New maps

evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_72.map

@@ -0,0 +1,46 @@
+Author: Gabriele Zambelli @gazambelli
+Description: RDP Interface method called
+EventId: 72
+Channel: "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
+Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "MethodName: %MethodName%"
+    Values:
+      -
+        Name: MethodName
+        Value: "/Event/EventData/Data[@Name=\"MethodName\"]"
+  -
+    Property: PayloadData6
+    PropertyValue: "ActivityID: %ActivityID%"
+    Values:
+      -
+        Name: ActivityID
+        Value: "/Event/System/Correlation/@ActivityID"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" Guid="1139c61b-b549-4251-8ed3-27250a1edec8" />
+#     <EventID>72</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>4</Task>
+#     <Opcode>13</Opcode>
+#     <Keywords>0x4000000000000000</Keywords>
+#     <TimeCreated SystemTime="2022-04-23 11:44:37.3566971" />
+#     <EventRecordID>11409</EventRecordID>
+#     <Correlation ActivityID="f4208bf0-2762-4e4d-aaa4-c2ff68b20000" />
+#     <Execution ProcessID="64" ThreadID="1988" />
+#     <Channel>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</Channel>
+#     <Computer>HOSTNAME</Computer>
+#     <Security UserID="S-1-5-20" />
+#   </System>
+#   <EventData>
+#     <Data Name="MethodName">OnDisconnected(server initiated)</Data>
+#   </EventData>
+# </Event>

evtx/Maps/Microsoft-Windows-SmbClient-Connectivity_Microsoft-Windows-SMBClient_30806.map

@@ -0,0 +1,58 @@
+Author: Gabriele Zambelli @gazambelli
+Description: "SMB Client: The client re-established its session to the server"
+EventId: 30806
+Channel: "Microsoft-Windows-SmbClient/Connectivity"
+Provider: Microsoft-Windows-SMBClient
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "TargetServerAddress: %Address%"
+    Values:
+      -
+        Name: Address
+        Value: "/Event/EventData/Data[@Name=\"Address\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "TargetServerName: %ServerName%"
+    Values:
+      -
+        Name: ServerName
+        Value: "/Event/EventData/Data[@Name=\"ServerName\"]"
+  -
+    Property: PayloadData4
+    PropertyValue: "SessionId: %SessionId%"
+    Values:
+      -
+        Name: SessionId
+        Value: "/Event/EventData/Data[@Name=\"SessionId\"]"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-SMBClient" Guid="988c59c5-0a1c-45b6-a555-0c62276e327d" />
+#     <EventID>30806</EventID>
+#     <Version>2</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x400000000000040</Keywords>
+#     <TimeCreated SystemTime="2018-11-13 10:08:12.7591797" />
+#     <EventRecordID>71</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="4" ThreadID="1012" />
+#     <Channel>Microsoft-Windows-SmbClient/Connectivity</Channel>
+#     <Computer>HOSTNAME</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data Name="Status">0</Data>
+#     <Data Name="SessionId">52776558133260</Data>
+#     <Data Name="TreeId">0</Data>
+#     <Data Name="ServerNameLength">17</Data>
+#     <Data Name="ServerName">\SERVERNAME.local</Data>
+#     <Data Name="AddressLength">16</Data>
+#     <Data Name="Address">port IP address in hex</Data>
+#   </EventData>

evtx/Maps/Microsoft-Windows-SmbClient-Security_Microsoft-Windows-SMBClient_31001.map

@@ -0,0 +1,106 @@
+Author: Gabriele Zambelli @gazambelli
+Description: "SMB Client: DiagReasonISC"
+EventId: 31001
+Channel: Microsoft-Windows-SmbClient/Security
+Provider: Microsoft-Windows-SMBClient
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "Target: %UserName%"
+    Values:
+      -
+        Name: UserName
+        Value: "/Event/EventData/Data[@Name=\"UserName\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "TargetServerName: %ServerName%"
+    Values:
+      -
+        Name: ServerName
+        Value: "/Event/EventData/Data[@Name=\"ServerName\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "Status: %Status%"
+    Values:
+      -
+        Name: Status
+        Value: "/Event/EventData/Data[@Name=\"Status\"]"
+
+Lookups:
+  -
+    Name: Status
+    Default: Unknown code
+    Values:
+      0xC000005E: there are currently no logon servers available to service the logon request
+      3221225566: there are currently no logon servers available to service the logon request
+      0xC0000064: user name does not exist
+      3221225572: user name does not exist
+      0xC000006A: user name is correct but the password is wrong
+      3221225578: user name is correct but the password is wrong
+      0xC000006D: the cause is either a bad username or authentication information
+      3221225581: the cause is either a bad username or authentication information
+      0xC000006E: some user account restriction has prevented successful authentication
+      3221225582: some user account restriction has prevented successful authentication
+      0xC000006F: user logon outside authorized hours
+      3221225583: user logon outside authorized hours
+      0xC0000070: user logon from unauthorized workstation
+      3221225584: user logon from unauthorized workstation
+      0xC0000071: user logon with expired password
+      3221225585: user logon with expired password
+      0xC0000072: user logon to account disabled by administrator
+      3221225586: user logon to account disabled by administrator
+      0xC00000DC: indicates the Sam Server was in the wrong state to perform the desired operation
+      3221225692: indicates the Sam Server was in the wrong state to perform the desired operation
+      0xC0000133: clocks between DC and other computer too far out of sync
+      3221225779: clocks between DC and other computer too far out of sync
+      0xC000015B: the user has not been granted the requested logon type at this machine
+      3221225819: the user has not been granted the requested logon type at this machine
+      0xC000018C: the trust relationship between the primary domain and the trusted domain failed
+      3221225868: the trust relationship between the primary domain and the trusted domain failed
+      0xC0000192: an attempt was made to logon, but the Netlogon service was not started.
+      3221225874: an attempt was made to logon, but the Netlogon service was not started.
+      0xC0000193: user logon with expired account
+      3221225875: user logon with expired account
+      0xC0000224: user is required to change password at next logon
+      3221226020: user is required to change password at next logon
+      0xC0000225: evidently a bug in Windows and not a risk
+      3221226021: evidently a bug in Windows and not a risk
+      0xC0000234: user is currently locked out
+      3221226036: user is currently locked out
+      0x0: Status OK
+      0: Status OK
+
+# Documentation:
+# Failure Information: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
+#
+# Example Event Data:
+# <Event>
+# <System>
+# <Provider Name="Microsoft-Windows-SMBClient" Guid="988c59c5-0a1c-45b6-a555-0c62276e327d" />
+# <EventID>31001</EventID>
+# <Version>0</Version>
+# <Level>2</Level>
+# <Task>0</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x200000000000080</Keywords>
+# <TimeCreated SystemTime="2022-08-20 14:12:22.7316532" />
+# <EventRecordID>22</EventRecordID>
+# <Correlation />
+# <Execution ProcessID="4" ThreadID="4912" />
+# <Channel>Microsoft-Windows-SmbClient/Security</Channel>
+# <Computer>HOSTNAME</Computer>
+# <Security UserID="S-1-5-18" />
+# </System>
+# <EventData>
+#   <Data Name="Reason">10</Data>
+#   <Data Name="Status">3221225581</Data>
+#   <Data Name="SecurityStatus">3221225581</Data>
+#   <Data Name="LogonId">474190795</Data>
+#   <Data Name="ServerNameLength">17</Data>
+#   <Data Name="ServerName">\SERVERNAME.local</Data>
+#   <Data Name="PrincipalNameLength">21</Data>
+#   <Data Name="PrincipalName">cifs/SERVERNAME.local</Data>
+#   <Data Name="UserNameLength">8</Data>
+#   <Data Name="UserName">USERNAME</Data>
+# </EventData>
+# </Event>

evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_41.map

@@ -0,0 +1,56 @@
+Author: Gabriele Zambelli @gazambelli
+Description: RDP Begin session arbitration
+EventId: 41
+Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
+Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "Target: %User%"
+    Values:
+      -
+        Name: User
+        Value: "/Event/UserData/EventXML/User"
+  -
+    Property: PayloadData2
+    PropertyValue: "Session ID: %SessionID%"
+    Values:
+      -
+        Name: SessionID
+        Value: "/Event/UserData/EventXML/SessionID"
+  -
+    Property: PayloadData6
+    PropertyValue: "ActivityID: %ActivityID%"
+    Values:
+      -
+        Name: ActivityID
+        Value: "/Event/System/Correlation/@ActivityID"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager" Guid="5d896912-022d-40aa-a3a8-4fa5515c76d7" />
+#     <EventID>41</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x1000000000000000</Keywords>
+#     <TimeCreated SystemTime="2020-10-25 18:43:45.0236615" />
+#     <EventRecordID>33</EventRecordID>
+#     <Correlation ActivityID="61a55000-55e5-1017-0000-000000000000" />
+#     <Execution ProcessID="820" ThreadID="3196" />
+#     <Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
+#     <Computer>HOSTNAME</Computer>
+#     <Security UserID="S-1-5-18" />
+#   </System>
+#   <UserData>
+#     <EventXML>
+#       <User>HOSTNAME\Administrator</User>
+#       <SessionID>1</SessionID>
+#     </EventXML>
+#   </UserData>
+# </Event>

evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1105.map

@@ -0,0 +1,37 @@
+Author: Gabriele Zambelli @gazambelli
+Description: RDP the multi-transport connection has been disconnected
+EventId: 1105
+Channel: Microsoft-Windows-TerminalServices-RDPClient/Operational
+Provider: Microsoft-Windows-TerminalServices-ClientActiveXCore
+Maps:
+  -
+    Property: PayloadData6
+    PropertyValue: "ActivityID: %ActivityID%"
+    Values:
+      -
+        Name: ActivityID
+        Value: "/Event/System/Correlation/@ActivityID"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-TerminalServices-ClientActiveXCore" Guid="28aa95bb-d444-4719-a36f-40462168127e" />
+#     <EventID>1105</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>101</Task>
+#     <Opcode>10</Opcode>
+#     <Keywords>0x4000000000000000</Keywords>
+#     <TimeCreated SystemTime="2022-02-07 20:55:05.6941087" />
+#     <EventRecordID>5</EventRecordID>
+#     <Correlation ActivityID="b2a18fda-2606-46c1-9ab8-b4c86dd20000" />
+#     <Execution ProcessID="7024" ThreadID="6964" />
+#     <Channel>Microsoft-Windows-TerminalServices-RDPClient/Operational</Channel>
+#     <Computer>HOSTNAME</Computer>
+#     <Security UserID="S-1-5-21-1018296586-1262379815-4003437281-500" />
+#   </System>
+#   <EventData></EventData>
+# </Event>

evtx/Maps/Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_50_Current.map

@@ -0,0 +1,55 @@
+Author: Gabriele Zambelli @gazambelli
+Description: Performing Create VHD
+EventId: 50
+Channel: Microsoft-Windows-VHDMP-Operational
+Provider: Microsoft-Windows-VHDMP
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "VhdMetaOps: %VhdMetaOps%"
+    Values:
+      -
+        Name: VhdMetaOps
+        Value: "/Event/EventData/Data[@Name=\"VhdMetaOps\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "VhdName: %VhdFileName%"
+    Values:
+      -
+        Name: VhdFileName
+        Value: "/Event/EventData/Data[@Name=\"VhdFileName\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "TargetVhdFileName: %TargetVhdFileName%"
+    Values:
+      -
+        Name: TargetVhdFileName
+        Value: "/Event/EventData/Data[@Name=\"TargetVhdFileName\"]"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-VHDMP" Guid="e2816346-87f4-4f85-95c3-0c79409aa89d" />
+#     <EventID>50</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x8000000000000000</Keywords>
+#     <TimeCreated SystemTime="2022-06-18 18:08:56.0108994" />
+#     <EventRecordID>1</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="4864" ThreadID="3524" />
+#     <Channel>Microsoft-Windows-VHDMP-Operational</Channel>
+#     <Computer>VM-WS2019</Computer>
+#     <Security UserID="S-1-5-21-1018296586-1262379815-4003437281-500" />
+#   </System>
+#   <EventData>
+#     <Data Name="VhdMetaOps">Create</Data>
+#     <Data Name="VhdFileName">C:\Users\Administrator\Documents\TEST.vhdx</Data>
+#     <Data Name="TargetVhdFileName"></Data>
+#   </EventData>
+# </Event>