Commit 326896d

Merge pull request #59 from forensenellanebbia/master
Added LogonIDs and ActivityIDs
2 parents b85d5b8 + 769473e commit 326896d

8 files changed: +58 −2 lines changed

evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1024.map

+8-1
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,14 @@ Maps:
1111
-
1212
Name: DestServer
1313
Value: "/Event/EventData/Data[@Name=\"Value\"]"
14-
14+
-
15+
Property: PayloadData6
16+
PropertyValue: "ActivityID: %ActivityID%"
17+
Values:
18+
-
19+
Name: ActivityID
20+
Value: "/Event/System/Correlation/@ActivityID"
21+
1522
# Documentation:
1623
# RDP ClientActiveX is trying to connect to the server ([Destination Host Name]).
1724
# https://cyber-tls.blogspot.com/2019/08/rdp.html
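Review bot: the Documentation block at the end of this hunk still describes only the connection attempt and says nothing about the new field; add a line such as `# ActivityID (/Event/System/Correlation/@ActivityID) is the correlation key shared by the RDPClient events of one connection attempt (see the 1027 map)` so a later maintainer knows PayloadData6 is a System-section attribute pulled for joining, not an EventData value like DestServer. Also worth stating in that comment what PayloadData6 looks like when an event carries no Correlation element (the XPath then resolves to nothing and the field is left as the bare `ActivityID: ` prefix, if the map engine substitutes an empty string), so nobody reads the empty value as a parsing bug.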

evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map

+8-1
@@ -11,7 +11,14 @@ Maps:
1111
-
1212
Name: DomainName
1313
Value: "/Event/EventData/Data[@Name=\"DomainName\"]"
14-
14+
-
15+
Property: PayloadData6
16+
PropertyValue: "ActivityID: %ActivityID%"
17+
Values:
18+
-
19+
Name: ActivityID
20+
Value: "/Event/System/Correlation/@ActivityID"
21+
1522
# Documentation:
1623
# https://cyber-tls.blogspot.com/2019/08/rdp.html
1724
# https://social.technet.microsoft.com/wiki/contents/articles/37847.rdp-direct-connection-with-nla-remote-desktop-client-event-logs.aspx
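Review bot: keep this block byte-identical to the one added to the 1024 map (same slot PayloadData6, same label `ActivityID: %ActivityID%`), since that shared label is what lets 1024 and 1027 be joined on a single field; a short comment above the new Values entry noting that this is the only Value in the file taken from `/Event/System/...` with an attribute selector (`@ActivityID`), while DomainName and the rest come from `Data[@Name=...]` elements, would prevent a future copy-paste into the EventData form. Please also confirm PayloadData4 and PayloadData5 are already populated above line 11 (not shown in the hunk), otherwise jumping to PayloadData6 leaves empty columns.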

evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4624.map

+7
@@ -41,6 +41,13 @@ Maps:
4141
-
4242
Name: LogonType
4343
Value: "/Event/EventData/Data[@Name=\"LogonType\"]"
44+
-
45+
Property: PayloadData3
46+
PropertyValue: "LogonId: %TargetLogonId%"
47+
Values:
48+
-
49+
Name: TargetLogonId
50+
Value: "/Event/EventData/Data[@Name=\"TargetLogonId\"]"
4451
-
4552
Property: ExecutableInfo
4653
PropertyValue: "%ProcessName%"
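Review bot: confirm that nothing earlier in this file already assigns PayloadData3; the new entry sits between LogonType and ExecutableInfo and the hunk does not show the preceding properties. TargetLogonId is the right field to expose: it identifies the session being created, which is the same value the 4634 and 4647 maps in this PR report as TargetLogonId and the 4672 map reports as SubjectLogonId, so the `LogonId: ` label and the PayloadData3 slot must stay identical across those four files for string-equality joins to work.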

evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4634.map

+7
@@ -21,6 +21,13 @@ Maps:
2121
-
2222
Name: LogonType
2323
Value: "/Event/EventData/Data[@Name=\"LogonType\"]"
24+
-
25+
Property: PayloadData3
26+
PropertyValue: "LogonId: %TargetLogonId%"
27+
Values:
28+
-
29+
Name: TargetLogonId
30+
Value: "/Event/EventData/Data[@Name=\"TargetLogonId\"]"
2431

2532
# Documentation:
2633
# https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
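Review bot: the Documentation section links only to the RDP tracking article and does not mention the new field; add one line stating that TargetLogonId here is the session being ended and matches the TargetLogonId (PayloadData3, `LogonId: ` label) that the 4624 map in this PR emits for the same session, so that the logon/logoff pairing is discoverable from the map itself rather than from this commit.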

evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4647.map

+7
@@ -14,6 +14,13 @@ Maps:
1414
-
1515
Name: TargetUserName
1616
Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
17+
-
18+
Property: PayloadData3
19+
PropertyValue: "LogonId: %TargetLogonId%"
20+
Values:
21+
-
22+
Name: TargetLogonId
23+
Value: "/Event/EventData/Data[@Name=\"TargetLogonId\"]"
1724

1825
# Documentation:
1926
# https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
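Review bot: placement right after TargetUserName is fine, and the label `LogonId: %TargetLogonId%` in PayloadData3 matches the 4624 and 4634 maps in this PR, so a 4624 → 4647 pair can be matched on PayloadData3 alone. Same documentation gap as the 4634 map: the comment block cites only the RDP article; a sentence saying that 4647 (user-initiated logoff) carries the session's TargetLogonId and that it equals the 4624 TargetLogonId would save the next reader a lookup.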

evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4672.map

+7
@@ -24,6 +24,13 @@ Maps:
2424
-
2525
Name: PrivilegeList
2626
Value: "/Event/EventData/Data[@Name=\"PrivilegeList\"]"
27+
-
28+
Property: PayloadData3
29+
PropertyValue: "LogonId: %SubjectLogonId%"
30+
Values:
31+
-
32+
Name: SubjectLogonId
33+
Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
2734

2835
# Documentation:
2936
# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4672
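Review bot: using `SubjectLogonId` here (4672 has no Target* data) while still labelling it `LogonId:` in PayloadData3, exactly as the 4624/4634/4647 maps in this PR do for TargetLogonId, is the correct choice: 4672's SubjectLogonId is the session ID the preceding 4624 reports as TargetLogonId, so the question "which privileged session was this?" becomes a single-field match. Please add a doc comment saying so, because the differing Data names (Subject vs Target) are easy to misread as two unrelated IDs and someone may later "fix" the label.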

evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4778.map

+7
@@ -26,6 +26,13 @@ Maps:
2626
Value: "/Event/EventData/Data[@Name=\"ClientName\"]"
2727
-
2828
Property: PayloadData1
29+
PropertyValue: "%SessionName%"
30+
Values:
31+
-
32+
Name: SessionName
33+
Value: "/Event/EventData/Data[@Name=\"SessionName\"]"
34+
-
35+
Property: PayloadData3
2936
PropertyValue: "LogonId: %LogonID%"
3037
Values:
3138
-
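Review bot: this hunk does more than add SessionName: it moves `LogonId: %LogonID%` out of PayloadData1 (old line 28) into a new PayloadData3 entry (new line 35) and puts `%SessionName%` into PayloadData1. Aligning 4778 with the 4624/4634/4647/4672 maps, where LogonId is PayloadData3, is sensible, but it changes the column that existing filters and saved queries on 4778 key on; the commit message ("Added LogonIDs and ActivityIDs") should say that LogonId was relocated for 4778/4779. Also check whether PayloadData2 is populated between the two, otherwise the output gains an empty column. The internal variable name `LogonID` (versus `TargetLogonId`/`SubjectLogonId` in the other maps) only affects readability of the map, not the output, so it can stay.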

evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4779.map

+7
@@ -26,6 +26,13 @@ Maps:
2626
Value: "/Event/EventData/Data[@Name=\"ClientName\"]"
2727
-
2828
Property: PayloadData1
29+
PropertyValue: "%SessionName%"
30+
Values:
31+
-
32+
Name: SessionName
33+
Value: "/Event/EventData/Data[@Name=\"SessionName\"]"
34+
-
35+
Property: PayloadData3
2936
PropertyValue: "LogonId: %LogonID%"
3037
Values:
3138
-
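Review bot: identical relocation to the 4778 hunk (LogonId from PayloadData1 to PayloadData3, SessionName into PayloadData1), which is what you want: with SessionName in PayloadData1 and LogonId in PayloadData3 on both maps, a 4778 reconnect and its 4779 disconnect match on the same two fields. Keep the two files in lockstep in future edits, and note the PayloadData1 → PayloadData3 move for 4779 in the commit message alongside 4778. Minor style point: `%SessionName%` is the only unlabelled PayloadData value in this PR while LogonId carries a `LogonId: ` prefix; if the project convention is to label everything beyond PayloadData1, this is already consistent, otherwise consider `SessionName: %SessionName%` for readability.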
