Create TerminalServices-Gateway Maps

evtx/Maps/Microsoft-Windows-TerminalServices-Gateway-Operational_Microsoft-Windows-TerminalServices-Gateway_300.map

@@ -0,0 +1,90 @@
+Author: Andrew Rathbun and Matt Arbaugh
+Description: "Remote Desktop Services: User meets resource authorization policy requirements needed to connect to resource"
+EventId: 300
+Channel: Microsoft-Windows-TerminalServices-Gateway/Operational
+Provider: Microsoft-Windows-TerminalServices-Gateway
+Maps:
+  -
+    Property: UserName
+    PropertyValue: "%Username%"
+    Values:
+      -
+        Name: Username
+        Value: "/Event/UserData/EventInfo/Username"
+  -
+    Property: RemoteHost
+    PropertyValue: "%Address%"
+    Values:
+      -
+        Name: Address
+        Value: "/Event/UserData/EventXML/Address"
+  -
+    Property: PayloadData1
+    PropertyValue: "%Username% on client computer %IpAddress% met resource authorization policy requirements and was therefore authorized to connect to %Resource%"
+    Values:
+      -
+        Name: Username
+        Value: "/Event/UserData/EventInfo/Username"
+      -
+        Name: IpAddress
+        Value: "/Event/UserData/EventInfo/IpAddress"
+      -
+        Name: Resource
+        Value: "/Event/UserData/EventInfo/Resource"
+  -
+    Property: PayloadData4
+    PropertyValue: "ErrorCode: %ErrorCode%"
+    Values:
+      -
+        Name: ErrorCode
+        Value: "/Event/UserData/EventInfo/ErrorCode"
+  -
+    Property: PayloadData5
+    PropertyValue: "ConnectionProtocol: %ConnectionProtocol%"
+    Values:
+      -
+        Name: ConnectionProtocol
+        Value: "/Event/UserData/EventInfo/ConnectionProtocol"
+  -
+    Property: PayloadData6
+    PropertyValue: "AuthType: %AuthType%"
+    Values:
+      -
+        Name: AuthType
+        Value: "/Event/UserData/EventInfo/AuthType"
+
+# Documentation:
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc775364(v=ws.10)?redirectedfrom=MSDN
+# https://kb.eventtracker.com/evtpass/evtpages/EventId_300_Microsoft-Windows-TerminalServices-Gateway_67336.asp
+# https://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Egy%C3%A9b%20biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/TS%20Gateway%20Step-By-Step%20Guide.pdf
+# https://system32.eventsentry.com/codes/field/Windows
+#
+# Example Event Data:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="4d5ae6a1-c7c8-4e6d-b840-4d8080b42e1b" />
+#     <EventID>300</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>5</Task>
+#     <Opcode>30</Opcode>
+#     <Keywords>0x4020000001000000</Keywords>
+#     <TimeCreated SystemTime="2021-05-16 20:13:17.4272057" />
+#     <EventRecordID>1251305</EventRecordID>
+#     <Correlation ActivityID="3fb80caa-2356-43c8-9991-b852526f2500" />
+#     <Execution ProcessID="2040" ThreadID="1888" />
+#     <Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel>
+#     <Computer>HOSTNAME.domain.com</Computer>
+#     <Security UserID="S-1-5-20" />
+#   </System>
+#   <UserData>
+#     <EventInfo>
+#       <Username>DOMAIN\username</Username>
+#       <IpAddress>172.16.2.13</IpAddress>
+#       <AuthType></AuthType>
+#       <Resource>HOSTNAME.domain.com</Resource>
+#       <ConnectionProtocol></ConnectionProtocol>
+#       <ErrorCode>0</ErrorCode>
+#     </EventInfo>
+#   </UserData>
+# </Event>

evtx/Maps/Microsoft-Windows-TerminalServices-Gateway-Operational_Microsoft-Windows-TerminalServices-Gateway_302.map

