device driver error
+EventId: 410
+Channel: "Microsoft-Windows-Kernel-PnP/Configuration"
+Provider: "Microsoft-Windows-Kernel-PnP"
+Maps: 
+- 
+    Property: PayloadData1
+    PropertyValue: "ServiceName: %ServiceName%"
+    Values: 
+      - 
+        Name: ServiceName
+        Value: "/Event/EventData/Data[@Name=\"ServiceName\"]"
+  - 
+    Property: PayloadData2
+    PropertyValue: "Problem: %Problem%"
+    Values: 
+      - 
+        Name: Problem
+        Value: "/Event/EventData/Data[@Name=\"Problem\"]"
+  - 
+    Property: PayloadData3
+    PropertyValue: "Status: %Status%"
+    Values: 
+      - 
+        Name: Status
+        Value: "/Event/EventData/Data[@Name=\"Status\"]"
+  -
+    Property: PayloadData6
+    PropertyValue: "DeviceInstanceID: %DeviceInstanceID%"
+    Values: 
+      - 
+        Name: DeviceInstanceID
+        Value: "/Event/EventData/Data[@Name=\"DeviceInstanceID\"]"
+  - 
+    Property: ExecutableInfo
+    PropertyValue: "%DriverName%"
+    Values: 
+      - 
+        Name: DriverName
+        Value: "/Event/EventData/Data[@Name=\"DriverName\"]"
+
+# Documentation:
+# https://answers.microsoft.com/en-us/windows/forum/windows_8-hardware/event-410-kernel-pnp-logged-for-my-keyboard-the/36772d4b-8217-473e-8ffe-9e0b6b7f4cfa
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+#
+# Example Event Data:
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Kernel-PnP" Guid="9c205a39-1250-487d-abd7-e831c6290539" />
+#    <EventID>410</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x4000000090000000</Keywords>
+#    <TimeCreated SystemTime="2019-08-30 17:58:17.3774575" />
+#    <EventRecordID>3067</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="4" ThreadID="9600" />
+#    <Channel>Microsoft-Windows-Kernel-PnP/Configuration</Channel>
+#    <Computer>HOSTNAME.domain.com</Computer>
+#    <Security UserID="S-1-5-18" />
+#  </System>
+#  <EventData>
+#    <Data Name="DeviceInstanceId">SWD\ScDeviceEnum\6_Windows_Hello_for_Business_1</Data>
+#    <Data Name="DriverName">c_swdevice.inf</Data>
+#    <Data Name="ClassGuid">62f9c741-b25a-46ce-b54c-9bccce08b6f2</Data>
+#    <Data Name="ServiceName"></Data>
+#    <Data Name="LowerFilters"></Data>
+#    <Data Name="UpperFilters"></Data>
+#    <Data Name="Problem">0x0</Data>
+#    <Data Name="Status">0x0</Data>
+#  </EventData>
+#</Event>

evtx/Maps/Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-Kernel-PnP_430.map

@@ -0,0 +1,39 @@
+Author: Andrew Rathbun
+Description: Device requires further installation
+EventId: 430
+Channel: "Microsoft-Windows-Kernel-PnP/Configuration"
+Provider: "Microsoft-Windows-Kernel-PnP"
+Maps: 
+- 
+    Property: PayloadData6
+    PropertyValue: "DeviceInstanceId: %DeviceInstanceId%"
+    Values: 
+      - 
+        Name: DeviceInstanceId
+        Value: "/Event/EventData/Data[@Name=\"DeviceInstanceId\"]"
+
+# Documentation:
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+#
+# Example Event Data:
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Kernel-PnP" Guid="9c455a39-1250-487d-abd7-e831c6290539" />
+#    <EventID>430</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x4000000090000000</Keywords>
+#    <TimeCreated SystemTime="2019-10-17 03:18:15.2790188" />
+#    <EventRecordID>3314</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="4" ThreadID="660" />
+#    <Channel>Microsoft-Windows-Kernel-PnP/Configuration</Channel>
+#    <Computer>HOSTNAME.domain.com</Computer>
+#    <Security UserID="S-1-5-18" />
+#  </System>
+#  <EventData>
+#    <Data Name="DeviceInstanceId">SWD\WPDBUSENUM\_??_USBSTOR#Disk&amp;amp;Ven_iDRAC&amp;amp;Prod_MAS001&amp;amp;Rev_0329#20120731&amp;amp;0#{53g76307-b6bf-11d0-94f2-00a0c13dfb8b}</Data>
+#  </EventData>
+#</Event>

evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_142.map

@@ -0,0 +1,68 @@
+Author: Andrew Rathbun
+Description: NTFS-formatted drive attached
+EventId: 142
+Channel: "Microsoft-Windows-Ntfs/Operational"
+Provider: "Microsoft-Windows-Ntfs"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "VolumeName: %VolumeName%"
+    Values:
+      -
+        Name: VolumeName
+        Value: "/Event/EventData/Data[@Name=\"VolumeName\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "IsBootVolume: %IsBootVolume%"
+    Values:
+      -
+        Name: IsBootVolume
+        Value: "/Event/EventData/Data[@Name=\"IsBootVolume\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "LowestFreeSpaceInBytes: %LowestFreeSpaceInBytes%"
+    Values:
+      -
+        Name: LowestFreeSpaceInBytes
+        Value: "/Event/EventData/Data[@Name=\"LowestFreeSpaceInBytes\"]"
+  -
+    Property: PayloadData4
+    PropertyValue: "HighestFreeSpaceInBytes: %HighestFreeSpaceInBytes%"
+    Values:
+      -
+        Name: HighestFreeSpaceInBytes
+        Value: "/Event/EventData/Data[@Name=\"HighestFreeSpaceInBytes\"]"
+
+# Documentation:
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+# Free space and volume name of the attached drive can be derived from this event.
+# Events are created during the first connection since the startup. 
+# So if the user removes the drive and attaches it again no new logs are going to be made according to my investigation.
+#
+# Example Event Data:
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Ntfs" Guid="3ff37a1c-a68d-43de-8c9b-f79e8b16c482" />
+#    <EventID>142</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x4000000000200900</Keywords>
+#    <TimeCreated SystemTime="2020-10-13 06:11:22.2517941" />
+#    <EventRecordID>385</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="4" ThreadID="27824" />
+#    <Channel>Microsoft-Windows-Ntfs/Operational</Channel>
+#    <Computer>HOSTNAME.domain.com</Computer>
+#    <Security />
+#  </System>
+#  <EventData>
+#    <Data Name="VolumeGuid">6f349c04-b41a-4cb0-91bb-8c7742123937</Data>
+#    <Data Name="VolumeNameLength">48</Data>
+#    <Data Name="VolumeName">\\?\Volume{6f349c04-b41a-4cb0-91bb-8c7742123937}</Data>
+#    <Data Name="LowestFreeSpaceInBytes">132669440</Data>
+#    <Data Name="HighestFreeSpaceInBytes">132669440</Data>
+#    <Data Name="IsBootVolume">False</Data>
+#  </EventData>
+#</Event>

evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_145.map

@@ -0,0 +1,80 @@
+Author: Andrew Rathbun
+Description: NTFS-formatted drive attached
+EventId: 145
+Channel: "Microsoft-Windows-Ntfs/Operational"
+Provider: "Microsoft-Windows-Ntfs"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "VolumeName: %VolumeName%"
+    Values:
+      -
+        Name: VolumeName
+        Value: "/Event/EventData/Data[@Name=\"VolumeName\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "IsBootVolume: %IsBootVolume%"
+    Values:
+      -
+        Name: IsBootVolume
+        Value: "/Event/EventData/Data[@Name=\"IsBootVolume\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "VolumeCorrelationId: %VolumeCorrelationId%"
+    Values:
+      -
+        Name: VolumeCorrelationId
+        Value: "/Event/EventData/Data[@Name=\"VolumeCorrelationId\"]"
+
+# Documentation:
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+# Events are created during the first connection since the startup. 
+# So if the user removes the drive and attaches it again no new logs are going to be made according to my investigation.
+#
+# Example Event Data:
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Ntfs" Guid="3dd37a1c-a68d-4d6e-8c9b-f79e8b16c482" />
+#    <EventID>145</EventID>
+#    <Version>2</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x4000000000204000</Keywords>
+#    <TimeCreated SystemTime="2020-10-22 15:18:02.3775706" />
+#    <EventRecordID>4419</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="4" ThreadID="16500" />
+#    <Channel>Microsoft-Windows-Ntfs/Operational</Channel>
+#    <Computer>HOSTNAME.domain.com</Computer>
+#    <Security UserID="S-1-5-18" />
+#  </System>
+#  <EventData>
+#    <Data Name="VolumeCorrelationId">c679d0d4-1476-11eb-bad3-34f39ae13aac</Data>
+#    <Data Name="VolumeNameLength">0</Data>
+#    <Data Name="VolumeName"></Data>
+#    <Data Name="IsBootVolume">False</Data>
+#    <Data Name="MaxLatencyMs">30000</Data>
+#    <Data Name="ReadWriteLatencyBucket1">5000000</Data>
+#    <Data Name="ReadWriteLatencyBucket2">30000000</Data>
+#    <Data Name="ReadWriteLatencyBucket3">100000000</Data>
+#    <Data Name="ReadWriteLatencyBucket4">0</Data>
+#    <Data Name="ReadWriteLatencyBucket5">0</Data>
+#    <Data Name="ReadWriteLatencyBucket6">0</Data>
+#    <Data Name="ReadWriteLatencyBucket7">0</Data>
+#    <Data Name="TrimLatencyBucket1">10000000</Data>
+#    <Data Name="TrimLatencyBucket2">50000000</Data>
+#    <Data Name="TrimLatencyBucket3">100000000</Data>
+#    <Data Name="TrimLatencyBucket4">0</Data>
+#    <Data Name="TrimLatencyBucket5">0</Data>
+#    <Data Name="TrimLatencyBucket6">0</Data>
+#    <Data Name="TrimLatencyBucket7">0</Data>
+#    <Data Name="FlushLatencyBucket1">10000000</Data>
+#    <Data Name="FlushLatencyBucket2">50000000</Data>
+#    <Data Name="FlushLatencyBucket3">100000000</Data>
+#    <Data Name="FlushLatencyBucket4">0</Data>
+#    <Data Name="FlushLatencyBucket5">0</Data>
+#    <Data Name="FlushLatencyBucket6">0</Data>
+#    <Data Name="FlushLatencyBucket7">0</Data>
+#  </EventData>
+#</Event>

evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_40.map

@@ -24,7 +24,7 @@ Lookups:
     Default: Unknown code
     Values:
         0: No additional information is available (i.e. the user has closed RDP window)
-        5: The client�s connection was replaced by another connection (i.e. a user reconected to a previous RDP session)
+        5: The client�s connection was replaced by another connection (i.e. a user reconnected to a previous RDP session)
         11: User activity has initiated the disconnect
 
 # Documentation: