CYB3RSN0RLAX
TwitterGitHubLinkedin
Searchโ€ฆ
About Cyb3rSn0rlax
๐Ÿ›ก๏ธ SOC Engineering
๐Ÿงž
Building an Open SIEM From Scratch
๐Ÿ›ก
A Primer to Detection Engineering Dimensions in a SOC Universe
๐Ÿ˜บ
GitHub Projects
ELK4QRadar
Automating ELK Health Check
๐Ÿ’พ
DFIR
DFIR-01 : $MFT
DFIR-02 : Journal Forensics
DFIR-03: RDP Authentication Artifacts
โ˜ข๏ธ DEATH : Detection Engineering And Threat Hunting
๐Ÿ”‘
TA0006 : Credential Access
๐Ÿฆ˜
TA0008 : Lateral Movement
๐Ÿ”Ž
Misc
Infosec Game-Sense
Powered By GitBook
DFIR-03: RDP Authentication Artifacts
I created a Mindmap that represents different artifacts related to RDP authentication with NLA enabled or disabled to help collect and analyze forensic artifacts during DFIR engagements
You can find the original file in this awesome project called DFIRMindMaps maintained by Andrew Rathbun. Feel free to review and contribute.
RDP Authentication Artifacts MindMap

Successful Remote Interactive Logon

Security

    EID 4624
      An account was successfully logged on
        Logon Types
          10
            Successful User Account RemoteInteractive Logon
          12
            Successful User Account RemoteInteractive Logon Using Cached Credentials
          7
            Successful User Account RemoteInteractive Logon : Workstation was Unlocked
    EID 4776
      The domain controller attempted to validate the credentials for an account
        Error Code
          0x0
            Successful Logon
        This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
        It shows successful and unsuccessful credential validation attempts.
        Logon Account : the name of the account that had its credentials validated by the Authentication Package.
        Source Workstation : The name of the computer from which the logon attempt originated.

TerminalServices-RemoteConnectionManager

    EID 261
      Listener X received a connection
        Service listening for inbound connection requests over the RDP Protocol
    EID 1149
      Remote Desktop Services: User authentication succeeded
        An Event ID 1149 DOES NOT indicate successful authentication to a target, simply a successful RDP network connection
        If you specify the RestrictedAdmin option, the username and domain will be blank.
        If you turn off NLA and log on with Rdesktop, ID 1149 will not be recorded.
    EID 1158
      Remote Desktop Services accepted a connection from IP address
        This will be available in the Administrative log records
        Will also display the source IP

TerminalServices-LocalSessionManager

    EID 41
      Begin session arbitration
        Provides the session ID for potential correlations with other events
    EID 42
      End session arbitration
        Provides the session ID for potential correlations with other events
    EID 21
      Remote Desktop Services: Session logon succeeded
        If the source network address is not LOCAL the IP is the source of the remote authentication
        Also provides the session ID
    EID 22
      Remote Desktop Services: Shell start notification received
        If the source network address is not LOCAL the IP is the source of the Remote authentication
        Also provides the session ID
    EID 25
      Remote Desktop Services: Session reconnection succeeded
        Also provides the session ID
        Also provides the source IP
    EID 24
      Remote Desktop Services: Session has been disconnecte
        Also provides the session ID
        Also provides the source IP

RemoteDesktopServices-RdpCoreTS

    EID 131
      The server accepted a new TCP connection from client SOURCE IP:PORT.

Unsuccessful Remote Interactive Logon

NLA Enabled

    Security
      NTLM
        EID 4776
          The domain controller attempted to validate the credentials for an account
            Suspicious Error Codes
              0xC0000064
                User name does not exist
              0xC0000070
                User logon from unauthorized workstation
              0xC0000072
                User logon to account disabled by administrator
              0xC000006F
                User logon outside authorized hours
              0xC0000413
                Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
              0xC000018C
                The logon request failed because the trust relationship between the primary domain and the trusted domain failed
              0xC000015B
                The user has not been granted the requested logon type (aka logon right) at this machine
            This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
            It shows successful and unsuccessful credential validation attempts.
            Logon Account : the name of the account that had its credentials validated by the Authentication Package.
            Source Workstation : The name of the computer from which the logon attempt originated.
      Kerberos
        EID 4771
          Kerberos pre-authentication failed
            Account Name = Source host
            Client Address = Source IP.
            Common Failure Codes
              0x6
                Bad user name, or new computer/user account has not replicated to DC yet
              0x7
                New computer account has not replicated yet or computer is pre-w2k
              0x9
                administrator should reset the password on the account
              0xC
                Workstation restriction
              0x12
                Account disabled, expired, locked out, logon hours.
              0x17
                The userโ€™s password has expired.
              0x18
                Usually means bad password
    TerminalServices-RemoteConnectionManager
      EID 1149
        Remote Desktop Services: User authentication succeeded
          An Event ID 1149 DOES NOT indicate successful authentication to a target, simply a successful RDP network connection
          if username and domain are blank that can be due to the specification of RestrictedAdmin option
          If you turn off NLA and log on with Rdesktop, ID 1149 will not be recorded.
      EID 261
        Listener X received a connection
          Service listening for inbound connection requests over the RDP Protocol
    RemoteDesktopServices-RdpCoreTS
      EID 140
        A connection from the client computer with an IP address of SOURCE IP failed because the user name or password is not correct.
        Despite the event description it will only be recorded when the user name DOES NOT EXIST
        For a username that exists use a correlation between EID 4625 & EID 131
      EID 131
        The server accepted a new TCP connection from client SOURCE IP:PORT.
        Records the source IP of every RDP authentication attempt
        To be correlated with EID 4625 in order to identify the source IP (depending on the OS version)

NLA Disabled

    Security
      EID 4625
        An account failed to log on
          Logon Type = 10
          Client Address = Source IP (depending on the OS version)
          Account Name
    RemoteDesktopServices-RdpCoreTS
      EID 140
        A connection from the client computer with an IP address of SOURCE IP failed because the user name or password is not correct.
        Despite the event description it will only be recorded when the user name DOES NOT EXIST
        For a username that exists use a correlation between EID 4625 & EID 131
      EID 131
        The server accepted a new TCP connection from client SOURCE IP:PORT.
        Records the source IP of every RDP authentication attempt
        To be correlated with EID 4625 in order to identify the source IP (depending on the OS version)

Other events

Security

    EID 4778
      A session was reconnected to a Window Station
        Account Name
        Source IP
    EID 4779
      A session was disconnected from a Window Station
        Account Name
        Source IP
    EID 4688
      Process Creation
        rdpclip.exe

References

โ€‹https://purerds.org/remote-desktop-security/auditing-remote-desktop-services-logon-failures-1/โ€‹
โ€‹https://port139.hatenablog.com/entry/2019/03/23/091740โ€‹
โ€‹https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/โ€‹
โ€‹https://www.13cubed.com/downloads/rdp_flowchart.pdfโ€‹
โ€‹https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/โ€‹
DFIR - Previous
DFIR-02 : Journal Forensics
Next - โ˜ข๏ธ DEATH : Detection Engineering And Threat Hunting
TA0006 : Credential Access
Last modified 1mo ago
Copy link
Contents
Successful Remote Interactive Logon
Unsuccessful Remote Interactive Logon
Other events
References