1006 - added Location to the map: if a VHD/ISO is mounted with Explorer, this field contains the full path of the file. Executable Info was the only free remaining column that could be used. I provided an additional example event.
4624 - added AuthenticationPackageNameand LogonProcessName: they can be useful for quickly finding NTLM or Kerberos authentications.
4648 - added TargetInfo: when a TargetServerName is accessed via SMB, it contains the value cifs/TargetServerName.
30807 - added lookups for Status codes. I retrieved the SMB::StatusCode values/descriptions from the Zeek project. Documentation updated.
Checklist:
Please replace every instance of [ ] with [X] OR click on the checkboxes after you submit your PR
[ ] I have ensured a Provider is listed for the new Map(s) being submitted
[ ] I have ensured the filename(s) of any new Map(s) being submitted follows the approved format, i.e. Channel-Name_Provider-Name_EventID.map. In summary, all spaces and special characters are replaced with a hyphen with an underscore separates Channel Name, Provider Name, and Event ID
[X] I have tested and validated the new Map(s) work with my test data and achieve the desired output
[X] I have provided example event data (# Example Event Data:) at the bottom of my Map(s), if possible
[ ] I have consulted the Guide/Template to ensure my Map(s) follow the same format
Thank you for your submission and for contributing to the DFIR community!
Description
Locationto the map: if a VHD/ISO is mounted with Explorer, this field contains the full path of the file.Executable Infowas the only free remaining column that could be used. I provided an additional example event.AuthenticationPackageNameandLogonProcessName: they can be useful for quickly finding NTLM or Kerberos authentications.TargetInfo: when aTargetServerNameis accessed via SMB, it contains the valuecifs/TargetServerName.CountOfCredentialsReturnedandActivityIDStatuscodes. I retrieved the SMB::StatusCode values/descriptions from the Zeek project. Documentation updated.Checklist:
Please replace every instance of
[ ]with[X]OR click on the checkboxes after you submit your PRProvideris listed for the new Map(s) being submittedChannel-Name_Provider-Name_EventID.map. In summary, all spaces and special characters are replaced with a hyphen with an underscore separates Channel Name, Provider Name, and Event ID# Example Event Data:) at the bottom of my Map(s), if possibleThank you for your submission and for contributing to the DFIR community!