Data Source: Windows Event Log CAPI2 81

Description

Data source object for Windows Event Log CAPI2 event ID 81, collected from the Microsoft-Windows-CAPI2/Operational channel. In the example log below, the event records a WinVerifyTrust check of an executable that ended with result 80096010 ("The digital signature of the object did not verify.").

Details

Property Value
Source XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
Sourcetype xmlwineventlog
Separator EventCode

Supported Apps

Event Fields

Fields
_time
Channel
Computer
EventCode
EventID
EventRecordID
Guid
Keywords
Level
Name
Opcode
ProcessID
RecordNumber
SystemTime
System_Props_Xml
Task
ThreadID
UserData_Xml
UserID
Version
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
dvc
dvc_nt_host
event_id
eventtype
host
id
index
linecount
punct
signature_id
source
sourcetype
splunk_server
tag
tag::eventtype
timeendpos
timestartpos
user_id
vendor_product

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-CAPI2' Guid='{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}'/><EventID>81</EventID><Version>0</Version><Level>2</Level><Task>80</Task><Opcode>2</Opcode><Keywords>0x4000000000000040</Keywords><TimeCreated SystemTime='2023-10-10T21:05:45.047550700Z'/><EventRecordID>2400597</EventRecordID><Correlation/><Execution ProcessID='2424' ThreadID='2868'/><Channel>Microsoft-Windows-CAPI2/Operational</Channel><Computer>mswin-server.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><UserData><WinVerifyTrust><ActionID>{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}</ActionID><UIChoice value='2'>WTD_UI_NONE</UIChoice><RevocationCheck value='0'/><StateAction value='1'>WTD_STATEACTION_VERIFY</StateAction><Flags value='80001000' WTD_CACHE_ONLY_URL_RETRIEVAL='true' CPD_USE_NT5_CHAIN_FLAG='true'/><FileInfo filePath='C:\Users\Administrator\Downloads\metatwin-master\metatwin-master\20231010_210331\20231010_210331_signed_mimikatz.exe' hasFileHandle='true'/><DigestInfo digestAlgorithm='SHA256' digest='140E97430439F7B8E2332E928581996A701C28D3D33FBC80BCAA2F731F9FEE8D'/><RegPolicySetting value='23C00' WTPF_OFFLINEOK_IND='true' WTPF_OFFLINEOK_COM='true' WTPF_OFFLINEOKNBU_IND='true' WTPF_OFFLINEOKNBU_COM='true' WTPF_IGNOREREVOCATIONONTS='true'/><SignatureSettingsFlags value='20000000' WSS_OUT_FILE_SUPPORTS_SEAL='true'/><SignerInfo><DigestAlgorithm oid='2.16.840.1.101.3.4.2.1' hashName='SHA256'/></SignerInfo><CertificateChain chainRef='{D7D21F37-6E0D-440C-9DF2-E73BC40CD4BF}'/><TimestampInfo format='RFC 3161'><DigestAlgorithm oid='2.16.840.1.101.3.4.2.1' hashName='SHA256'/><SignTime>2021-01-07T23:21:42.655Z</SignTime></TimestampInfo><TimestampChain chainRef='{2BDF7F75-D825-45BA-BC57-1F5E52274842}'/><StepError stepID='32' stepName='TRUSTERROR_STEP_FINAL_OBJPROV'><Result value='80096010'>The digital signature of the object did not verify.</Result></StepError><EventAuxInfo ProcessName='sysmon64.exe'/><CorrelationAuxInfo TaskId='{44B713F2-FA74-49B2-B3C1-99E5FD2F1667}' SeqNumber='9'/><Result value='80096010'>The digital signature of the object did not verify.</Result></WinVerifyTrust></UserData></Event>

Source: GitHub | Version: 1