@@ -0,0 +1,90 @@
+Author: Andrew Rathbun and Matt Arbaugh
+Description: "Remote Desktop Services: User connected to resource"
+EventId: 302
+Channel: Microsoft-Windows-TerminalServices-Gateway/Operational
+Provider: Microsoft-Windows-TerminalServices-Gateway
+Maps:
+  -
+    Property: UserName
+    PropertyValue: "%Username%"
+    Values:
+      -
+        Name: Username
+        Value: "/Event/UserData/EventInfo/Username"
+  -
+    Property: RemoteHost
+    PropertyValue: "%Address%"
+    Values:
+      -
+        Name: Address
+        Value: "/Event/UserData/EventXML/Address"
+  -
+    Property: PayloadData1
+    PropertyValue: "%Username% on client computer %IpAddress% connected to %Resource%"
+    Values:
+      -
+        Name: Username
+        Value: "/Event/UserData/EventInfo/Username"
+      -
+        Name: IpAddress
+        Value: "/Event/UserData/EventInfo/IpAddress"
+      -
+        Name: Resource
+        Value: "/Event/UserData/EventInfo/Resource"
+  -
+    Property: PayloadData4
+    PropertyValue: "ErrorCode: %ErrorCode%"
+    Values:
+      -
+        Name: ErrorCode
+        Value: "/Event/UserData/EventInfo/ErrorCode"
+  -
+    Property: PayloadData5
+    PropertyValue: "ConnectionProtocol: %ConnectionProtocol%"
+    Values:
+      -
+        Name: ConnectionProtocol
+        Value: "/Event/UserData/EventInfo/ConnectionProtocol"
+  -
+    Property: PayloadData6
+    PropertyValue: "AuthType: %AuthType%"
+    Values:
+      -
+        Name: AuthType
+        Value: "/Event/UserData/EventInfo/AuthType"
+
+# Documentation:
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc775263(v=ws.10)?redirectedfrom=MSDN
+# https://kb.eventtracker.com/evtpass/evtpages/EventId_302_Microsoft-Windows-TerminalServices-Gateway_67351.asp
+# https://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Egy%C3%A9b%20biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/TS%20Gateway%20Step-By-Step%20Guide.pdf
+# https://system32.eventsentry.com/codes/field/Windows
+#
+# Example Event Data:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="4d5ae6a1-c7c8-4e6d-b840-4d8080b42e1b" />
+#     <EventID>302</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>5</Task>
+#     <Opcode>30</Opcode>
+#     <Keywords>0x4020000001000000</Keywords>
+#     <TimeCreated SystemTime="2021-05-16 20:13:17.4272057" />
+#     <EventRecordID>1251305</EventRecordID>
+#     <Correlation ActivityID="3fb80caa-2356-43c8-9991-b852526f2500" />
+#     <Execution ProcessID="2040" ThreadID="1888" />
+#     <Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel>
+#     <Computer>HOSTNAME.domain.com</Computer>
+#     <Security UserID="S-1-5-20" />
+#   </System>
+#   <UserData>
+#     <EventInfo>
+#       <Username>DOMAIN\username</Username>
+#       <IpAddress>172.16.2.13</IpAddress>
+#       <AuthType></AuthType>
+#       <Resource>HOSTNAME.domain.com</Resource>
+#       <ConnectionProtocol>UDP</ConnectionProtocol>
+#       <ErrorCode>0</ErrorCode>
+#     </EventInfo>
+#   </UserData>
+# </Event>

evtx/Maps/Microsoft-Windows-TerminalServices-Gateway-Operational_Microsoft-Windows-TerminalServices-Gateway_303.map

