Automate new mappings file #73
tomnewman86
started this conversation in
Ideas
Replies: 1 comment
Yep, this is a good idea. It would need to be ported to Rust so that it can be run through the Chainsaw binary. I am finally working on cleaning the codebase today (Chainsaw 2.0), so that we can extend it more easily. This would be a good addition I think.
Currently working on a cool little script to help people who are new to the mappings file (as with most of these things, an idea that started to help me) and wanted to see if it generates any interest in discussions/ideas.
So the script is written in Python and will basically allow the user to run a command such as:

```
python create_new_map.py --module "Security" --file Security.evtx --event-id "4634" --fields "TargetUserName, TargetDomainName, LogonType" --title "Test Title"
```
The script will then scan the inputted Security.evtx file to ensure the id/fields exist, export them as YAML and map them to a template mappings.yml file.
You would be able to chain together innumerable EventIDs from the same evtx file, i.e.

```
--event-id 4634, 4672, 4624 --fields "TargetUserName,TargetDomainName,LogonType":"SubjectUserName,SubjectDomainName":"WorkstationName,ProcessName"
```

although I realise this could be quite cumbersome! It would create a file like (it would also include the template header keys, i.e. kind & exclusions):
I've got a PoC script put together and have it working with Security.evtx mappings only with hard coded input values at the minute. It's been a bit of a challenge but a lot of fun.
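The validation step the post describes (confirm the event ID and the requested fields actually occur in the log before writing a mapping entry), as an added example that is not the author's PoC script or Chainsaw's own code. The records are constructed inline in the XML form an EVTX parser renders rather than read from an .evtx file, and the emitted YAML keys and the `Event.EventData.<field>` path notation are an assumed template layout, not Chainsaw's mapping schema.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (one 4634 logoff, one 4624 logon); not real log data.
SAMPLE_RECORDS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4634</EventID></System>'
    '<EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">CORP'
    '</Data><Data Name="LogonType">3</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID></System>'
    '<EventData><Data Name="SubjectUserName">SYSTEM</Data><Data Name="WorkstationName">WS01'
    '</Data></EventData></Event>',
]

def parse_fields(spec):
    """Split a comma-separated --fields value, tolerating spaces after the commas."""
    return [f.strip() for f in spec.split(",") if f.strip()]

def scan(records, event_id):
    """Return (count, EventData field names) over records whose System/EventID matches."""
    count, seen = 0, set()
    for xml_text in records:
        root = ET.fromstring(xml_text)
        if root.findtext("e:System/e:EventID", namespaces=NS) != str(event_id):
            continue
        count += 1
        seen.update(d.get("Name") for d in root.findall("e:EventData/e:Data", NS))
    return count, seen

def missing_fields(records, event_id, fields):
    """Requested fields that never appear in a matching record (all of them if none match)."""
    count, seen = scan(records, event_id)
    return list(fields) if count == 0 else [f for f in fields if f not in seen]

def build_mapping(records, module, event_id, fields, title):
    """Validate the request against the log and return one mapping entry (assumed layout)."""
    missing = missing_fields(records, event_id, fields)
    if missing:
        raise ValueError(f"EventID {event_id}: fields not present in {module}: {missing}")
    return {"title": title, "module": module, "event_id": int(event_id),
            "fields": {f: f"Event.EventData.{f}" for f in fields}}

def to_yaml(entry):
    """Render the entry as a YAML list item without needing a third-party YAML library."""
    out = [f"- title: {entry['title']}", f"  module: {entry['module']}",
           f"  event_id: {entry['event_id']}", "  fields:"]
    out += [f"    {k}: {v}" for k, v in entry["fields"].items()]
    return "\n".join(out)
```

Requesting a field that no matching record carries (for example ProcessName against the 4634 records above) is rejected before anything is written, which is the check that keeps typos out of a generated mappings file.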