How to investigate RDP logs during an IR, Part-1

Md. Mahim Bin Firoj
12 min read · Sep 25, 2023

For initial access we know that attackers use phishing mail, vulnerabilities in external web applications, exposed external or internal RDP access, and so on. During IR, if we see something unusual on a system, we often need to analyze the Windows RDP logs to find out whether the attacker actually got in, what their IP address was, and which user name they used.

For example, if we find abnormal files on a Windows server, that is a strong indication that an attacker somehow got into the server.

System administrators use RDP to log in to remote systems and manage them. Attackers use the same tool to reach their target systems, which is why its logs are worth knowing well.

This writeup is going to be a bit long, but if you read and understand it, it will help you find out who logged in to the system and how.

Learning objectives:

  1. Event ID 1149 explanation.
  2. Event IDs 4624 and 4625 explanation.
  3. Logon type explanation and summary.
  4. Tests in different environments (workgroup and AD domain).
  5. Event IDs 21 and 22 explanation.

Let’s get started:

First of all we will talk about event ID 1149, which you will find under Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager > Operational (the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational channel). Here I am investigating the RDP (authentication related) logs on the destination/remote server.

In the log entry, the “User” field is the name of the user account (in this case avi) that initiated the RDP session. This is a non-domain (workgroup) environment: someone wants to access the remote server with the avi user name, and the avi account exists locally on the remote server.

Figure 1: 1149 event

Let’s break down the log message here.

Remote Desktop Services: User authentication succeeded:

“Authentication succeeded” here has a narrower meaning than it sounds. With Network Level Authentication (NLA) enabled, which is the default on current Windows versions, this line is logged once the client has proven that it holds correct credentials, but that does not mean the user actually got a session on the remote server. Here is why. Say the destination server has two users, avi and mahim. Someone has already authenticated and logged in on the destination server remotely with avi’s credentials. Now another person starts a second RDP session to the same server using mahim’s correct user name and password. The server accepts the authentication because the credentials are correct, and you get the log below.

Figure 2: Authentication success for user mahim

But now the destination server shows a message to avi, who is currently logged in, saying that another user, mahim, wants to log in to the same system and asking whether to allow it (if avi allows it, avi is disconnected). If avi allows the connection, mahim logs in successfully and you get event ID 4624 in the Security log. If avi denies it, you still get a 4624 for mahim in the Security log. So whether avi allows or denies the connection, the authentication success message always appears, because mahim’s credentials were provided correctly.

In our case avi denied the request, but as the image above shows, we still see “User authentication succeeded” because that person provided correct credentials for mahim.

There are several reasons for this. One is explained above. Another is that the user may not be allowed to use RDP at all, for example because the account is not in the Remote Desktop Users group on the destination server (or otherwise lacks the “Allow log on through Remote Desktop Services” right). In that case the server authenticates the credentials but does not let the user log on.

One caveat: if NLA is disabled on the destination server, 1149 is logged as soon as the RDP connection is established and the logon screen is presented, before any password has been checked, so in that configuration 1149 does not prove that the credentials were correct.

So the key takeaway is that, with NLA enabled, an event ID 1149 “authentication succeeded” entry tells you that someone has the correct credentials for that user. Change the password if you think the account is under attack, and then use the Security and LocalSessionManager logs to confirm whether a session was actually created.

Domain: AVISLENOVOY740

The Domain field is the domain the user account belongs to. When no AD domain is involved, it shows the computer name of the source machine instead; here AVISLENOVOY740 is the computer name of the source machine.

Figure 3: Device name

Source Network Address: 192.168.88.1

This is the IP address of the source machine from which the request is coming to the destination server.

So investigating event ID 1149 alone will not give you the full picture. You need to investigate further.

Now let’s talk about the successful logon event ID 4624 and the failed logon event ID 4625 in the Security log, and when they are generated.

When a logon session is created for a user on the destination server, event ID 4624 is generated in the Security log. Take the time frame from Figure 1. If we search for 4624 events in the same time frame, we get the log entry below.

An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: DESKTOP-5NAO4GV\Avi
Account Name: Avi
Account Domain: DESKTOP-5NAO4GV
Logon ID: 0x474DAC4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: AVISLENOVOY740
Source Network Address: 192.168.88.1
Source Port: 0

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Figure 4: Same time frame: 4624 event

Now there is an exception. Remember the case above where someone provided mahim’s correct credentials but, for the reasons discussed, mahim did not get to log in to the remote system.

Because mahim’s credentials were correct, a 4624 event is generated anyway. Notice that it is a logon type 3 (network) logon by the NtLmSsp logon process with NTLM V2: this is the NLA (CredSSP) authentication that happens over the network before any RDP session exists, not the interactive logon itself.

Figure 5: 4624 for user mahim
An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: DESKTOP-5NAO4GV\mahim
Account Name: mahim
Account Domain: DESKTOP-5NAO4GV
Logon ID: 0x9A0A5D0
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: AVISLENOVOY740
Source Network Address: 192.168.88.1
Source Port: 0

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128

The event says “An account was successfully logged on”, but in reality mahim never got a session on the system; the network logon succeeded because the credentials were correct, and that is all this event records. So the big question is: how can we be sure that the user actually logged on and saw the desktop icons? The answer is at the end.
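The 4624 fields walked through above can be extracted automatically instead of being read by eye. The following Python is an added example and not part of the original post: it parses the message text of a 4624/4625 event (as you would get it from the Message property of Get-WinEvent, or from an exported log) into its sections and pulls out what an RDP investigation needs: the account in New Logon (or, for a 4625, in “Account For Which Logon Failed”), the logon type, the source workstation and IP, and the authentication package. The sample input is the mahim event shown above, reproduced as a constructed string; the function and dictionary names are my own.

```python
import re

# Constructed sample: the message text of the 4624 event for user mahim shown above
# (field part only; the explanatory paragraphs that follow every 4624 are left out,
# and the parser skips them anyway). A raw string keeps the backslash in the SID intact.
EVENT_MAHIM = r"""An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: DESKTOP-5NAO4GV\mahim
Account Name: mahim
Account Domain: DESKTOP-5NAO4GV
Logon ID: 0x9A0A5D0
Linked Logon ID: 0x0

Network Information:
Workstation Name: AVISLENOVOY740
Source Network Address: 192.168.88.1
Source Port: 0

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
"""

# One "Key: Value" line. A key with no value ("Subject:", "New Logon:") opens a section,
# and keys inside it are stored as "Section/Key" so that the Subject's "Account Name"
# and the New Logon's "Account Name" never collide.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()]*?):(?:\s+(.*?))?\s*$")

LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive (RDP)"}


def parse_logon_event(message: str) -> dict:
    """Flatten the message body of a 4624/4625 event into {"Section/Key": value}."""
    fields, section = {}, ""
    for line in message.splitlines():
        if not line.strip():
            section = ""          # a blank line ends the current section
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue              # the first line and the trailing prose carry no fields
        key, value = m.group(1), m.group(2)
        if not value:
            section = key
            continue
        fields[f"{section}/{key}" if section else key] = value
    return fields


def summarize_logon(fields: dict) -> dict:
    """Pick out what an RDP investigation needs from a parsed 4624 (or 4625)."""
    # 4624 names the account under "New Logon", 4625 under "Account For Which Logon Failed".
    acct = "New Logon" if "New Logon/Account Name" in fields else "Account For Which Logon Failed"
    logon_type = int(fields.get("Logon Information/Logon Type", "0"))
    return {
        "user": fields.get(f"{acct}/Account Domain", "?") + "\\" + fields.get(f"{acct}/Account Name", "?"),
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPES.get(logon_type, "other"),
        "source_ip": fields.get("Network Information/Source Network Address"),
        "workstation": fields.get("Network Information/Workstation Name"),
        "auth_package": fields.get("Detailed Authentication Information/Authentication Package"),
        "ntlm_version": fields.get("Detailed Authentication Information/Package Name (NTLM only)"),
    }


if __name__ == "__main__":
    print(summarize_logon(parse_logon_event(EVENT_MAHIM)))
```

Run over the mahim event this yields logon type 3 (Network), NTLM V2 from 192.168.88.1 / AVISLENOVOY740, which is exactly the NLA signature discussed above: a network logon with correct credentials, and on its own no proof of an interactive session.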

Now allow me to discuss the different logon types (here we are looking at the logon events in the Security log; whether a desktop shell actually started is covered later). Several logon types appear, such as 2, 3, 5, 7 and 10; the most important ones for RDP are 3, 7 and 10.

When 4624 and 4625 are generated in the Security log, and with which logon type:

The following was tested in my home lab (workgroup) network.

  1. When you RDP to a system after it has just booted up and provide the correct password, logon types 3 and 7 are generated with 4624.
  2. When you only unlock the system with the correct password, logon type 7 is generated with 4624. No type 3 is generated at that time.
  3. When another user tries to log in with the correct password while one user is already connected, logon types 3 and 10 are generated with 4624.
  4. When you RDP to a system after it has just booted up and provide a wrong password, logon type 3 is generated with 4625.
  5. When you unlock the system and provide a wrong password, logon type 7 is generated with 4625.

The following was tested in an AD domain environment.

  1. When you RDP to a system after it has just booted up and provide the correct password, logon types 3 and 10 are generated with 4624.
  2. When you RDP to a system after it has just booted up and provide a wrong password, logon type 3 is generated with 4625.
  3. When you only unlock the system with the correct password, logon type 7 is generated with 4624. No type 3 is generated at that time.
  4. When you try to unlock the system and provide a wrong password, logon type 7 is generated with 4625.
  5. After providing a wrong password, if you then log in with the correct password, logon types 3 and 7 are generated with 4624.

Below is an example of a log with logon type 7.

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-5NAO4GV$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 7
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: DESKTOP-5NAO4GV\Avi
Account Name: Avi
Account Domain: DESKTOP-5NAO4GV
Logon ID: 0xAFE8616
Linked Logon ID: 0xAFE85DB
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x628
Process Name: C:\Windows\System32\svchost.exe

Network Information:
Workstation Name: DESKTOP-5NAO4GV
Source Network Address: 192.168.88.1
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Below is an example of a log with logon type 10.

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-5NAO4GV$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 10
Restricted Admin Mode: No
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: DESKTOP-5NAO4GV\mahim
Account Name: mahim
Account Domain: DESKTOP-5NAO4GV
Logon ID: 0xB0F4AA6
Linked Logon ID: 0xB0F4A4C
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x628
Process Name: C:\Windows\System32\svchost.exe

Network Information:
Workstation Name: DESKTOP-5NAO4GV
Source Network Address: 192.168.88.1
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

In the logon type 7 and 10 events the Subject is the SYSTEM account, shown as the computer account DESKTOP-5NAO4GV$ with logon ID 0x3E7, because the local system itself creates the logon session. Note also that the logon process is User32 and the authentication package is Negotiate, unlike the NtLmSsp/NTLM seen in the type 3 events.

Now let’s discuss what those logon types are:

2 is an interactive logon at the console (a physical keyboard and screen, or a hypervisor console such as VMware’s).

3 is a network logon. When you log in to your host/physical machine at the console, logon type 3 is not generated, and when you log in to a VM through the VMware console it is not generated either.

5 is a service logon (a service started by the Service Control Manager).

7 is an unlock of an already logged-on, locked session.

10 is a RemoteInteractive logon, i.e. an RDP (Terminal Services) interactive logon.

Summary of logon types:

When you see logon type 3, the Network Information tells you who is coming (the source machine name) and its source IP, and the New Logon tells you which user they want to use on the target machine and the target machine name.

When you see logon type 7, the Network Information shows the destination server name and the source machine IP, and the New Logon is the same as above. In the Subject part, the SYSTEM account (the computer account) creates the logon session.

When you see logon type 10, the Network Information again shows the destination server name and the source machine IP; the New Logon and Subject parts are the same as for type 7.

Now let’s look at the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log to find out whether the user actually logged on.

Event ID 21 (Remote Desktop Services: Session logon succeeded)

This is another log from my other system.

Event ID 22 (Remote Desktop Services: Shell start notification received)

Event IDs 21 and 22 at the same time confirm that the user successfully logged in and saw the desktop icons: “Shell start notification received” means the user’s shell (the GUI) started. I tested this with the very first example in this blog: for the mahim user you get a 4624 “successfully logged on” event in the Security log, but you get no 21 or 22 events for mahim, because mahim was never actually able to log in and see the desktop. Both events are logged when a new session is created, for example at the first logon after a reboot or a user’s first logon; when you only unlock a session, or RDP to a machine that is already up and get your existing session back, they are not generated (a reconnection is logged in the same channel as event ID 25, “Session reconnection succeeded”, and disconnects and logoffs as 24 and 23). Also, a Source Network Address of LOCAL means the session was started at the local console (including a hypervisor console), not over the network; an RDP session shows the client’s IP address there.
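Putting the three logs together, here is how I would automate the check described in this section and in the logon type summary above. This Python is an added example, not part of the original post: it takes a list of already-parsed events (constructed here to reproduce the avi and mahim scenario from this blog, plus one made-up wrong-password attempt from an invented second IP address), groups them per user and source IP, and reports how far each attempt got: credentials accepted at NLA only (1149 / 4624 type 3), session created (4624 type 10 / event 21), or desktop shown (event 22). A 4624 type 7 or an event 25 is treated as unlocking or reconnecting to an existing session. The field names, timestamps and verdict strings are my own.

```python
from collections import defaultdict

# Constructed timeline reproducing this page's scenario. avi connects over RDP and reaches
# the desktop; later someone supplies mahim's correct password but avi declines the takeover
# prompt, so mahim passes NLA (1149 + 4624 type 3) and nothing more. The last entry is a
# made-up wrong-password attempt from an invented second IP. "log" records the channel:
# RCM = TerminalServices-RemoteConnectionManager, LSM = TerminalServices-LocalSessionManager.
SAMPLE_EVENTS = [
    {"t": "09:00:01", "log": "RCM", "id": 1149, "user": "Avi", "source": "192.168.88.1"},
    {"t": "09:00:01", "log": "Security", "id": 4624, "user": "Avi", "source": "192.168.88.1", "logon_type": 3},
    {"t": "09:00:03", "log": "Security", "id": 4624, "user": "Avi", "source": "192.168.88.1", "logon_type": 10},
    {"t": "09:00:03", "log": "LSM", "id": 21, "user": "Avi", "source": "192.168.88.1"},
    {"t": "09:00:05", "log": "LSM", "id": 22, "user": "Avi", "source": "192.168.88.1"},
    {"t": "09:10:40", "log": "RCM", "id": 1149, "user": "mahim", "source": "192.168.88.1"},
    {"t": "09:10:40", "log": "Security", "id": 4624, "user": "mahim", "source": "192.168.88.1", "logon_type": 3},
    {"t": "09:20:12", "log": "Security", "id": 4625, "user": "Administrator", "source": "192.168.88.77", "logon_type": 3},
]


def new_chain() -> dict:
    return {"nla_passed": False, "session": False, "shell": False,
            "reattached": False, "failures": 0, "first": None, "last": None}


def verdict(c: dict) -> str:
    """Strongest conclusion the evidence in one chain supports, checked strongest first."""
    if c["shell"]:
        return "interactive RDP session established (desktop shown)"
    if c["session"]:
        return "RDP session created, but no shell start seen (check events 23/24/25)"
    if c["reattached"]:
        return "unlocked or reconnected to an existing session"
    if c["nla_passed"]:
        return "credentials accepted at NLA, but no session was created"
    if c["failures"]:
        return f"{c['failures']} failed logon attempt(s), no success"
    return "no RDP logon evidence"


def assess_rdp_activity(events: list) -> dict:
    """Group events per (user, source IP) and decide how far each RDP attempt got."""
    chains = defaultdict(new_chain)
    for e in sorted(events, key=lambda ev: ev["t"]):
        c = chains[(e["user"].lower(), e["source"])]
        c["first"] = c["first"] or e["t"]
        c["last"] = e["t"]
        eid, ltype = e["id"], e.get("logon_type")
        if eid == 1149 or (eid == 4624 and ltype == 3):
            c["nla_passed"] = True      # correct credentials proven over the network, nothing more
        elif (eid == 4624 and ltype == 10) or eid == 21:
            c["session"] = True         # an RDP session was really created
        elif eid == 22:
            c["shell"] = True           # the shell started: the user saw the desktop
        elif (eid == 4624 and ltype == 7) or eid == 25:
            c["reattached"] = True      # unlock of, or reconnection to, an existing session
        elif eid == 4625:
            c["failures"] += 1
    for c in chains.values():
        c["verdict"] = verdict(c)
    return dict(chains)


if __name__ == "__main__":
    for (user, source), c in assess_rdp_activity(SAMPLE_EVENTS).items():
        print(f"{user}@{source} {c['first']}-{c['last']}: {c['verdict']}")
```

In a real case the list is filled from Get-WinEvent on the Security channel and the two TerminalServices Operational channels, mapping each event’s user and address fields (for 4624/4625 the TargetUserName, IpAddress and LogonType EventData values) onto the keys used here. Grouping by user and source IP is deliberate: a single 1149 or 4624 type 3 from an unfamiliar IP is the “someone has this password” signal from the 1149 section, while only the 21/22 pair turns it into a confirmed interactive session.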

I am sorry for making this writeup so long, but I had to in order to explain the whole scenario.

Thanks. I hope this was informative for you. Please subscribe below.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos
