RDP

Key Points

  1. Remote Desktop Protocol (RDP) Artifacts: RDP is a proprietary protocol developed by Microsoft which allows a user to connect to another computer over a network connection. Key artifacts include event logs, registry entries, and file system traces.

  2. RDP-Related Processes:

    • Source Host: The process mstsc.exe is launched when initiating an RDP connection.

    • Destination Host: Processes like svchost.exe and termsrv.dll are involved in handling incoming RDP connections.

  3. Important Registry Key:

    • On the Source Host, the key NTUSER\Software\Microsoft\Terminal Server Client\Servers records recent RDP connections.

  4. Event Log Analysis:

    • Essential for tracking RDP sessions, with specific Event IDs (4624, 4778, 4779) providing detailed information about RDP activities.

Considerations

  • Security Implications: Unauthorized RDP access is a common method for lateral movement in cyber attacks.

  • Log Centralization: Centralizing logs aids in quickly identifying malicious patterns across all endpoints.

  • Tool Usage: Attackers often use the same tools as network administrators for lateral movement.

Technical Explanations

Event Log Tracking

  • Event IDs:

    • 4624: Logs RDP logons (Logon Type 10 – Remote Interactive).

    • 4778: Tracks RDP session reconnections.

    • 4779: Records session disconnections.

  • Locations:

    • Security Event Logs: %SYSTEMROOT%\System32\winevt\logs\Security.evtx.

    • RDP-specific Logs:

      • Microsoft-Windows-RemoteDesktopServices-RDPCoreTS/Operational

      • Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

      • Microsoft-Windows-TerminalServices-LocalSessionManager/Operational

Source Host Artifacts

  • Registry Entries:

    • Recent Connections: NTUSER\Software\Microsoft\Terminal Server Client\Servers.

    • RegRipper Plugin: rdphint for parsing RDP registry keys.

  • File System Traces:

    • Default RDP Connection File: Default.rdp in the user profile.

    • RDP Bitmap Cache Files: Fragments can be reassembled using bmc-tools.py.

    • Jump List Data: Traces from mstsc.exe.

security.evtx:

Event ID 4648 – Logon specifying alternate credentials

  • Current logged-on User Name

  • Alternate User Name

  • Destination Host Name/IP

  • Process Name

Microsoft-WindowsTerminalServicesRDPClient%4Operational.evtx Event ID 1024 - Destination Host Name Event ID 1102 - Destination IP Address

Destination Host Artifacts

  • Event Log IDs: 4624 (Type 10), 4778, 4779.

  • Specialized Logs:

    • Microsoft-Windows-TerminalServices-RDPClient/Operational for tracking attacker movement from the source system.

Alternate Remote Access Tools

  • VNC:

    • Event Log ID 4624 (Type 2 – Console logon).

    • Application-specific logs and registry entries.

  • TeamViewer:

    • Source System: TeamViewerX_Logfile.log in C:\Program Files\TeamViewer\VersionX.

    • Target System: Connections_incoming.txt.

Security Settings

  • Active Directory Settings: “Deny log on through Remote Desktop Services” for sensitive accounts.

  • Host Level Settings: Disabling RDP service, configuring Windows Firewall to deny inbound RDP connections.

Example Logs

  • Event ID 4624:

    Log Name: Security
Event ID: 4624
Logon Type: 10
Account Name: [Username]
Source Network Address: [IP Address]

  • Event ID 4778:

    Log Name: Security
Event ID: 4778
Account Name: [Username]
Session Reconnected to: [Target Machine Name]

  • Event ID 4779:

    Log Name: Security
Event ID: 4779
Account Name: [Username]
Session Disconnected from: [Target Machine Name]

Example Command Lines

  • Starting RDP Session:

    mstsc.exe /v:[TargetHost]

  • Using VNC:

    vncviewer.exe [TargetHost]

  • Launching TeamViewer:

    TeamViewer.exe
PreviousEvent ID: 4799NextSource System Artifacts - Quick Reference

Last updated

Was this helpful?