updates

keydet89 · Jan 18, 2018 · 98a538b · 98a538b
1 parent 7176ea0
commit 98a538b
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 2 deletions.
diff --git a/exe/eventmap.txt b/exe/eventmap.txt
@@ -12,6 +12,12 @@ Microsoft-Windows-Security-Auditing/5143:[Network share object modified]
 Microsoft-Windows-Security-Auditing/5144:[Network share object deleted]
 Microsoft-Windows-Security-Auditing/5168:[SPN check for SMB/SMB2 failed]
 
+Microsoft-Windows-Security-Auditing/4674:[Priv_Obj_Attempt]
+
+#
+# 
+# https://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=63&EvtSrc=WinMgmt&LCID=1033
+WinMgmt/63:[ALERT]
 
 #
 # ref: http://technet.microsoft.com/en-us/library/ee891289(v=ws.10).aspx
@@ -68,6 +74,15 @@ Microsoft-Windows-TaskScheduler/201:[Action Success]
 Microsoft-Windows-TaskScheduler/140:[Task Mod]
 Microsoft-Windows-TaskScheduler/141:[Task Del]
 
+# TaskScheduler backward compatibility
+# Saw a bad guy create a SchedTask for a long-running process (RAT), then deleted the task after it was running.
+# Almost exactly 72 hrs later, the TaskScheduler balked and generated a 7xx level event record, stating that it 
+# couldn't update the backward compatible .job file
+#
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd363614(v%3dws.10)
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd315728(v%3dws.10)
+Microsoft-Windows-TaskScheduler/709:[Task BKWD]
+
 # Added based on threat actor activity
 # https://technet.microsoft.com/en-us/library/cc774959(v=ws.10).aspx
 Microsoft-Windows-TaskScheduler/706:[Task Update FAIL]
@@ -90,6 +105,13 @@ Microsoft-Windows-TerminalServices-RemoteConnectionManager/1146:[Session Start]
 Microsoft-Windows-TerminalServices-RemoteConnectionManager/1147:[Logon]
 Microsoft-Windows-TerminalServices-RemoteConnectionManager/1149:[Logon]
 
+
+# https://technet.microsoft.com/en-us/library/cc734254(v=ws.10).aspx
+# Note: this event has been observed when ransomware attempts to delete 
+#   VSCs, but infected user profile does not have necessary privileges.
+# Record Data contains command, encoded as hex (conver to ASCII)
+VSS/13:[VSS Fail]
+
 VSS/8224:[VSS Shutdown]
 VSS/8225:[VSS Shutdown via SCM]
 # 

diff --git a/exe/evtxparse.exe b/exe/evtxparse.exe
diff --git a/source/evtxparse.pl b/source/evtxparse.pl
@@ -58,7 +58,7 @@ sub processLogLine {
 
 	if (scalar(@data) >= 1 && $data[0] =~ m/^\d+,\d+/) {
 		$line = join('|',@data);
-		my ($num,$date,$id,$source,$strings) = split(/,/,$line,5);
+		my ($num,$date,$id,$source,$server,$sid,$strings) = split(/,/,$line,7);
 		my $epoch = getEpoch($date);		
 		$strings =~ s/\|/,/g;
 		my $descr;
@@ -68,7 +68,7 @@ sub processLogLine {
 		else {
 			$descr = $source."/".$id.";".$strings;
 		}
-		print $epoch."|EVTX|Server||".$descr."\n";
+		print $epoch."|EVTX|".$server."||".$descr."\n";
 	}
 }