# DFIR-03: RDP Authentication Artifacts You can find the original file in this awesome project called [**DFIRMindMaps** ](https://github.com/rathbuna/DFIRMindMaps/tree/main/OSArtifacts/Windows/RDP_Authentication_Artifacts)maintained by [**Andrew Rathbun**](https://twitter.com/bunsofwrath12). Feel free to review and contribute. {% file src="" %} ![RDP Authentication Artifacts MindMap](https://1286158324-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO79pt4NiZPFhlGCglR%2F-MjE1H5Ix_jKQCb5B10O%2F-MjE1gN6rD5p8VQu_v5d%2FRDP_DFIR.png?alt=media\&token=a777c846-36e0-4cf8-8499-e2c6f1ab4202) ### **Successful Remote Interactive Logon** #### **Security** * **EID 4624** * An account was successfully logged on * Logon Types * 10 * Successful User Account RemoteInteractive Logon * 12 * Successful User Account RemoteInteractive Logon Using Cached Credentials * 7 * Successful User Account RemoteInteractive Logon : Workstation was Unlocked * **EID 4776** * The domain controller attempted to validate the credentials for an account * Error Code * *0x0* * Successful Logon * This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. * It shows successful and unsuccessful credential validation attempts. * Logon Account : the name of the account that had its credentials validated by the Authentication Package. * Source Workstation : The name of the computer from which the logon attempt originated. #### **TerminalServices-RemoteConnectionManager** * **EID 261** * Listener X received a connection * Service listening for inbound connection requests over the RDP Protocol * **EID 1149** * Remote Desktop Services: User authentication succeeded * An Event ID 1149 DOES NOT indicate successful authentication to a target, simply a successful RDP network connection * If you specify the RestrictedAdmin option, the username and domain will be blank. * If you turn off NLA and log on with Rdesktop, ID 1149 will not be recorded. * **EID 1158** * Remote Desktop Services accepted a connection from IP address * This will be available in the Administrative log records * Will also display the source IP #### **TerminalServices-LocalSessionManager** * **EID 41** * Begin session arbitration * Provides the session ID for potential correlations with other events * **EID 42** * End session arbitration * Provides the session ID for potential correlations with other events * **EID 21** * Remote Desktop Services: Session logon succeeded * If the source network address is not LOCAL the IP is the source of the remote authentication * Also provides the session ID * **EID 22** * Remote Desktop Services: Shell start notification received * If the source network address is not LOCAL the IP is the source of the Remote authentication * Also provides the session ID * **EID 25** * Remote Desktop Services: Session reconnection succeeded * Also provides the session ID * Also provides the source IP * **EID 24** * Remote Desktop Services: Session has been disconnecte * Also provides the session ID * Also provides the source IP #### **RemoteDesktopServices-RdpCoreTS** * **EID 131** * The server accepted a new TCP connection from client SOURCE IP:PORT. ### **Unsuccessful Remote Interactive Logon** #### **NLA Enabled** * **Security** * **NTLM** * **EID 4776** * The domain controller attempted to validate the credentials for an account * Suspicious Error Codes * *0xC0000064* * User name does not exist * *0xC0000070* * User logon from unauthorized workstation * *0xC0000072* * User logon to account disabled by administrator * *0xC000006F* * User logon outside authorized hours * *0xC0000413* * Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine * *0xC000018C* * The logon request failed because the trust relationship between the primary domain and the trusted domain failed * *0xC000015B* * The user has not been granted the requested logon type (aka logon right) at this machine * This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. * It shows successful and unsuccessful credential validation attempts. * Logon Account : the name of the account that had its credentials validated by the Authentication Package. * Source Workstation : The name of the computer from which the logon attempt originated. * **Kerberos** * **EID 4771** * Kerberos pre-authentication failed * Account Name = Source host * Client Address = Source IP. * Common Failure Codes * 0x6 * Bad user name, or new computer/user account has not replicated to DC yet * 0x7 * New computer account has not replicated yet or computer is pre-w2k * 0x9 * administrator should reset the password on the account * 0xC * Workstation restriction * 0x12 * Account disabled, expired, locked out, logon hours. * 0x17 * The user’s password has expired. * 0x18 * Usually means bad password * **TerminalServices-RemoteConnectionManager** * **EID 1149** * Remote Desktop Services: User authentication succeeded * An Event ID 1149 DOES NOT indicate successful authentication to a target, simply a successful RDP network connection * if username and domain are blank that can be due to the specification of RestrictedAdmin option * If you turn off NLA and log on with Rdesktop, ID 1149 will not be recorded. * **EID 261** * Listener X received a connection * Service listening for inbound connection requests over the RDP Protocol * **RemoteDesktopServices-RdpCoreTS** * **EID 140** * A connection from the client computer with an IP address of SOURCE IP failed because the user name or password is not correct. * Despite the event description it will only be recorded when the user name DOES NOT EXIST * For a username that exists use a correlation between EID 4625 & EID 131 * **EID 131** * The server accepted a new TCP connection from client SOURCE IP:PORT. * Records the source IP of every RDP authentication attempt * To be correlated with EID 4625 in order to identify the source IP (depending on the OS version) #### **NLA Disabled** * **Security** * **EID 4625** * An account failed to log on * Logon Type = 10 * Client Address = Source IP (depending on the OS version) * Account Name * **RemoteDesktopServices-RdpCoreTS** * **EID 140** * A connection from the client computer with an IP address of SOURCE IP failed because the user name or password is not correct. * Despite the event description it will only be recorded when the user name DOES NOT EXIST * For a username that exists use a correlation between EID 4625 & EID 131 * **EID 131** * The server accepted a new TCP connection from client SOURCE IP:PORT. * Records the source IP of every RDP authentication attempt * To be correlated with EID 4625 in order to identify the source IP (depending on the OS version) ### Other events #### **Security** * **EID 4778** * A session was reconnected to a Window Station * Account Name * Source IP * **EID 4779** * A session was disconnected from a Window Station * Account Name * Source IP * **EID 4688** * Process Creation * rdpclip.exe ### References