From dab94aefeb0852f8c9ee8c4eaca8a9683648a5ca Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sun, 10 Jan 2021 07:52:22 -0500
Subject: [PATCH 01/15] Update BITS Documentation

---
 ...Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map | 3 +++
 ...Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map | 3 +++
 ...its-Client-Operational_Microsoft-Windows-Bits-Client_59.map | 3 ++-
 ...its-Client-Operational_Microsoft-Windows-Bits-Client_60.map | 3 ++-
 4 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map
index e8ca9f65..51f61641 100644
--- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map
@@ -42,6 +42,9 @@ Maps:
 # Documentation:
 # https://www.cecyf.fr/wp-content/uploads/2018/01/2018-CELTON-DELAHAYE-Analyse-des-jobs-BITS.pdf
 # https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm#SuccessCondition
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
+# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
 #
 # Example Event Data:
 #
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map
index 82f999dc..41d23991 100644
--- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map
@@ -49,6 +49,9 @@ Maps: # Documentation: # https://kb.eventtracker.com/evtpass/evtpages/EventId_4_Microsoft-Windows-Bits-Client_64107.asp +# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm +# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392 +# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195 # # Example Event Data: # diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map index d6d446bd..641b4c49 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map @@ -55,7 +55,8 @@ Maps: # https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm # https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195 # https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10) -# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734713(v=ws.10) +# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm +# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392 # # Example Event Data: # diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map index 33c24edd..f2bacfa4 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map 
@@ -55,7 +55,8 @@ Maps:
 # https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm
 # https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
 # https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
-# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734635(v=ws.10)
+# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
+# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
 #
 # Example Event Data:
 #

From a4b1220e9408c7de673f7438538d59fc6b10a811 Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sun, 10 Jan 2021 07:59:56 -0500
Subject: [PATCH 02/15] Create Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map

---
 ...ional_Microsoft-Windows-Bits-Client_61.map | 98 +++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map

diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map
new file mode 100644
index 00000000..89f9587d
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map
@@ -0,0 +1,98 @@ +Author: Andrew Rathbun +Description: BITS transfer has stopped +EventId: 61 +Channel: Microsoft-Windows-Bits-Client/Operational +Provider: Microsoft-Windows-Bits-Client +Maps: + - + Property: PayloadData1 + PropertyValue: "jobTitle: %jobTitle%" + Values: + - + Name: jobTitle + Value: "/Event/EventData/Data[@Name=\"name\"]" + - + Property: PayloadData2 + PropertyValue: "jobId: %jobId%" + Values: + - + Name: jobId + Value: "/Event/EventData/Data[@Name=\"Id\"]" + - + Property: PayloadData3 + PropertyValue: "URL: %url%" + Values: + - + Name: url + Value: "/Event/EventData/Data[@Name=\"url\"]" + - + Property: PayloadData4 + PropertyValue: "Peer: %peer%" + Values: + - + Name: peer + Value: "/Event/EventData/Data[@Name=\"peer\"]" + - + Property: PayloadData5 + PropertyValue: "Total Bytes: %bytesTotal% (Transferred: %bytesTransferred%)" + Values: + - + Name: bytesTotal + Value: "/Event/EventData/Data[@Name=\"bytesTotal\"]" + - + Name: bytesTransferred + Value: "/Event/EventData/Data[@Name=\"bytesTransferred\"]" + - + Property: PayloadData6 + PropertyValue: "Bytes Transferred from Peer: %bytesTransferredFromPeer%" + Values: + - + Name: bytesTransferredFromPeer + Value: "/Event/EventData/Data[@Name=\"bytesTransferredFromPeer\"]" + +# Documentation: +# https://kb.eventtracker.com/evtpass/evtpages/EventId_60_Microsoft-Windows-Bits-Client_64110.asp +# https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm +# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195 +# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10) +# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm +# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392 +# +# Example Event Data: +# +# +# +# 61 +# 1 +# 3 +# 0 +# 2 +# 0x4000030000000000 +# +# 667991 +# +# +# Microsoft-Windows-Bits-Client/Operational +# HOSTNAME.domain.com +# +# +# +# 
2567a913-0e06-4ef0-944f-2c9ec57ec669 +# CCM Message Upload {0D7FE3C1-810E-43BF-98F3-6BFED5837B6C} +# f3642209-4ea2-4ea9-b502-8320d93f45f0 +# http://HOSTNAME.comain.com:80/CCM_Incoming/{0D7FE3C1-810E-43BF-98F3-6BFABCDEFB6C} +# +# 246579813 +# 2020-08-07 01:03:05.5210175 +# 18440244073709551615 +# 189658 +# 0 +# +# 0 +# 0 +# 0 +# 0 +# 18446744073709551615 +# False +# +# From c49afb7f951e47d44fa541f2a44185fc5f728cf2 Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sun, 10 Jan 2021 08:04:51 -0500 Subject: [PATCH 03/15] Update Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map --- ...its-Client-Operational_Microsoft-Windows-Bits-Client_4.map | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map index 41d23991..1c5a8f90 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map @@ -6,11 +6,11 @@ Provider: Microsoft-Windows-Bits-Client Maps: - Property: UserName - PropertyValue: "jobOwner: %jobOwner%%string2%" + PropertyValue: "jobOwner: %jobOwner%" Values: - Name: jobOwner - Value: "/Event/EventData/Data[@Name=\"User\"]" + Value: "/Event/EventData/Data[@Name=\"jobOwner\"]" - Property: PayloadData1 PropertyValue: "jobTitle: %jobTitle%" From 8e9758c0e566d91154938ab38f0bfc6f41710724 Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sun, 10 Jan 2021 08:13:58 -0500 Subject: [PATCH 04/15] Update Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map --- ...-Operational_Microsoft-Windows-Bits-Client_4.map | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) 
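Review bot: The map for event 61 never surfaces the status code that says why the transfer stopped, which is the one field an analyst needs from this event before deciding whether a stopped job is benign; the example data carries a non-zero value (246579813) in the position where the 60.map example has 0, which presumably is that code, so confirm the element name against the event template and add a PayloadData entry for it. The Documentation block also links `EventId_60_Microsoft-Windows-Bits-Client_64110.asp`, the page for event 60, inside a map that describes event 61, most likely carried over from 60.map. The example's bytesTotal value `18440244073709551615` differs from the `18446744073709551615` sentinel that appears further down the same example, so it looks like a transcription slip worth checking against the source event.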
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map index 1c5a8f90..3651fd73 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map @@ -6,11 +6,11 @@ Provider: Microsoft-Windows-Bits-Client Maps: - Property: UserName - PropertyValue: "jobOwner: %jobOwner%" + PropertyValue: "%User%" Values: - - Name: jobOwner - Value: "/Event/EventData/Data[@Name=\"jobOwner\"]" + Name: User + Value: "/Event/EventData/Data[@Name=\"User\"]" - Property: PayloadData1 PropertyValue: "jobTitle: %jobTitle%" @@ -32,6 +32,13 @@ Maps: - Name: fileCount Value: "/Event/EventData/Data[@Name=\"fileCount\"]" +- + Property: PayloadData4 + PropertyValue: "Bytes jobOwner: %jobOwner%" + Values: + - + Name: jobOwner + Value: "/Event/EventData/Data[@Name=\"jobOwner\"]" - Property: PayloadData5 PropertyValue: "Bytes Transferred: %bytesTransferred%" From 0e015ee215caae0543a339444071dc239dc841e7 Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sun, 10 Jan 2021 08:14:19 -0500 Subject: [PATCH 05/15] Create Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map --- ...tional_Microsoft-Windows-Bits-Client_5.map | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map new file mode 100644 index 00000000..398661e7 --- /dev/null +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map 
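Review bot: The PayloadData4 entry added in the second hunk labels the job owner as `Bytes jobOwner: %jobOwner%`, which reads as a byte count; the value is an account name, so the line should be `PropertyValue: "jobOwner: %jobOwner%"`. The same label is copied into the new 5.map in PATCH 05/15 and survives the later "Minor fixes" patch, so both maps need the correction. Since the map now records both the User field and the jobOwner field, an unambiguous label keeps the two from being confused in output when they differ.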
@@ -0,0 +1,74 @@ +Author: Andrew Rathbun +Description: BITS job cancellation +EventId: 5 +Channel: Microsoft-Windows-Bits-Client/Operational +Provider: Microsoft-Windows-Bits-Client +Maps: +- + Property: UserName + PropertyValue: "%User%" + Values: + - + Name: User + Value: "/Event/EventData/Data[@Name=\"User\"]" + - + Property: PayloadData1 + PropertyValue: "jobTitle: %jobTitle%" + Values: + - + Name: jobTitle + Value: "/Event/EventData/Data[@Name=\"jobTitle\"]" + - + Property: PayloadData2 + PropertyValue: "jobId: %jobId%" + Values: + - + Name: jobId + Value: "/Event/EventData/Data[@Name=\"jobId\"]" + - + Property: PayloadData3 + PropertyValue: "fileCount: %fileCount%" + Values: + - + Name: fileCount + Value: "/Event/EventData/Data[@Name=\"fileCount\"]" + - + Property: PayloadData4 + PropertyValue: "Bytes jobOwner: %jobOwner%" + Values: + - + Name: jobOwner + Value: "/Event/EventData/Data[@Name=\"jobOwner\"]" + +# Documentation: +# https://kb.eventtracker.com/evtpass/evtpages/EventId_4_Microsoft-Windows-Bits-Client_64107.asp +# https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm +# https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392 +# https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195 +# +# Example Event Data: +# +# +# +# 5 +# 0 +# 4 +# 0 +# 0 +# 0x4000060000000000 +# +# 651942 +# +# +# Microsoft-Windows-Bits-Client/Operational +# HOSTNAME.domain.com +# +# +# +# NT AUTHORITY\SYSTEM +# CCM Message Upload {5F4D139A-8476-4FFB-BDCC-0A61ARDE528F} +# 2679aae7-d9d0-4a03-b110-87eb72619f87 +# NT AUTHORITY\SYSTEM +# 1 +# +# From fb2d50785c095c0bf8fcfd360253aabaa21a0e01 Mon Sep 17 00:00:00 2001 
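Review bot: The Documentation block of this new map for event 5 links `EventId_4_Microsoft-Windows-Bits-Client_64107.asp`, the EventTracker page for event 4, presumably copied from 4.map; either point it at the event 5 page or add a comment such as `# (EventTracker page describes the sibling event 4; field layout is shared)` so a reader is not misled. The example event data shows the same principal (`NT AUTHORITY\SYSTEM`) in both the User and jobOwner positions, so a one-line comment noting that these two fields can differ would make the sample more useful than it is now.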
From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sun, 10 Jan 2021 08:14:24 -0500 Subject: [PATCH 06/15] Update Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map --- ...-Operational_Microsoft-Windows-Bits-Client_61.map | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map index 89f9587d..9e26ba81 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map @@ -4,35 +4,35 @@ EventId: 61 Channel: Microsoft-Windows-Bits-Client/Operational Provider: Microsoft-Windows-Bits-Client Maps: - - + - Property: PayloadData1 PropertyValue: "jobTitle: %jobTitle%" Values: - Name: jobTitle Value: "/Event/EventData/Data[@Name=\"name\"]" - - + - Property: PayloadData2 PropertyValue: "jobId: %jobId%" Values: - Name: jobId Value: "/Event/EventData/Data[@Name=\"Id\"]" - - + - Property: PayloadData3 PropertyValue: "URL: %url%" Values: - Name: url Value: "/Event/EventData/Data[@Name=\"url\"]" - - + - Property: PayloadData4 PropertyValue: "Peer: %peer%" Values: - Name: peer Value: "/Event/EventData/Data[@Name=\"peer\"]" - - + - Property: PayloadData5 PropertyValue: "Total Bytes: %bytesTotal% (Transferred: %bytesTransferred%)" Values: @@ -42,7 +42,7 @@ Maps: - Name: bytesTransferred Value: "/Event/EventData/Data[@Name=\"bytesTransferred\"]" - - + - Property: PayloadData6 PropertyValue: "Bytes Transferred from Peer: %bytesTransferredFromPeer%" Values: From c12ce8847462aed38c3a5d6aa38e5071363cd799 Mon Sep 17 00:00:00 2001 
From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sun, 10 Jan 2021 08:20:00 -0500 Subject: [PATCH 07/15] Update Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map --- ...tional_Microsoft-Windows-Bits-Client_4.map | 52 +++++++++---------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map index 3651fd73..a67499b0 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map @@ -62,30 +62,30 @@ Maps: # # Example Event Data: # - # - # - # 4 - # 1 - # 4 - # 0 - # 0 - # 0x4000000000000000 - # - # 2778 - # - # - # Microsoft-Windows-Bits-Client/Operational - # MSEDGEWIN10 - # - # - # - # MSEDGEWIN10\IEUser - # Download LockScreen Image - # ff819706-9ff9-490b-ade5-b069232c5d23 - # MSEDGEWIN10\IEUser - # 1 - # 162791 - # 0 - # -# +# +# +# 4 +# 1 +# 4 +# 0 +# 0 +# 0x4000000000000000 +# +# 2778 +# +# +# Microsoft-Windows-Bits-Client/Operational +# MSEDGEWIN10 +# +# +# +# MSEDGEWIN10\IEUser +# Download LockScreen Image +# ff819706-9ff9-490b-ade5-b069232c5d23 +# MSEDGEWIN10\IEUser +# 1 +# 162791 +# 0 +# +# From 0b4f5183a08ea29676b838336bc18ac6c19bdfa2 Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sun, 10 Jan 2021 08:20:02 -0500 Subject: [PATCH 08/15] Update Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map --- ...tional_Microsoft-Windows-Bits-Client_5.map | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map index 398661e7..8f1587f3 100644 
--- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map @@ -47,28 +47,28 @@ Maps: # https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195 # # Example Event Data: -# -# -# -# 5 -# 0 -# 4 -# 0 -# 0 -# 0x4000060000000000 -# -# 651942 -# -# -# Microsoft-Windows-Bits-Client/Operational -# HOSTNAME.domain.com -# -# -# -# NT AUTHORITY\SYSTEM -# CCM Message Upload {5F4D139A-8476-4FFB-BDCC-0A61ARDE528F} -# 2679aae7-d9d0-4a03-b110-87eb72619f87 -# NT AUTHORITY\SYSTEM -# 1 -# -# +# +# +# +# 5 +# 0 +# 4 +# 0 +# 0 +# 0x4000060000000000 +# +# 651942 +# +# +# Microsoft-Windows-Bits-Client/Operational +# HOSTNAME.domain.com +# +# +# +# NT AUTHORITY\SYSTEM +# CCM Message Upload {5F4D139A-8476-4FFB-BDCC-0A61ARDE528F} +# 2679aae7-d9d0-4a03-b110-87eb72619f87 +# NT AUTHORITY\SYSTEM +# 1 +# +# From ba916a22cbe2b620e6e77d44975fa794cd213122 Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sun, 10 Jan 2021 08:20:07 -0500 Subject: [PATCH 09/15] Update Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map --- ...ional_Microsoft-Windows-Bits-Client_60.map | 74 +++++++++---------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map index f2bacfa4..70bf1959 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map 
@@ -59,40 +59,40 @@ Maps: # https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392 # # Example Event Data: -# -# -# -# 60 -# 1 -# 4 -# 0 -# 2 -# 0x4000000800000000 -# -# 1532 -# -# -# Microsoft-Windows-Bits-Client/Operational -# HOSTNAME -# -# -# -# 76052606-f8ef-40f3-853b-9d3725e4b2f7 -# UpdateXml -# f4ecc13b-4421-48a3-8766-4b987a0e5995 -# https://g.live.com/123rewlive5skydrive/OneDriveProduction?OneDriveUpdate=f37fd774d9b58ea48d76eacfee1e -# -# 0 -# 2020-11-23 20:04:21.0000000 -# 993 -# 993 -# 993 -# -# 0 -# 0 -# 0 -# 0 -# 18446749973709551615 -# False -# -# +# +# +# +# 60 +# 1 +# 4 +# 0 +# 2 +# 0x4000000800000000 +# +# 1532 +# +# +# Microsoft-Windows-Bits-Client/Operational +# HOSTNAME +# +# +# +# 76052606-f8ef-40f3-853b-9d3725e4b2f7 +# UpdateXml +# f4ecc13b-4421-48a3-8766-4b987a0e5995 +# https://g.live.com/123rewlive5skydrive/OneDriveProduction?OneDriveUpdate=f37fd774d9b58ea48d76eacfee1e +# +# 0 +# 2020-11-23 20:04:21.0000000 +# 993 +# 993 +# 993 +# +# 0 +# 0 +# 0 +# 0 +# 18446749973709551615 +# False +# +# From 130f3c9f5cab12e3f77536088914dd244c14678b Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sun, 10 Jan 2021 08:20:10 -0500 Subject: [PATCH 10/15] Update Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map --- ...ional_Microsoft-Windows-Bits-Client_61.map | 74 +++++++++---------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map index 9e26ba81..a657d696 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_61.map 
@@ -59,40 +59,40 @@ Maps: # https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392 # # Example Event Data: -# -# -# -# 61 -# 1 -# 3 -# 0 -# 2 -# 0x4000030000000000 -# -# 667991 -# -# -# Microsoft-Windows-Bits-Client/Operational -# HOSTNAME.domain.com -# -# -# -# 2567a913-0e06-4ef0-944f-2c9ec57ec669 -# CCM Message Upload {0D7FE3C1-810E-43BF-98F3-6BFED5837B6C} -# f3642209-4ea2-4ea9-b502-8320d93f45f0 -# http://HOSTNAME.comain.com:80/CCM_Incoming/{0D7FE3C1-810E-43BF-98F3-6BFABCDEFB6C} -# -# 246579813 -# 2020-08-07 01:03:05.5210175 -# 18440244073709551615 -# 189658 -# 0 -# -# 0 -# 0 -# 0 -# 0 -# 18446744073709551615 -# False -# -# +# +# +# +# 61 +# 1 +# 3 +# 0 +# 2 +# 0x4000030000000000 +# +# 667991 +# +# +# Microsoft-Windows-Bits-Client/Operational +# HOSTNAME.domain.com +# +# +# +# 2567a913-0e06-4ef0-944f-2c9ec57ec669 +# CCM Message Upload {0D7FE3C1-810E-43BF-98F3-6BFED5837B6C} +# f3642209-4ea2-4ea9-b502-8320d93f45f0 +# http://HOSTNAME.comain.com:80/CCM_Incoming/{0D7FE3C1-810E-43BF-98F3-6BFABCDEFB6C} +# +# 246579813 +# 2020-08-07 01:03:05.5210175 +# 18440244073709551615 +# 189658 +# 0 +# +# 0 +# 0 +# 0 +# 0 +# 18446744073709551615 +# False +# +# From d9eb330a9576d748937dbb2be74f6f29261b6ace Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sun, 10 Jan 2021 08:40:29 -0500 Subject: [PATCH 11/15] Update Documentation --- ...s-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map | 1 + ...s-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map | 1 + ...s-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map | 1 + 3 files changed, 3 insertions(+) diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map index 51f61641..dee17864 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map 
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map
@@ -44,6 +44,7 @@ Maps:
 # https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm#SuccessCondition
 # https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
 # https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
 # https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
 #
 # Example Event Data:
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map
index a67499b0..5b7ee95f 100644
--- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map
@@ -58,6 +58,7 @@ Maps:
 # https://kb.eventtracker.com/evtpass/evtpages/EventId_4_Microsoft-Windows-Bits-Client_64107.asp
 # https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
 # https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
 # https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
 #
 # Example Event Data:
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map
index 8f1587f3..007315fa 100644
--- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map
+++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map
@@ -44,6 +44,7 @@ Maps:
 # https://kb.eventtracker.com/evtpass/evtpages/EventId_4_Microsoft-Windows-Bits-Client_64107.asp
 # https://www.adash.org/jfb/Training247/Bit_Deep_Dive_Tshoot.htm
 # https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127392
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc734695(v=ws.10)
 # https://www.sans.org/reading-room/whitepapers/forensics/bits-forensics-39195
 #
 # Example Event Data:

From 070ab574ed7b2e9f234b358970ad9e3d2a07cf8b Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Sun, 10 Jan 2021 08:46:37 -0500
Subject: [PATCH 12/15] Create Microsoft-Windows-Storage-ClassPnP-Operational_Microsoft-Windows-Storage-ClassPnP_507.map

---
 ...Microsoft-Windows-Storage-ClassPnP_507.map | 83 +++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 evtx/Maps/Microsoft-Windows-Storage-ClassPnP-Operational_Microsoft-Windows-Storage-ClassPnP_507.map

diff --git a/evtx/Maps/Microsoft-Windows-Storage-ClassPnP-Operational_Microsoft-Windows-Storage-ClassPnP_507.map b/evtx/Maps/Microsoft-Windows-Storage-ClassPnP-Operational_Microsoft-Windows-Storage-ClassPnP_507.map
new file mode 100644
index 00000000..54b8a585
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Storage-ClassPnP-Operational_Microsoft-Windows-Storage-ClassPnP_507.map
@@ -0,0 +1,83 @@ +Author: Andrew Rathbun +Description: Completing a failed non-ReadWrite SCSI SRB request +EventId: 507 +Channel: "Microsoft-Windows-Storage-ClassPnP/Operational" +Provider: "Microsoft-Windows-StorDiag" +Maps: + - + Property: PayloadData1 + PropertyValue: "DeviceGUID: %DeviceGUID%" + Values: + - + Name: DeviceGUID + Value: "/Event/EventData/Data[@Name=\"DeviceGUID\"]" + - + Property: PayloadData2 + PropertyValue: "Vendor: %Vendor%" + Values: + - + Name: Vendor + Value: "/Event/EventData/Data[@Name=\"Vendor\"]" + - + Property: PayloadData3 + PropertyValue: "Model: %Model%" + Values: + - + Name: Model + Value: "/Event/EventData/Data[@Name=\"Model\"]" + - + Property: PayloadData4 + PropertyValue: "SerialNumber: %SerialNumber%" + Values: + - + Name: SerialNumber + Value: "/Event/EventData/Data[@Name=\"SerialNumber\"]" + - + Property: PayloadData5 + PropertyValue: "FirmwareVersion: %FirmwareVersion%" + Values: + - + Name: FirmwareVersion + Value: "/Event/EventData/Data[@Name=\"FirmwareVersion\"]" + +# Documentation: +# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/ +# https://www.mcbsys.com/blog/2016/08/stordiag-errors-after-windows-10-upgrade/ +# https://www.windowsphoneinfo.com/threads/event-507-completing-a-failed-non-readwrite-scsi-srb-request.275718/ +# +# Example Event Data: +# +# +# +# 507 +# 1 +# 2 +# 200 +# 101 +# 0x800000038000000 +# +# 2 +# +# +# Microsoft-Windows-Storage-ClassPnP/Operational +# HOSTNAME +# +# +# +# 3c1723fd-1386-004c-ea45-358679129f24 +# 3 +# Msft +# Virtual Disk +# 1.0 +# NULL +# 0xC0000185 +# 4 +# 2 +# 0 +# 0 +# 0 +# 10 +# 35-00-00-00-00-00-00-00-00-00 +# 5 +# +# From 7b606d0e0c97ccdf6ca473b29891a7b224e5f18e Mon Sep 17 00:00:00 2001 
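Review bot: The Provider line reads `"Microsoft-Windows-StorDiag"` while the file name and the Channel line both say Microsoft-Windows-Storage-ClassPnP; if the map loader selects maps by Channel, Provider and EventId together, one of the two is wrong and the map will either never match or be filed under the wrong provider. The provider element of the example event is not readable on this page, so confirm it from a live event and reconcile either the file name or the Provider line to match. The example also carries a status-looking value `0xC0000185` right after the FirmwareVersion that the map does not expose; if the event template names that element, mapping it would tell an analyst why the request failed and not only which device it concerned.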
From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sun, 10 Jan 2021 09:03:35 -0500 Subject: [PATCH 13/15] Minor fixes --- ...Operational_Microsoft-Windows-Bits-Client_4.map | 14 +++++++------- ...Operational_Microsoft-Windows-Bits-Client_5.map | 8 ++++---- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map index 5b7ee95f..01b53044 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map @@ -4,49 +4,49 @@ EventId: 4 Channel: Microsoft-Windows-Bits-Client/Operational Provider: Microsoft-Windows-Bits-Client Maps: - - + - Property: UserName PropertyValue: "%User%" Values: - Name: User Value: "/Event/EventData/Data[@Name=\"User\"]" - - + - Property: PayloadData1 PropertyValue: "jobTitle: %jobTitle%" Values: - Name: jobTitle Value: "/Event/EventData/Data[@Name=\"jobTitle\"]" - - + - Property: PayloadData2 PropertyValue: "jobId: %jobId%" Values: - Name: jobId Value: "/Event/EventData/Data[@Name=\"jobId\"]" - - + - Property: PayloadData3 PropertyValue: "fileCount: %fileCount%" Values: - Name: fileCount Value: "/Event/EventData/Data[@Name=\"fileCount\"]" -- + - Property: PayloadData4 PropertyValue: "Bytes jobOwner: %jobOwner%" Values: - Name: jobOwner Value: "/Event/EventData/Data[@Name=\"jobOwner\"]" - - + - Property: PayloadData5 PropertyValue: "Bytes Transferred: %bytesTransferred%" Values: - Name: bytesTransferred Value: "/Event/EventData/Data[@Name=\"bytesTransferred\"]" - - + - Property: PayloadData6 PropertyValue: "Bytes Transferred from Peer: %bytesTransferredFromPeer%" Values: 
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map index 007315fa..4b08ca97 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map @@ -4,28 +4,28 @@ EventId: 5 Channel: Microsoft-Windows-Bits-Client/Operational Provider: Microsoft-Windows-Bits-Client Maps: -- + - Property: UserName PropertyValue: "%User%" Values: - Name: User Value: "/Event/EventData/Data[@Name=\"User\"]" - - + - Property: PayloadData1 PropertyValue: "jobTitle: %jobTitle%" Values: - Name: jobTitle Value: "/Event/EventData/Data[@Name=\"jobTitle\"]" - - + - Property: PayloadData2 PropertyValue: "jobId: %jobId%" Values: - Name: jobId Value: "/Event/EventData/Data[@Name=\"jobId\"]" - - + - Property: PayloadData3 PropertyValue: "fileCount: %fileCount%" Values: From d12e3ff7b1e9f939c63dbbb20fcbfa3b2ab83f8a Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sun, 10 Jan 2021 09:03:37 -0500 Subject: [PATCH 14/15] Create Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_101.map --- ...crosoft-Windows-DeviceSetupManager_101.map | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_101.map diff --git a/evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_101.map b/evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_101.map new file mode 100644 index 00000000..203acb7f --- /dev/null +++ b/evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_101.map 
@@ -0,0 +1,49 @@ +Author: Andrew Rathbun +Description: Microsoft-Windows-DeviceSetupManager service shutting down +EventId: 101 +Channel: "Microsoft-Windows-DeviceSetupManager/Admin" +Provider: "Microsoft-Windows-DeviceSetupManager" +Maps: + - + Property: PayloadData1 + PropertyValue: "Prop_UpTime_Seconds: %Prop_UpTime_Seconds%" + Values: + - + Name: Prop_UpTime_Seconds + Value: "/Event/EventData/Data[@Name=\"Prop_UpTime_Seconds\"]" + - + Property: PayloadData2 + PropertyValue: "Prop_WorkTime_MilliSeconds: %Prop_WorkTime_MilliSeconds%" + Values: + - + Name: Prop_WorkTime_MilliSeconds + Value: "/Event/EventData/Data[@Name=\"Prop_WorkTime_MilliSeconds\"]" + +# Documentation: +# https://cyberforensicator.com/wp-content/uploads/2017/09/USB-Storage-Device-Forensics-for-Windows-10.pdf +# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/ +# https://www.swiftforensics.com/2013/11/event-log-entries-for-devices-in.html +# This event directly follows a 112 event. +# +# +# +# +# 101 +# 0 +# 4 +# 0 +# 0 +# 0x4000000000500000 +# +# 1234 +# +# +# Microsoft-Windows-DeviceSetupManager/Admin +# HOSTNAME.domain.com +# +# +# +# 172 +# 51849 +# +# From b81277346f090b9ae618636d08b2cd3dbc068f58 Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sun, 10 Jan 2021 09:03:42 -0500 Subject: [PATCH 15/15] Create Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_100.map --- ...crosoft-Windows-DeviceSetupManager_100.map | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_100.map diff --git a/evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_100.map b/evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_100.map new file mode 100644 index 00000000..3143767b --- /dev/null 
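Review bot: The `# Example Event Data:` header that introduces the sample XML in the sibling 100.map and in every other map of this series is missing here; the XML begins immediately after `# This event directly follows a 112 event.`, so insert the header line (and the blank `#` separator the other maps use) before it. The sentence "directly follows a 112 event" would also be clearer if it named the channel or provider of event 112, since a reader of this file alone cannot tell whether that is another DeviceSetupManager event.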
+++ b/evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_100.map @@ -0,0 +1,50 @@ +Author: Andrew Rathbun +Description: Microsoft-Windows-DeviceSetupManager service starting +EventId: 100 +Channel: "Microsoft-Windows-DeviceSetupManager/Admin" +Provider: "Microsoft-Windows-DeviceSetupManager" +Maps: + - + Property: PayloadData1 + PropertyValue: "Prop_UpTime_Seconds: %Prop_UpTime_Seconds%" + Values: + - + Name: Prop_UpTime_Seconds + Value: "/Event/EventData/Data[@Name=\"Prop_UpTime_Seconds\"]" + - + Property: PayloadData2 + PropertyValue: "Prop_WorkTime_MilliSeconds: %Prop_WorkTime_MilliSeconds%" + Values: + - + Name: Prop_WorkTime_MilliSeconds + Value: "/Event/EventData/Data[@Name=\"Prop_WorkTime_MilliSeconds\"]" + +# Documentation: +# https://cyberforensicator.com/wp-content/uploads/2017/09/USB-Storage-Device-Forensics-for-Windows-10.pdf +# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/ +# https://www.swiftforensics.com/2013/11/event-log-entries-for-devices-in.html +# This event directly precedes a 112 event. +# +# Example Event Data: +# +# +# +# 100 +# 0 +# 4 +# 0 +# 0 +# 0x4000000040000000 +# +# 2098 +# +# +# Microsoft-Windows-DeviceSetupManager/Admin +# HOSTNAME.domain.com +# +# +# +# 0 +# 71534 +# +#