From 1003abcfd49e86c5dc374ab3ea9e53bd8870855b Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Wed, 27 Jul 2022 09:57:39 -0400
Subject: [PATCH] Create
 Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_104.map

---
 ...ws-RemoteDesktopServices-RdpCoreTS_104.map | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_104.map

diff --git a/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_104.map b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_104.map
new file mode 100644
index 00000000..c0613ee5
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_104.map
@@ -0,0 +1,36 @@
+Author: Andrew Rathbun
+Description: Client timezone bias from UTC
+EventId: 104
+Channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
+Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "TimeZoneBias: %TimezoneBiasHour%"
+    Values:
+      -
+        Name: TimezoneBiasHour
+        Value: "/Event/EventData/Data[@Name=\"TimezoneBiasHour\"]"
+
+# Documentation:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" Guid="1139c61b-b549-4251-8ed3-27250a1edec8" />
+#     <EventID>104</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>4</Task>
+#     <Opcode>15</Opcode>
+#     <Keywords>0x4000000000000000</Keywords>
+#     <TimeCreated SystemTime="2022-06-19 22:13:24.3764706" />
+#     <EventRecordID>147284</EventRecordID>
+#     <Correlation ActivityID="f420b856-485f-46cb-bc3f-fc215da30000" />
+#     <Execution ProcessID="1337" ThreadID="5832" />
+#     <Channel>Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational</Channel>
+#     <Computer>HOSTNAME.domain</Computer>
+#     <Security UserID="S-1-5-20" />
+#   </System>
+#   <EventData>
+#     <Data Name="TimezoneBiasHour">[-7]</Data>
+#   </EventData>
+# </Event>