@@ -0,0 +1,113 @@
+Author: Andrew Rathbun and Matt Arbaugh
+Description: "Remote Desktop Services: User disconnected from resource"
+EventId: 303
+Channel: Microsoft-Windows-TerminalServices-Gateway/Operational
+Provider: Microsoft-Windows-TerminalServices-Gateway
+Maps:
+  -
+    Property: UserName
+    PropertyValue: "%Username%"
+    Values:
+      -
+        Name: Username
+        Value: "/Event/UserData/EventInfo/Username"
+  -
+    Property: RemoteHost
+    PropertyValue: "%Address%"
+    Values:
+      -
+        Name: Address
+        Value: "/Event/UserData/EventXML/Address"
+  -
+    Property: PayloadData1
+    PropertyValue: "%Username% on client computer %IpAddress% disconnected from %Resource%"
+    Values:
+      -
+        Name: Username
+        Value: "/Event/UserData/EventInfo/Username"
+      -
+        Name: IpAddress
+        Value: "/Event/UserData/EventInfo/IpAddress"
+      -
+        Name: Resource
+        Value: "/Event/UserData/EventInfo/Resource"
+  -
+    Property: PayloadData2
+    PropertyValue: "Before %Username% disconnected, the client transferred %BytesTransfered% bytes and received %BytesReceived% bytes"
+    Values:
+      -
+        Name: Username
+        Value: "/Event/UserData/EventInfo/Username"
+      -
+        Name: BytesTransfered
+        Value: "/Event/UserData/EventInfo/BytesTransfered"
+      -
+        Name: BytesReceived
+        Value: "/Event/UserData/EventInfo/BytesReceived"
+  -
+    Property: PayloadData3
+    PropertyValue: "The client session duration was %SessionDuration% seconds"
+    Values:
+      -
+        Name: SessionDuration
+        Value: "/Event/UserData/EventInfo/SessionDuration"
+  -
+    Property: PayloadData4
+    PropertyValue: "ErrorCode: %ErrorCode%"
+    Values:
+      -
+        Name: ErrorCode
+        Value: "/Event/UserData/EventInfo/ErrorCode"
+  -
+    Property: PayloadData5
+    PropertyValue: "ConnectionProtocol: %ConnectionProtocol%"
+    Values:
+      -
+        Name: ConnectionProtocol
+        Value: "/Event/UserData/EventInfo/ConnectionProtocol"
+  -
+    Property: PayloadData6
+    PropertyValue: "AuthType: %AuthType%"
+    Values:
+      -
+        Name: AuthType
+        Value: "/Event/UserData/EventInfo/AuthType"
+
+# Documentation:
+# https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc775326(v=ws.10)?redirectedfrom=MSDN
+# https://kb.eventtracker.com/evtpass/evtpages/EventId_303_Microsoft-Windows-TerminalServices-Gateway_67337.asp
+# https://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Egy%C3%A9b%20biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/TS%20Gateway%20Step-By-Step%20Guide.pdf
+# https://system32.eventsentry.com/codes/field/Windows
+#
+# Example Event Data:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="4d5ae6a1-c7c8-4e6d-b840-4d8080b42e1b" />
+#     <EventID>303</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>5</Task>
+#     <Opcode>30</Opcode>
+#     <Keywords>0x4020000001000000</Keywords>
+#     <TimeCreated SystemTime="2021-05-16 20:13:17.4272057" />
+#     <EventRecordID>1251305</EventRecordID>
+#     <Correlation ActivityID="3fb80caa-2356-43c8-9991-b852526f2500" />
+#     <Execution ProcessID="2040" ThreadID="1888" />
+#     <Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel>
+#     <Computer>HOSTNAME.domain.com</Computer>
+#     <Security UserID="S-1-5-20" />
+#   </System>
+#   <UserData>
+#     <EventInfo>
+#       <Username>DOMAIN\username</Username>
+#       <IpAddress>172.16.2.13</IpAddress>
+#       <AuthType></AuthType>
+#       <Resource>HOSTNAME.domain.com</Resource>
+#       <BytesReceived>4900</BytesReceived>
+#       <BytesTransfered>2102</BytesTransfered>
+#       <SessionDuration>168</SessionDuration>
+#       <ConnectionProtocol>UDP</ConnectionProtocol>
+#       <ErrorCode>1226</ErrorCode>
+#     </EventInfo>
+#   </UserData>
+# </Event>

evtx/Maps/Microsoft-Windows-TerminalServices-Gateway-Operational_Microsoft-Windows-TerminalServices-Gateway_312.map

@@ -0,0 +1,60 @@
+Author: Andrew Rathbun and Matt Arbaugh
+Description: "Remote Desktop Services: User has initiated an outbound connection"
+EventId: 312
+Channel: Microsoft-Windows-TerminalServices-Gateway/Operational
+Provider: Microsoft-Windows-TerminalServices-Gateway
+Maps:
+  -
+    Property: UserName
+    PropertyValue: "%Username%"
+    Values:
+      -
+        Name: Username
+        Value: "/Event/UserData/EventInfo/Username"
+  -
+    Property: RemoteHost
+    PropertyValue: "%Address%"
+    Values:
+      -
+        Name: Address
+        Value: "/Event/UserData/EventXML/Address"
+  -
+    Property: PayloadData1
+    PropertyValue: "%Username% on client computer %IpAddress% has initiated an outbound connection that has yet to be authenticated"
+    Values:
+      -
+        Name: Username
+        Value: "/Event/UserData/EventInfo/Username"
+      -
+        Name: IpAddress
+        Value: "/Event/UserData/EventInfo/IpAddress"
+
+# Documentation:
+# http://c-nergy.be/blog/?p=8187
+# https://social.technet.microsoft.com/Forums/en-US/33d980c9-5c3a-43d7-a6e9-72bed9cbf165/rds-2016-gateway-error-event-id-312-quotthe-user-quotabcxyzcomquot-on-client-computer?forum=winserverTS
+#
+# Example Event Data:
+# <Event>
+#   <System>
+#     <Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="4d5ae6a1-c7c8-4e6d-b840-4d8080b42e1b" />
+#     <EventID>312</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>5</Task>
+#     <Opcode>30</Opcode>
+#     <Keywords>0x4020000001000000</Keywords>
+#     <TimeCreated SystemTime="2021-05-16 20:13:17.4272057" />
+#     <EventRecordID>1251305</EventRecordID>
+#     <Correlation ActivityID="3fb80caa-2356-43c8-9991-b852526f2500" />
+#     <Execution ProcessID="2040" ThreadID="1888" />
+#     <Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel>
+#     <Computer>HOSTNAME.domain.com</Computer>
+#     <Security UserID="S-1-5-20" />
+#   </System>
+#   <UserData>
+#     <EventInfo>
+#       <Username>username@DOMAIN</Username>
+#       <IpAddress>172.16.2.13</IpAddress>
+#     </EventInfo>
+#   </UserData>
+# </Event>