diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map
index e8ca9f65..dee17864 100644
--- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map
@@ -42,6 +42,10 @@ Maps:
# Documentation:
# https://www.cecyf.fr/wp-content/uploads/2018/01/2018-CELTON-DELAHAYE-Analyse-des-jobs-BITS.pdf
# https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm#SuccessCondition
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
+# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
#
# Example Event Data:
#
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map
index 82f999dc..01b53044 100644
--- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map
@@ -4,42 +4,49 @@ EventId: 4
Channel: Microsoft-Windows-Bits-Client/Operational
Provider: Microsoft-Windows-Bits-Client
Maps:
- -
+ -
Property: UserName
- PropertyValue: "jobOwner: %jobOwner%%string2%"
+ PropertyValue: "%User%"
Values:
-
- Name: jobOwner
+ Name: User
Value: "/Event/EventData/Data[@Name=\"User\"]"
- -
+ -
Property: PayloadData1
PropertyValue: "jobTitle: %jobTitle%"
Values:
-
Name: jobTitle
Value: "/Event/EventData/Data[@Name=\"jobTitle\"]"
- -
+ -
Property: PayloadData2
PropertyValue: "jobId: %jobId%"
Values:
-
Name: jobId
Value: "/Event/EventData/Data[@Name=\"jobId\"]"
- -
+ -
Property: PayloadData3
PropertyValue: "fileCount: %fileCount%"
Values:
-
Name: fileCount
Value: "/Event/EventData/Data[@Name=\"fileCount\"]"
- -
+ -
+ Property: PayloadData4
+ PropertyValue: "Bytes jobOwner: %jobOwner%"
+ Values:
+ -
+ Name: jobOwner
+ Value: "/Event/EventData/Data[@Name=\"jobOwner\"]"
+ -
Property: PayloadData5
PropertyValue: "Bytes Transferred: %bytesTransferred%"
Values:
-
Name: bytesTransferred
Value: "/Event/EventData/Data[@Name=\"bytesTransferred\"]"
- -
+ -
Property: PayloadData6
PropertyValue: "Bytes Transferred from Peer: %bytesTransferredFromPeer%"
Values:
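Review bot: The new PayloadData4 label at L61, `PropertyValue: "Bytes jobOwner: %jobOwner%"`, looks like a copy of the "Bytes Transferred" prefix from the neighbouring PayloadData5 entry; jobOwner is an account name, not a byte count, so the label should read `PropertyValue: "jobOwner: %jobOwner%"` to match the `jobTitle:`/`jobId:` labels above it. The same mislabelled entry is repeated in the new EventId 5 map (L182) and should be fixed there as well. An analyst filtering on PayloadData4 will otherwise see "Bytes jobOwner: MSEDGEWIN10\IEUser" in the output.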
@@ -49,33 +56,37 @@ Maps:
# Documentation:
# https://kb.eventtracker.com/evtpass/evtpages/EventId_4_Microsoft-Windows-Bits-Client_64107.asp
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
+# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
#
# Example Event Data:
#
- #
- #
- # 4
- # 1
- # 4
- # 0
- # 0
- # 0x4000000000000000
- #
- # 2778
- #
- #
- # Microsoft-Windows-Bits-Client/Operational
- # MSEDGEWIN10
- #
- #
- #
- # MSEDGEWIN10\IEUser
- # Download LockScreen Image
- # ff819706-9ff9-490b-ade5-b069232c5d23
- # MSEDGEWIN10\IEUser
- # 1
- # 162791
- # 0
- #
-#
+#
+#
+# 4
+# 1
+# 4
+# 0
+# 0
+# 0x4000000000000000
+#
+# 2778
+#
+#
+# Microsoft-Windows-Bits-Client/Operational
+# MSEDGEWIN10
+#
+#
+#
+# MSEDGEWIN10\IEUser
+# Download LockScreen Image
+# ff819706-9ff9-490b-ade5-b069232c5d23
+# MSEDGEWIN10\IEUser
+# 1
+# 162791
+# 0
+#
+#
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map
new file mode 100644
index 00000000..4b08ca97
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map
@@ -0,0 +1,75 @@
+Author: Andrew Rathbun
+Description: BITS job cancellation
+EventId: 5
+Channel: Microsoft-Windows-Bits-Client/Operational
+Provider: Microsoft-Windows-Bits-Client
+Maps:
+ -
+ Property: UserName
+ PropertyValue: "%User%"
+ Values:
+ -
+ Name: User
+ Value: "/Event/EventData/Data[@Name=\"User\"]"
+ -
+ Property: PayloadData1
+ PropertyValue: "jobTitle: %jobTitle%"
+ Values:
+ -
+ Name: jobTitle
+ Value: "/Event/EventData/Data[@Name=\"jobTitle\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "jobId: %jobId%"
+ Values:
+ -
+ Name: jobId
+ Value: "/Event/EventData/Data[@Name=\"jobId\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "fileCount: %fileCount%"
+ Values:
+ -
+ Name: fileCount
+ Value: "/Event/EventData/Data[@Name=\"fileCount\"]"
+ -
+ Property: PayloadData4
+ PropertyValue: "Bytes jobOwner: %jobOwner%"
+ Values:
+ -
+ Name: jobOwner
+ Value: "/Event/EventData/Data[@Name=\"jobOwner\"]"
+
+# Documentation:
+# https://kb.eventtracker.com/evtpass/evtpages/EventId_4_Microsoft-Windows-Bits-Client_64107.asp
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
+# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
+#
+# Example Event Data:
+#
+#
+#
+# 5
+# 0
+# 4
+# 0
+# 0
+# 0x4000060000000000
+#
+# 651942
+#
+#
+# Microsoft-Windows-Bits-Client/Operational
+# HOSTNAME.domain.com
+#
+#
+#
+# NT AUTHORITY\SYSTEM
+# CCM Message Upload {5F4D139A-8476-4FFB-BDCC-0A61ARDE528F}
+# 2679aae7-d9d0-4a03-b110-87eb72619f87
+# NT AUTHORITY\SYSTEM
+# 1
+#
+#
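Review bot: The Documentation block of this EventId 5 map points at the EventId 4 eventtracker page (L189, `EventId_4_Microsoft-Windows-Bits-Client_64107.asp`), which appears to have been carried over from the _4.map this file was cloned from; either link the EventId 5 page or drop the line so the reference does not mislead. The example job title at L215 also contains a GUID with non-hex characters (`0A61ARDE528F`), presumably a redaction artefact — worth normalising so readers do not take it as real event output. The "Bytes jobOwner" label at L182 is covered in the note on the _4.map hunk.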
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map
index d6d446bd..641b4c49 100644
--- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map
@@ -55,7 +55,8 @@ Maps:
# https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm
# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
-# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734713(v=ws.10)
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
#
# Example Event Data:
#
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map
index 33c24edd..70bf1959 100644
--- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map
@@ -55,43 +55,44 @@ Maps:
# https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm
# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
-# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734635(v=ws.10)
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
#
# Example Event Data:
-#
-#
-#
-# 60
-# 1
-# 4
-# 0
-# 2
-# 0x4000000800000000
-#
-# 1532
-#
-#
-# Microsoft-Windows-Bits-Client/Operational
-# HOSTNAME
-#
-#
-#
-# 76052606-f8ef-40f3-853b-9d3725e4b2f7
-# UpdateXml
-# f4ecc13b-4421-48a3-8766-4b987a0e5995
-# https://g.live.com/123rewlive5skydrive/OneDriveProduction?OneDriveUpdate=f37fd774d9b58ea48d76eacfee1e
-#
-# 0
-# 2020-11-23 20:04:21.0000000
-# 993
-# 993
-# 993
-#
-# 0
-# 0
-# 0
-# 0
-# 18446749973709551615
-# False
-#
-#
+#
+#
+#
+# 60
+# 1
+# 4
+# 0
+# 2
+# 0x4000000800000000
+#
+# 1532
+#
+#
+# Microsoft-Windows-Bits-Client/Operational
+# HOSTNAME
+#
+#
+#
+# 76052606-f8ef-40f3-853b-9d3725e4b2f7
+# UpdateXml
+# f4ecc13b-4421-48a3-8766-4b987a0e5995
+# https://g.live.com/123rewlive5skydrive/OneDriveProduction?OneDriveUpdate=f37fd774d9b58ea48d76eacfee1e
+#
+# 0
+# 2020-11-23 20:04:21.0000000
+# 993
+# 993
+# 993
+#
+# 0
+# 0
+# 0
+# 0
+# 18446749973709551615
+# False
+#
+#
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map
new file mode 100644
index 00000000..a657d696
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map
@@ -0,0 +1,98 @@
+Author: Andrew Rathbun
+Description: BITS transfer has stopped
+EventId: 61
+Channel: Microsoft-Windows-Bits-Client/Operational
+Provider: Microsoft-Windows-Bits-Client
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "jobTitle: %jobTitle%"
+ Values:
+ -
+ Name: jobTitle
+ Value: "/Event/EventData/Data[@Name=\"name\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "jobId: %jobId%"
+ Values:
+ -
+ Name: jobId
+ Value: "/Event/EventData/Data[@Name=\"Id\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "URL: %url%"
+ Values:
+ -
+ Name: url
+ Value: "/Event/EventData/Data[@Name=\"url\"]"
+ -
+ Property: PayloadData4
+ PropertyValue: "Peer: %peer%"
+ Values:
+ -
+ Name: peer
+ Value: "/Event/EventData/Data[@Name=\"peer\"]"
+ -
+ Property: PayloadData5
+ PropertyValue: "Total Bytes: %bytesTotal% (Transferred: %bytesTransferred%)"
+ Values:
+ -
+ Name: bytesTotal
+ Value: "/Event/EventData/Data[@Name=\"bytesTotal\"]"
+ -
+ Name: bytesTransferred
+ Value: "/Event/EventData/Data[@Name=\"bytesTransferred\"]"
+ -
+ Property: PayloadData6
+ PropertyValue: "Bytes Transferred from Peer: %bytesTransferredFromPeer%"
+ Values:
+ -
+ Name: bytesTransferredFromPeer
+ Value: "/Event/EventData/Data[@Name=\"bytesTransferredFromPeer\"]"
+
+# Documentation:
+# https://kb.eventtracker.com/evtpass/evtpages/EventId_60_Microsoft-Windows-Bits-Client_64110.asp
+# https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm
+# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
+#
+# Example Event Data:
+#
+#
+#
+# 61
+# 1
+# 3
+# 0
+# 2
+# 0x4000030000000000
+#
+# 667991
+#
+#
+# Microsoft-Windows-Bits-Client/Operational
+# HOSTNAME.domain.com
+#
+#
+#
+# 2567a913-0e06-4ef0-944f-2c9ec57ec669
+# CCM Message Upload {0D7FE3C1-810E-43BF-98F3-6BFED5837B6C}
+# f3642209-4ea2-4ea9-b502-8320d93f45f0
+# http://HOSTNAME.comain.com:80/CCM_Incoming/{0D7FE3C1-810E-43BF-98F3-6BFABCDEFB6C}
+#
+# 246579813
+# 2020-08-07 01:03:05.5210175
+# 18440244073709551615
+# 189658
+# 0
+#
+# 0
+# 0
+# 0
+# 0
+# 18446744073709551615
+# False
+#
+#
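Review bot: The map for event 61 ("transfer has stopped") surfaces name, id, url, peer and byte counters but not the status/error code the event carries, which the example data shows as a non-zero value at L412 (`246579813`) right after the peer field; for a stopped transfer that code is usually the first thing an analyst wants. The Data element names are stripped from the pasted example so I cannot confirm the attribute name from this page (the BITS-Client manifest calls it `hr`, if memory serves — verify against the raw XML), but a `PayloadData7` entry with `PropertyValue: "Status: %status%"` and `Value: "/Event/EventData/Data[@Name=\"<status-field-name>\"]"` would complete the map. Minor: the example URL at L410 reads `HOSTNAME.comain.com` while the host at L403 is `HOSTNAME.domain.com`, so the redaction is inconsistent.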
diff --git a/evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_100.map b/evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_100.map
new file mode 100644
index 00000000..3143767b
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_100.map
@@ -0,0 +1,50 @@
+Author: Andrew Rathbun
+Description: Microsoft-Windows-DeviceSetupManager service starting
+EventId: 100
+Channel: "Microsoft-Windows-DeviceSetupManager/Admin"
+Provider: "Microsoft-Windows-DeviceSetupManager"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "Prop_UpTime_Seconds: %Prop_UpTime_Seconds%"
+ Values:
+ -
+ Name: Prop_UpTime_Seconds
+ Value: "/Event/EventData/Data[@Name=\"Prop_UpTime_Seconds\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "Prop_WorkTime_MilliSeconds: %Prop_WorkTime_MilliSeconds%"
+ Values:
+ -
+ Name: Prop_WorkTime_MilliSeconds
+ Value: "/Event/EventData/Data[@Name=\"Prop_WorkTime_MilliSeconds\"]"
+
+# Documentation:
+# https://cyberforensicator.com/wp-content/uploads/2017/09/USB-Storage-Device-Forensics-for-Windows-10.pdf
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+# https://www.swiftforensics.com/2013/11/event-log-entries-for-devices-in.html
+# This event directly precedes a 112 event.
+#
+# Example Event Data:
+#
+#
+#
+# 100
+# 0
+# 4
+# 0
+# 0
+# 0x4000000040000000
+#
+# 2098
+#
+#
+# Microsoft-Windows-DeviceSetupManager/Admin
+# HOSTNAME.domain.com
+#
+#
+#
+# 0
+# 71534
+#
+#
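Review bot: Channel and Provider are written as double-quoted scalars here (L435–L436) while every BITS map in the same commit leaves them plain (e.g. L149–L150); both parse to the same string, but the repository should pick one convention so the files diff and grep consistently. The same quoting appears in the new _101 and StorDiag_507 maps (L491–L492, L546–L547). Nothing in the values needs quoting, so `Channel: Microsoft-Windows-DeviceSetupManager/Admin` and `Provider: Microsoft-Windows-DeviceSetupManager` would match the existing style.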
diff --git a/evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_101.map b/evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_101.map
new file mode 100644
index 00000000..203acb7f
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_101.map
@@ -0,0 +1,49 @@
+Author: Andrew Rathbun
+Description: Microsoft-Windows-DeviceSetupManager service shutting down
+EventId: 101
+Channel: "Microsoft-Windows-DeviceSetupManager/Admin"
+Provider: "Microsoft-Windows-DeviceSetupManager"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "Prop_UpTime_Seconds: %Prop_UpTime_Seconds%"
+ Values:
+ -
+ Name: Prop_UpTime_Seconds
+ Value: "/Event/EventData/Data[@Name=\"Prop_UpTime_Seconds\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "Prop_WorkTime_MilliSeconds: %Prop_WorkTime_MilliSeconds%"
+ Values:
+ -
+ Name: Prop_WorkTime_MilliSeconds
+ Value: "/Event/EventData/Data[@Name=\"Prop_WorkTime_MilliSeconds\"]"
+
+# Documentation:
+# https://cyberforensicator.com/wp-content/uploads/2017/09/USB-Storage-Device-Forensics-for-Windows-10.pdf
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+# https://www.swiftforensics.com/2013/11/event-log-entries-for-devices-in.html
+# This event directly follows a 112 event.
+#
+#
+#
+#
+# 101
+# 0
+# 4
+# 0
+# 0
+# 0x4000000000500000
+#
+# 1234
+#
+#
+# Microsoft-Windows-DeviceSetupManager/Admin
+# HOSTNAME.domain.com
+#
+#
+#
+# 172
+# 51849
+#
+#
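Review bot: The `# Example Event Data:` header is missing from this map — L515–L517 are bare `#` lines where the sibling _100 map has the header at L459 — so the pasted event that follows has no label. Add `# Example Event Data:` at L515 to keep the comment block consistent with the other new maps. The Documentation links are otherwise identical to the _100 map, which is fine since they cover the same channel.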
diff --git a/evtx/Maps/Microsoft-Windows-Storage-ClassPnP-Operational_Microsoft-Windows-Storage-ClassPnP_507.map b/evtx/Maps/Microsoft-Windows-Storage-ClassPnP-Operational_Microsoft-Windows-Storage-ClassPnP_507.map
new file mode 100644
index 00000000..54b8a585
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Storage-ClassPnP-Operational_Microsoft-Windows-Storage-ClassPnP_507.map
@@ -0,0 +1,83 @@
+Author: Andrew Rathbun
+Description: Completing a failed non-ReadWrite SCSI SRB request
+EventId: 507
+Channel: "Microsoft-Windows-Storage-ClassPnP/Operational"
+Provider: "Microsoft-Windows-StorDiag"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "DeviceGUID: %DeviceGUID%"
+ Values:
+ -
+ Name: DeviceGUID
+ Value: "/Event/EventData/Data[@Name=\"DeviceGUID\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "Vendor: %Vendor%"
+ Values:
+ -
+ Name: Vendor
+ Value: "/Event/EventData/Data[@Name=\"Vendor\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "Model: %Model%"
+ Values:
+ -
+ Name: Model
+ Value: "/Event/EventData/Data[@Name=\"Model\"]"
+ -
+ Property: PayloadData4
+ PropertyValue: "SerialNumber: %SerialNumber%"
+ Values:
+ -
+ Name: SerialNumber
+ Value: "/Event/EventData/Data[@Name=\"SerialNumber\"]"
+ -
+ Property: PayloadData5
+ PropertyValue: "FirmwareVersion: %FirmwareVersion%"
+ Values:
+ -
+ Name: FirmwareVersion
+ Value: "/Event/EventData/Data[@Name=\"FirmwareVersion\"]"
+
+# Documentation:
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+# https://www.mcbsys.com/blog/2016/08/stordiag-errors-after-windows-10-upgrade/
+# https://www.windowsphoneinfo.com/threads/event-507-completing-a-failed-non-readwrite-scsi-srb-request.275718/
+#
+# Example Event Data:
+#
+#
+#
+# 507
+# 1
+# 2
+# 200
+# 101
+# 0x800000038000000
+#
+# 2
+#
+#
+# Microsoft-Windows-Storage-ClassPnP/Operational
+# HOSTNAME
+#
+#
+#
+# 3c1723fd-1386-004c-ea45-358679129f24
+# 3
+# Msft
+# Virtual Disk
+# 1.0
+# NULL
+# 0xC0000185
+# 4
+# 2
+# 0
+# 0
+# 0
+# 10
+# 35-00-00-00-00-00-00-00-00-00
+# 5
+#
+#
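Review bot: The Provider at L547 is `Microsoft-Windows-StorDiag`, but the file is named `..._Microsoft-Windows-Storage-ClassPnP_507.map`; if the project's naming scheme is Channel_Provider_EventId, either the filename or the Provider value is wrong, and whichever the raw event's System/Provider element actually carries should win so the map is matched at runtime and found by name. Separately, the description says this is a failed SRB request, yet the map omits the status value the example shows at L615 (`0xC0000185`) and the CDB bytes at L622; the Data names are not visible in the stripped example, so confirm them against the raw XML before adding an entry such as `Value: "/Event/EventData/Data[@Name=\"<status-field-name>\"]"`.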