
Investigating lateral movement involving the Remote Desktop Protocol (RDP) is a common part of responding to an incident where nefarious activity has occurred within a network. Perhaps the quickest and easiest way to do that is to check the security event log on machines known to have been compromised for RDP connection events with ID 4624 or 4625 and a type 10 logon. However, that is not always a surefire way to detect whether such activity has occurred. It is becoming more and more common for bad actors to manipulate or clear the security event logs on compromised machines, and sometimes RDP sessions don't even register as a type 10 logon, depending on the circumstances. RDP activity, like most activity, leaves events in several different logs as actions are taken and various processes are involved.

SOURCE PC: Log Events and Examples

As digital forensic investigators, we need to find the evidence we're interested in and ensure we are not overlooking information that may still be available in the event logs, even after a standard security log wipe. Let's consider the following logs and events:

TerminalServices-RemoteConnectionManager/Operational
RemoteDesktopServices-RDPCoreTS/Operational
TerminalServices-LocalSessionManager/Operational

This list is by no means all-inclusive (there are others too), but this example will give us a good cross-section of what these activities leave behind as additional or supporting evidence. There is less to see on the source PC, but events are created when the RDP client is used to connect to another computer, and they can be very important. These events help verify other logged events on the destination machines and can help identify other systems that may have been compromised.

In the security log, an event with ID 4648 is logged whenever a logon is attempted using explicit credentials. When that authentication is used for a remote system, it looks something like this:

The important information we can get from this event is in the top three sections.
The Subject section is the account logged into the source PC.
The Account Whose Credentials Were Used section is self-explanatory: that is the account used when authenticating with the RDP client to connect to the remote machine.
Target Server is the machine being connected to.

There are a few things to keep in mind when looking at 4648 events.
First, they get logged a lot: whenever explicit credentials are used. Most of the time they will show as targeting localhost, because the credentials were used locally, or other systems if credentials were used to access or connect to resources. Second, as you've probably noticed, there is nothing in this event to signify that this authentication was for an RDP connection. That is exactly why it is important to correlate logs, so that you can tie events from the destination machine to this time frame and verify the accuracy of the log. You can then be certain that this was the destination machine.
Finally, pay attention to the subject and the account name under Account Whose Credentials Were Used.
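The triage and correlation just described, as an added PowerShell example that is not code from the original article: it pulls 4648 events from a source PC's Security log (live, or an exported .evtx via -Path), drops the localhost targets the article calls noise, and then queries the three destination-side channels the article lists for the same time window. The function names, the five-minute window and the use of -ComputerName for the destination are assumptions.

```powershell
# Added example, not from the original article. Surfaces 4648 events on the
# source PC whose Target Server is not localhost, then pulls the destination's
# RDP channels around each hit so the two sides can be tied together.

function Get-SourceExplicitLogons {
    param([string]$Path, [datetime]$Start, [datetime]$End)
    # Live Security log by default; an exported Security.evtx if -Path is given.
    $filter = @{ Id = 4648; StartTime = $Start; EndTime = $End }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }
    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            Subject      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"  # user logged into the source PC
            CredsUsed    = "$($d.TargetDomainName)\$($d.TargetUserName)"    # Account Whose Credentials Were Used
            TargetServer = $d.TargetServerName                              # Target Server
            Process      = $d.ProcessName                                   # process that supplied the creds (a hint only, not proof of RDP)
        }
    } | Where-Object { $_.TargetServer -and $_.TargetServer -ne 'localhost' }
}

function Get-DestinationRdpEvents {
    param([string]$ComputerName, [datetime]$Around, [int]$WindowMinutes = 5)
    # The three channels named in the article, by their full log names.
    $channels = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
                'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational',
                'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = $channels
        StartTime = $Around.AddMinutes(-$WindowMinutes)
        EndTime   = $Around.AddMinutes($WindowMinutes)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, LogName, Id, Message
}

# Usage (assumed window): triage the last 7 days on the source, then verify each target.
$hits = Get-SourceExplicitLogons -Start (Get-Date).AddDays(-7) -End (Get-Date)
$hits | Format-Table -AutoSize
foreach ($h in $hits) {
    "--- $($h.TargetServer) around $($h.Time) ---"
    Get-DestinationRdpEvents -ComputerName $h.TargetServer -Around $h.Time | Format-Table -AutoSize
}
```

For an offline case, swap -ComputerName for -Path pointing at each destination channel's exported .evtx, one Get-WinEvent call per file.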
