Closed AndrewRathbun closed 3 years ago
Another idea for maps, if you can find/produce examples of the events.
Many useful evtx samples related to different attacks can be found here: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
I'll have a look at the Tool Analysis Result Sheet and see what I can do.
Many useful evtx samples related to different attacks can be found here: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
I'll have a look at the Tool Analysis Result Sheet and see what I can do.
Oh yes. That's where I got the sample events for most of the Sysmon logs. Ultimate Windows Security had me covered on the rest.
Thanks for chipping in as you see fit!
Many useful evtx samples related to different attacks can be found here: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
I'll have a look at the Tool Analysis Result Sheet and see what I can do.
This morning, I've been going through the CSV output of parsing this entire directory, sorting on blank Map Description, and then filtering on Security, for instance, and just going down the line and creating maps one by one. That's been a pretty effective way to go about it so far, I've found.
I've seen a lot of updates going on today! I'm using your same methodology 👍
I guess LogonIDs should have a dedicated Property (like UserName or ExecutableInfo), otherwise they keep being mapped to different columns making them less effective as a filter with TLE.
Add them into the username field when they exist.
Username (login ID)
I've seen a lot of updates going on today! I'm using your same methodology 👍
I guess LogonIDs should have a dedicated Property (like UserName or ExecutableInfo), otherwise they keep being mapped to different columns making them less effective as a filter with TLE.
When we're done with getting more maps created, I do want to take a step back and try to get a bigger picture look at what information is being mapped where. I want to avoid a user's SID being sprayed in all columns throughout all the maps and try to minimize the hopping from column to column for the same info. I tried to do this with the Sysmon logs where if you filtered just on Sysmon you'd hopefully see a lot of the same info stored in one column, rarely two. Different events record different things, of course, but Security events have lots of similar info stored in them so maybe the long term goal is a loose standardization by Channel/Provider grouping. So all Sysmon try to be as uniform as possible, when applicable, Microsoft-Windows-Security-Auditing tries to do the same, etc.
I really want to avoid adding another 10 columns because then things start becoming empty for maps where those dedicated columns can't be filled.
Add them into the username field when they exist.
Username (login ID)
Thanks for the suggestion, but I'll try not to do it. I don't want to flood that field with hundreds of username variations.
I really want to avoid adding another 10 columns because then things start becoming empty for maps where those dedicated columns can't be filled.
I totally get that. I'm more referring to the PayloadData columns and what information is currently mapped within the existing columns. I think only once in all the maps I've put together did I wish I had a PayloadData7 column. So I think we are good there.
For example, I'm more talking about SID being mapped to PD1 for one map, PD2 for another map, attached to Domain/user (SID) in some, etc. I think keeping it standardized within a Channel/Provider grouping makes the most sense since standardizing it across all maps/Channels would be a) impossible and b) way too hard to do given the various Channels and Providers and what data is stored for each.
https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events 👍
Nice link! I'll use this as well. I do most of my map making on weekends. Thanks for all of the help so far!
@hyuunnn that link has been very helpful. Thankfully, Microsoft has a lot of examples of these events on their documentation site.
The new Sysmon 24 (Clipboard Contents) and 25 (ProcessTampering) events were added. Still working through the links posted here. I'm also working on a spreadsheet to see where things are currently mapped in each column so down the road we can have cleaner output. That's a longer term goal, though. Still adding maps in the meantime to flesh out those that could potentially be relevant during an incident.
Created a rough map for ScreenConnect events from the Application.evtx to help with Map Description filtering. Feel free to tweak and add to the existing Maps. Application_ScreenConnect-Client_0.txt
Created a rough map for ScreenConnect events from the Application.evtx to help with Map Description filtering. Feel free to tweak and add to the existing Maps. Application_ScreenConnect-Client_0.txt
Thanks for doing this. The only way I could tweak is to have a .evtx file with this exact event in it. Do you have one you can share? Also, you're welcome to do a PR yourself.
Created a rough map for ScreenConnect events from the Application.evtx to help with Map Description filtering. Feel free to tweak and add to the existing Maps. Application_ScreenConnect-Client_0.txt
Thanks for doing this. The only way I could tweak is to have a .evtx file with this exact event in it. Do you have one you can share? Also, you're welcome to do a PR yourself.
Hi @rathbuna, I do not have one that is sterilized at this time but can get one when time permits. Is there any functionality to wildcard in the "Provider:" field in the maps? ScreenConnect adds a thumbprint value (16 numbers/letters) to the provider field. Example. Provider: ScreenConnect Client (4f1287b1262a719e)
Created a rough map for ScreenConnect events from the Application.evtx to help with Map Description filtering. Feel free to tweak and add to the existing Maps. Application_ScreenConnect-Client_0.txt
Thanks for doing this. The only way I could tweak is to have a .evtx file with this exact event in it. Do you have one you can share? Also, you're welcome to do a PR yourself.
Hi @rathbuna, I do not have one that is sterilized at this time but can get one when time permits. Is there any functionality to wildcard in the "Provider:" field in the maps? ScreenConnect adds a thumbprint value (16 numbers/letters) to the provider field. Example. Provider: ScreenConnect Client (4f1287b1262a719e)
I think I've noticed this before as well. That's something for @EricZimmerman to chime in on.
https://github.com/stuhli/awesome-event-ids new link :)
cant we just do multiple maps, one per provider? (assuming this is still an issue)
https://github.com/stuhli/awesome-event-ids new link :)
Thanks for the link, just did a PR to add a link to the Maps directory on this repo.
Also, new Map Ideas should go here: https://github.com/EricZimmerman/evtx/projects/1
Closing this since we have this project board now
@hyuunnn @forensenellanebbia and anyone else looking for something to contribute. I want to make sure all the events covered in the link below have maps. These are very common attackers TTPs so the goal is to have the Map Description and as much relevant information mapped out so these events are not overlooked.
https://jpcertcc.github.io/ToolAnalysisResultSheet/
It's simple enough to find an event the site lists for a specific tool and cross reference to see if a map already exists. We also need to make sure this site is listed in Documentation for any event maps that it covers, which is probably a lot of them, but that can happen over time.
I'm always looking for new maps to create but this project should at least give some direction until they are all covered. Not that the maps that've been added lately don't add value, but I figure it might be smart to make sure the ones this project identified as having recorded information relating to common attacker TTPs are covered.