Daily Blog #517: Forensic Lunch Test Kitchen 10/24/18 - Digging into RDP Events

Digging into RDP Events by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
         Another test kitchen with a lot of you tuning in live with a very short notice! Thanks to everyone who made the live broadcast, it really does make the whole thing way more fun for me when all of you get involved. Tonight we continued digging into rdp events looking to understand when and how remote client names got stored when a system rdp's into another computer.

We learned that:

  • When a windows native rdp client connects to a rdp server, even if NLA is not enabled by default, that it will attempt NLA (Network Layer Authentication)
  • That since it attempts NLA before the type 10 4624 event that only contains the ip address of the rdp client you will also get a type 3 4624 event both in the system log. The Type 3 4624 event will contain the rdp client's hostname and ip address. All of these events are in the security log. 
  • That the type 3 and type 10 logins will have their own loginid's to track their session and they will end very closely to each other when the session ends
  • That the linux rdesktop command has the ability to pass a rdp client hostname but it doesn't appear to be accepted
  • That the linux rdesktop command will also start with a type 3 4624 event but it does not appear that it stores the ip address or the hostname of the rdp client
Tomorrow night we will parse through all the logs using either Tzworks evtwalk tool or our eventmonkey tool (depending on what I have time to setup) and look to see if any other log got our ip address or hostname

You can watch the video here:

Also Read: Daily Blog #516

Post a Comment