RDP

Remote Desktop Protocol (RDP) Artifacts: RDP is a proprietary protocol developed by Microsoft which allows a user to connect to another computer over a network connection. Key artifacts include event logs, registry entries, and file system traces.
RDP-Related Processes:
- Source Host: The process mstsc.exe is launched when initiating an RDP connection.
- Destination Host: Processes like svchost.exe and termsrv.dll are involved in handling incoming RDP connections.
Important Registry Key:
- On the Source Host, the key NTUSER\Software\Microsoft\Terminal Server Client\Servers records recent RDP connections.
Event Log Analysis:
- Essential for tracking RDP sessions, with specific Event IDs (4624, 4778, 4779) providing detailed information about RDP activities.

Security Implications: Unauthorized RDP access is a common method for lateral movement in cyber attacks.
Log Centralization: Centralizing logs aids in quickly identifying malicious patterns across all endpoints.
Tool Usage: Attackers often use the same tools as network administrators for lateral movement.

Event IDs:
- 4624: Logs RDP logons (Logon Type 10 – Remote Interactive).
- 4778: Tracks RDP session reconnections.
- 4779: Records session disconnections.
Locations:
- Security Event Logs: %SYSTEMROOT%\System32\winevt\logs\Security.evtx.
- RDP-specific Logs:
  - Microsoft-Windows-RemoteDesktopServices-RDPCoreTS/Operational
  - Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational

Registry Entries:
- Recent Connections: NTUSER\Software\Microsoft\Terminal Server Client\Servers.
- RegRipper Plugin: rdphint for parsing RDP registry keys.
File System Traces:
- Default RDP Connection File: Default.rdp in the user profile.
- RDP Bitmap Cache Files: Fragments can be reassembled using bmc-tools.py.
- Jump List Data: Traces from mstsc.exe.

security.evtx:

Event ID 4648 – Logon specifying alternate credentials

Microsoft-WindowsTerminalServicesRDPClient%4Operational.evtx Event ID 1024 - Destination Host Name Event ID 1102 - Destination IP Address

Remote desktop destinations are tracked per-user
- NTUSER\Software Microsoft\Terminal Server Client\Servers
ShimCache – SYSTEM
- mstsc.exe Remote Desktop Client
BAM/DAM – SYSTEM – Last Time Executed
- mstsc.exe Remote Desktop Client
AmCache.hve – First Time Executed
- mstsc.exe
UserAssist – NTUSER.DAT
- mstsc.exe Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
RecentApps – NTUSER.DAT
- mstsc.exe Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
- RecentItems subkey tracks connection destinations and times

Event Log IDs: 4624 (Type 10), 4778, 4779.
Specialized Logs:
- Microsoft-Windows-TerminalServices-RDPClient/Operational for tracking attacker movement from the source system.

VNC:
- Event Log ID 4624 (Type 2 – Console logon).
- Application-specific logs and registry entries.
TeamViewer:
- Source System: TeamViewerX_Logfile.log in C:\Program Files\TeamViewer\VersionX.
- Target System: Connections_incoming.txt.

Active Directory Settings: “Deny log on through Remote Desktop Services” for sensitive accounts.
Host Level Settings: Disabling RDP service, configuring Windows Firewall to deny inbound RDP connections.

Event ID 4624:

Log Name: Security
Event ID: 4624
Logon Type: 10
Account Name: [Username]
Source Network Address: [IP Address]

Event ID 4778:

Log Name: Security
Event ID: 4778
Account Name: [Username]
Session Reconnected to: [Target Machine Name]

Event ID 4779:

Log Name: Security
Event ID: 4779
Account Name: [Username]
Session Disconnected from: [Target Machine Name]

Last updated 1 year ago

Was this helpful?