DFIR-03: RDP Authentication Artifacts

I created a Mindmap that represents different artifacts related to RDP authentication with NLA enabled or disabled to help collect and analyze forensic artifacts during DFIR engagements

You can find the original file in this awesome project called DFIRMindMaps maintained by Andrew Rathbun. Feel free to review and contribute.
RDP_DFIR.pdf
76KB
PDF
RDP Authentication Artifacts MindMap
Successful Remote Interactive Logon
Security
EID 4624
An account was successfully logged on
Logon Types
10
Successful User Account RemoteInteractive Logon
12
Successful User Account RemoteInteractive Logon Using Cached Credentials
7
Successful User Account RemoteInteractive Logon : Workstation was Unlocked
EID 4776
The domain controller attempted to validate the credentials for an account
Error Code
0x0
Successful Logon
This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
It shows successful and unsuccessful credential validation attempts.
Logon Account : the name of the account that had its credentials validated by the Authentication Package.
Source Workstation : The name of the computer from which the logon attempt originated.
TerminalServices-RemoteConnectionManager
EID 261
Listener X received a connection
Service listening for inbound connection requests over the RDP Protocol
EID 1149
Remote Desktop Services: User authentication succeeded
An Event ID 1149 DOES NOT indicate successful authentication to a target, simply a successful RDP network connection
If you specify the RestrictedAdmin option, the username and domain will be blank.
If you turn off NLA and log on with Rdesktop, ID 1149 will not be recorded.
EID 1158
Remote Desktop Services accepted a connection from IP address
This will be available in the Administrative log records
Will also display the source IP
TerminalServices-LocalSessionManager
EID 41
Begin session arbitration
Provides the session ID for potential correlations with other events
EID 42
End session arbitration
Provides the session ID for potential correlations with other events
EID 21
Remote Desktop Services: Session logon succeeded
If the source network address is not LOCAL the IP is the source of the remote authentication
Also provides the session ID
EID 22
Remote Desktop Services: Shell start notification received
If the source network address is not LOCAL the IP is the source of the Remote authentication
Also provides the session ID
EID 25
Remote Desktop Services: Session reconnection succeeded
Also provides the session ID
Also provides the source IP
EID 24
Remote Desktop Services: Session has been disconnecte
Also provides the session ID
Also provides the source IP
RemoteDesktopServices-RdpCoreTS
EID 131
The server accepted a new TCP connection from client SOURCE IP:PORT.
Unsuccessful Remote Interactive Logon
NLA Enabled
Security
NTLM
EID 4776
The domain controller attempted to validate the credentials for an account
Suspicious Error Codes
0xC0000064
User name does not exist
0xC0000070
User logon from unauthorized workstation
0xC0000072
User logon to account disabled by administrator
0xC000006F
User logon outside authorized hours
0xC0000413
Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
0xC000018C
The logon request failed because the trust relationship between the primary domain and the trusted domain failed
0xC000015B
The user has not been granted the requested logon type (aka logon right) at this machine
This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
It shows successful and unsuccessful credential validation attempts.
Logon Account : the name of the account that had its credentials validated by the Authentication Package.
Source Workstation : The name of the computer from which the logon attempt originated.
Kerberos
EID 4771
Kerberos pre-authentication failed
Account Name = Source host
Client Address = Source IP.
Common Failure Codes
0x6
Bad user name, or new computer/user account has not replicated to DC yet
0x7
New computer account has not replicated yet or computer is pre-w2k
0x9
administrator should reset the password on the account
0xC
Workstation restriction
0x12
Account disabled, expired, locked out, logon hours.
0x17
The user’s password has expired.
0x18
Usually means bad password
TerminalServices-RemoteConnectionManager
EID 1149
Remote Desktop Services: User authentication succeeded
An Event ID 1149 DOES NOT indicate successful authentication to a target, simply a successful RDP network connection
if username and domain are blank that can be due to the specification of RestrictedAdmin option
If you turn off NLA and log on with Rdesktop, ID 1149 will not be recorded.
EID 261
Listener X received a connection
Service listening for inbound connection requests over the RDP Protocol
RemoteDesktopServices-RdpCoreTS
EID 140
A connection from the client computer with an IP address of SOURCE IP failed because the user name or password is not correct.
Despite the event description it will only be recorded when the user name DOES NOT EXIST
For a username that exists use a correlation between EID 4625 & EID 131
EID 131
The server accepted a new TCP connection from client SOURCE IP:PORT.
Records the source IP of every RDP authentication attempt
To be correlated with EID 4625 in order to identify the source IP (depending on the OS version)
NLA Disabled
Security
EID 4625
An account failed to log on
Logon Type = 10
Client Address = Source IP (depending on the OS version)
Account Name
RemoteDesktopServices-RdpCoreTS
EID 140
A connection from the client computer with an IP address of SOURCE IP failed because the user name or password is not correct.
Despite the event description it will only be recorded when the user name DOES NOT EXIST
For a username that exists use a correlation between EID 4625 & EID 131
EID 131
The server accepted a new TCP connection from client SOURCE IP:PORT.
Records the source IP of every RDP authentication attempt
To be correlated with EID 4625 in order to identify the source IP (depending on the OS version)
Other events
Security
EID 4778
A session was reconnected to a Window Station
Account Name
Source IP
EID 4779
A session was disconnected from a Window Station
Account Name
Source IP
EID 4688
Process Creation
rdpclip.exe
References
​https://purerds.org/remote-desktop-security/auditing-remote-desktop-services-logon-failures-1/​
​https://port139.hatenablog.com/entry/2019/03/23/091740​
​https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/​
​https://www.13cubed.com/downloads/rdp_flowchart.pdf​
​https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/​

DFIR - Previous

DFIR-02 : Journal Forensics

Next - ☢️ DEATH : Detection Engineering And Threat Hunting

TA0006 : Credential Access

Last modified 1mo ago

Copy link

Contents

Successful Remote Interactive Logon

Unsuccessful Remote Interactive Logon

Other events

References