From 73a00071f6aa075dd7b2a1e948b6949deaff393b Mon Sep 17 00:00:00 2001
From: reece394 <31659691+reece394@users.noreply.github.com>
Date: Sat, 1 Jun 2024 17:19:48 +0100
Subject: [PATCH 1/5] Antivirus Maps
---
...re-Application-F-Secure-Anti-Virus_103.map | 56 +++++++++++++++++++
...re-Application-F-Secure-Anti-Virus_207.map | 56 +++++++++++++++++++
...re-Application-F-Secure-Anti-Virus_296.map | 56 +++++++++++++++++++
...re-Application-F-Secure-Anti-Virus_722.map | 56 +++++++++++++++++++
...pplication_Trellix-Endpoint-Security_3.map | 51 +++++++++++++++++
5 files changed, 275 insertions(+)
create mode 100644 evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_103.map
create mode 100644 evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_207.map
create mode 100644 evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_296.map
create mode 100644 evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_722.map
create mode 100644 evtx/Maps/Application_Trellix-Endpoint-Security_3.map
diff --git a/evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_103.map b/evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_103.map
new file mode 100644
index 0000000..4364730
--- /dev/null
+++ b/evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_103.map
@@ -0,0 +1,56 @@
+Author: Reece394
+Description: F-Secure Anti-Virus - Manual scanning was finished - workstation was found infected
+EventId: 103
+Channel: "Application"
+Provider: "FSecure-FSecure Application-F-Secure Anti-Virus"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data[@Name=\"MessageText\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "%PayloadData2%"
+ Values:
+ -
+ Name: PayloadData2
+ Value: "/Event/EventData/Data[@Name=\"UserName\"]"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+#
+#
+#
+# 103
+# 0
+# 1
+# 0
+# 0
+# 0x8000000000000000
+#
+# 706
+#
+#
+# Application
+# User-PC
+#
+#
+#
+# Manual scanning was finished - workstation was found infected!
+# 1704574227
+# 103
+# 9
+# 5
+# user-pc
+# User-PC\User
+# 1.3.6.1.4.1.2213.12
+# F-Secure Anti-Virus
+# 0
+#
+#
+#
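Review bot: The Description on the second line of this hunk pins Event ID 103 to one exact message ("Manual scanning was finished - workstation was found infected"), yet the map copies MessageText into PayloadData1 regardless of what it says, and the F-Secure 11 map added in patch 2/5 of this same series documents ID 103 with a "Malicious code found in file" message. If 103 under this provider also carries other texts, an analyst reading the mapped Description column will be told a manual scan finished when the event actually records something else; I would loosen it to `Description: F-Secure Anti-Virus - Scan result / infection event (message text in PayloadData1)`. This is hedged on a single sample event, so the safer alternative is to record under the `# Documentation:` header which MessageText values were observed for 103 rather than leaving it `N/A`.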
diff --git a/evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_207.map b/evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_207.map
new file mode 100644
index 0000000..aebaaf5
--- /dev/null
+++ b/evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_207.map
@@ -0,0 +1,56 @@
+Author: Reece394
+Description: F-Secure Anti-Virus - Malicious code found in file
+EventId: 207
+Channel: "Application"
+Provider: "FSecure-FSecure Application-F-Secure Anti-Virus"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data[@Name=\"MessageText\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "%PayloadData2%"
+ Values:
+ -
+ Name: PayloadData2
+ Value: "/Event/EventData/Data[@Name=\"UserName\"]"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+#
+#
+#
+# 207
+# 0
+# 1
+# 0
+# 0
+# 0x8000000000000000
+#
+# 703
+#
+#
+# Application
+# User-PC
+#
+#
+#
+# Malicious code found in file C:\Users\User\Downloads\mimikatz_trunk\x64\mimispool.dll. , Infection: Heuristic.HEUR/AGEN.1240390 , Action: The file was quarantined. ,
+# 1704572591
+# 207
+# 8
+# 5
+# user-pc
+# User-PC\User
+# 1.3.6.1.4.1.2213.12
+# F-Secure Anti-Virus
+# 3
+# C:\Users\User\Downloads\mimikatz_trunk\x64\mimispool.dll, Heuristic.HEUR/AGEN.1240390
+#
+#
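Review bot: PayloadData1 on this hunk carries the whole MessageText, so the file path, the detection name (`Heuristic.HEUR/AGEN.1240390`) and the remediation outcome (`The file was quarantined.`) arrive as one string, and an analyst cannot filter or pivot on "what was detected" or "was it actually removed" without free-text parsing. The sample message uses fixed ` , Infection: ` and ` , Action: ` separators, which makes two small Refine extractions cheap; the Trellix map in this same patch already relies on Refine, so the mechanism is established. I am assuming Refine yields the first match of the expression — if it concatenates all matches the lookbehind form below still returns a single segment. The existing two entries stay as they are.

```yaml
Maps:
 # … unchanged: PayloadData1 (MessageText) and PayloadData2 (UserName) entries …
 -
  Property: PayloadData3
  PropertyValue: "%PayloadData3%"
  Values:
   -
    Name: PayloadData3
    Value: "/Event/EventData/Data[@Name=\"MessageText\"]"
    Refine: "(?<=Infection: )[^,]+"
 -
  Property: PayloadData4
  PropertyValue: "%PayloadData4%"
  Values:
   -
    Name: PayloadData4
    Value: "/Event/EventData/Data[@Name=\"MessageText\"]"
    Refine: "(?<=Action: )[^,]+"
```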
diff --git a/evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_296.map b/evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_296.map
new file mode 100644
index 0000000..d9b92d6
--- /dev/null
+++ b/evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_296.map
@@ -0,0 +1,56 @@
+Author: Reece394
+Description: F-Secure Anti-Virus - Spyware detected
+EventId: 296
+Channel: "Application"
+Provider: "FSecure-FSecure Application-F-Secure Anti-Virus"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data[@Name=\"MessageText\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "%PayloadData2%"
+ Values:
+ -
+ Name: PayloadData2
+ Value: "/Event/EventData/Data[@Name=\"UserName\"]"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+#
+#
+#
+# 296
+# 0
+# 1
+# 0
+# 0
+# 0x8000000000000000
+#
+# 698
+#
+#
+# Application
+# User-PC
+#
+#
+#
+# Spyware detected: , Type: riskware , Family: , Name: Hack-Tool:W32/Mimikatz.G , Object: C:\Users\User\Downloads\mimikatz_trunk\Win32\mimidrv.sys ,
+# 1704572591
+# 296
+# 3
+# 5
+# user-pc
+# User-PC\User
+# 1.3.6.1.4.1.2213.12
+# F-Secure Anti-Virus
+# 4
+# riskware, Hack-Tool:W32/Mimikatz.G, C:\Users\User\Downloads\mimikatz_trunk\Win32\mimidrv.sys
+#
+#
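Review bot: The sample MessageText in this hunk has no `Action:` segment, unlike the 207 and 722 messages in the sibling maps of this patch, so PayloadData1 tells the analyst the type, name and object path but nothing about whether the riskware object was quarantined, deleted or left on disk. That gap is easy to misread as "handled"; I would make it explicit in the second line, e.g. `Description: F-Secure Anti-Virus - Spyware/riskware detected (detection only; remediation is not reported in this event)`, hedged because one sample may not show every 296 variant. The `Family:` field is also empty in the sample, so if that is typical, a Refine on `Name:` (here `Hack-Tool:W32/Mimikatz.G`) would be the more useful pivot than the full text.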
diff --git a/evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_722.map b/evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_722.map
new file mode 100644
index 0000000..cba0559
--- /dev/null
+++ b/evtx/Maps/Application_FSecure-FSecure-Application-F-Secure-Anti-Virus_722.map
@@ -0,0 +1,56 @@
+Author: Reece394
+Description: F-Secure Anti-Virus - Web Traffic Scanning Alert
+EventId: 722
+Channel: "Application"
+Provider: "FSecure-FSecure Application-F-Secure Anti-Virus"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data[@Name=\"MessageText\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "%PayloadData2%"
+ Values:
+ -
+ Name: PayloadData2
+ Value: "/Event/EventData/Data[@Name=\"UserName\"]"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+#
+#
+#
+# 722
+# 0
+# 1
+# 0
+# 0
+# 0x8000000000000000
+#
+# 696
+#
+#
+# Application
+# User-PC
+#
+#
+#
+# Web Traffic Scanning Alert , Infection: http://malware.wicar.org/data/eicar.com , Object name: EICAR_Test_File , Action: Malicious content was blocked.
+# 1704572281
+# 722
+# 1
+# 5
+# user-pc
+# User-PC\User
+# 1.3.6.1.4.1.2213.12
+# F-Secure Anti-Virus
+# 3
+# http://malware.wicar.org/data/eicar.com, EICAR_Test_File
+#
+#
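Review bot: The blocked URL (`http://malware.wicar.org/data/eicar.com`) is the single most useful indicator in this event, but PayloadData1 buries it inside the full MessageText alongside the object name and action, so it cannot be pivoted on or stacked across hosts without parsing the text again. The sample message places the URL directly after ` , Infection: ` and it contains no spaces or commas, so a character-class Refine extracts it without backslash escapes (which the YAML double-quoted form in these maps would otherwise misinterpret). I am assuming Refine returns the matched text; the two existing entries are left untouched.

```yaml
Maps:
 # … unchanged: PayloadData1 (MessageText) and PayloadData2 (UserName) entries …
 -
  Property: PayloadData3
  PropertyValue: "%PayloadData3%"
  Values:
   -
    Name: PayloadData3
    Value: "/Event/EventData/Data[@Name=\"MessageText\"]"
    Refine: "(?<=Infection: )[^ ,]+"
```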
diff --git a/evtx/Maps/Application_Trellix-Endpoint-Security_3.map b/evtx/Maps/Application_Trellix-Endpoint-Security_3.map
new file mode 100644
index 0000000..9e8f2b5
--- /dev/null
+++ b/evtx/Maps/Application_Trellix-Endpoint-Security_3.map
@@ -0,0 +1,51 @@
+Author: Peter Snyder, Reece394
+Description: Trellix Endpoint Detection
+EventId: 3
+Channel: "Application"
+Provider: "Trellix Endpoint Security"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "%PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data"
+ Refine: EventID=(\d{1,4})\b
+ -
+ Property: PayloadData2
+ PropertyValue: "%PayloadData2%"
+ Values:
+ -
+ Name: PayloadData2
+ Value: "/Event/EventData/Data"
+ Refine: (\S+ (ran|file).*(Trojan|detected|blocked|executed).*.)
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+#
+#
+#
+# 3
+# 0
+# 2
+# 0
+# 0
+# 0x80000000000000
+#
+# 811
+#
+#
+# Application
+# DESKTOP-8EB4LCL
+#
+#
+#
+# EventID=1027
+#
+# DESKTOP-8EB4LCL\User ran C:\Program Files\7-Zip\7zG.exe, which attempted to access C:\Users\User\Downloads\1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b\1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b.exe. The Trojan named Artemis!5FE4EA367CEE was detected and deleted.
+#
+#
+#
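Review bot: The Refine `EventID=(\d{1,4})\b` on PayloadData1 silently returns nothing for any Trellix event ID longer than four digits, because `\b` cannot sit between two digits and the quantifier has no shorter alternative that ends on a boundary; `EventID=(\d+)\b` captures the same `1027` from the sample and does not break if five-digit IDs exist, which I cannot confirm from this hunk. The PayloadData2 Refine `(\S+ (ran|file).*(Trojan|detected|blocked|executed).*.)` is likewise an allow-list of verbs and keywords, so any message that lacks "ran"/"file" or one of the four outcome words yields an empty PayloadData2 rather than the raw text, and the trailing `.*.` only asserts one extra arbitrary character. A comment above that entry noting that unmatched messages produce an empty column would at least make the failure mode visible to the analyst.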
From f0abe0f7851a5669da0f83ea02dd23498dd29659 Mon Sep 17 00:00:00 2001
From: reece394 <31659691+reece394@users.noreply.github.com>
Date: Sat, 1 Jun 2024 23:48:18 +0100
Subject: [PATCH 2/5] F-Secure 11 Map
---
...Secure-FSecure-F-Secure-Anti-Virus_103.map | 50 +++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 evtx/Maps/Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map
diff --git a/evtx/Maps/Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map b/evtx/Maps/Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map
new file mode 100644
index 0000000..5e6278f
--- /dev/null
+++ b/evtx/Maps/Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map
@@ -0,0 +1,50 @@
+Author: Reece394
+Description: F-Secure Anti-Virus Detection
+EventId: 103
+Channel: "Application"
+Provider: "FSecure-FSecure-F-Secure Anti-Virus"
+Maps:
+ -
+ Property: UserName
+ PropertyValue: "%UserName%"
+ Values:
+ -
+ Name: UserName
+ Value: "/Event/EventData/Data"
+ Refine: "(?<=^([^ ]* ){4})[^ ]+"
+ -
+ Property: PayloadData1
+ PropertyValue: "%PayloadData1%"
+ Values:
+ -
+ Name: PayloadData1
+ Value: "/Event/EventData/Data"
+ Refine: "(?<=\n )(.*)"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+#
+#
+#
+# 103
+# 2
+# 0
+# 0x80000000000000
+#
+# 732
+# Application
+# User-PC
+#
+#
+#
+# 2 2024-01-06 18:57:21+00:00 user-pc User-PC\User F-Secure Anti-Virus
+# Malicious code found in file C:\Users\User\Downloads\mimikatz_trunk\Win32\mimilove.exe.
+# Infection: Heuristic.HEUR/AGEN.1221331
+# Action: The file was deleted.
+#
+#
+#
+#
+#
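Review bot: The PayloadData1 Refine `(?<=\n )(.*)` captures only the first line after the header (`Malicious code found in file …`) because `.` does not span newlines, so the `Infection:` and `Action:` lines visible in the sample — including `The file was deleted.`, the fact an analyst most needs — are dropped from the mapped output, assuming Refine returns a single match. The UserName Refine `(?<=^([^ ]* ){4})[^ ]+` is also positional and stops at the first space, so a `DOMAIN\First Last` style name would be truncated; worth a hedged comment since only one sample is shown. The sample uses fixed `Infection: ` / `Action: ` prefixes, so two extra entries recover the lost lines without touching the existing ones.

```yaml
Maps:
 # … unchanged: UserName and PayloadData1 entries …
 -
  Property: PayloadData2
  PropertyValue: "%PayloadData2%"
  Values:
   -
    Name: PayloadData2
    Value: "/Event/EventData/Data"
    Refine: "(?<=Infection: ).*"
 -
  Property: PayloadData3
  PropertyValue: "%PayloadData3%"
  Values:
   -
    Name: PayloadData3
    Value: "/Event/EventData/Data"
    Refine: "(?<=Action: ).*"
```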
From 3d9d07208e8835c04e882854d0e83075943d24f8 Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Sat, 1 Jun 2024 19:34:24 -0400
Subject: [PATCH 3/5] Update
Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map
remove trailing space
---
.../Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/evtx/Maps/Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map b/evtx/Maps/Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map
index 5e6278f..fc71704 100644
--- a/evtx/Maps/Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map
+++ b/evtx/Maps/Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map
@@ -43,7 +43,7 @@ Maps:
# Malicious code found in file C:\Users\User\Downloads\mimikatz_trunk\Win32\mimilove.exe.
# Infection: Heuristic.HEUR/AGEN.1221331
# Action: The file was deleted.
-#
+#
#
#
#
From f6587f3c214300d7aee6040cd9cb36f72b96879b Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Sat, 1 Jun 2024 19:35:14 -0400
Subject: [PATCH 4/5] Update
Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map
remove 3 more trailing spaces
---
.../Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/evtx/Maps/Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map b/evtx/Maps/Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map
index fc71704..6e7c41a 100644
--- a/evtx/Maps/Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map
+++ b/evtx/Maps/Application_FSecure-FSecure-F-Secure-Anti-Virus_103.map
@@ -40,9 +40,9 @@ Maps:
#
#
# 2 2024-01-06 18:57:21+00:00 user-pc User-PC\User F-Secure Anti-Virus
-# Malicious code found in file C:\Users\User\Downloads\mimikatz_trunk\Win32\mimilove.exe.
-# Infection: Heuristic.HEUR/AGEN.1221331
-# Action: The file was deleted.
+# Malicious code found in file C:\Users\User\Downloads\mimikatz_trunk\Win32\mimilove.exe.
+# Infection: Heuristic.HEUR/AGEN.1221331
+# Action: The file was deleted.
#
#
#
From 4427e2849de5a64c8c0641fbbe5d83587f2701e2 Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Sat, 1 Jun 2024 19:37:35 -0400
Subject: [PATCH 5/5] Update Application_Trellix-Endpoint-Security_3.map
remove one more trailing space
---
evtx/Maps/Application_Trellix-Endpoint-Security_3.map | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/evtx/Maps/Application_Trellix-Endpoint-Security_3.map b/evtx/Maps/Application_Trellix-Endpoint-Security_3.map
index 9e8f2b5..47bc3ff 100644
--- a/evtx/Maps/Application_Trellix-Endpoint-Security_3.map
+++ b/evtx/Maps/Application_Trellix-Endpoint-Security_3.map
@@ -44,7 +44,7 @@ Maps:
#
#
# EventID=1027
-#
+#
# DESKTOP-8EB4LCL\User ran C:\Program Files\7-Zip\7zG.exe, which attempted to access C:\Users\User\Downloads\1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b\1a69f2fcfe5b35bf44ea42a1efe89f18f6b0d522cbbea5c51bae93aff7d3188b.exe. The Trojan named Artemis!5FE4EA367CEE was detected and deleted.
#
#