Thursday, October 25, 2018

Daily Blog #518: Forensic Lunch Test Kitchen 10/25/18

Hello Reader,
Tonight's test kitchen continued last night's RDP-focused testing. Tonight we went through the event logs using the TZWorks tool evtwalk to find all event log entries that referenced the host IP addresses we used in the RDP connections, along with our hostnames. We also manually turned off NLA to see what it would do to our new Type 3 4624 events, and lastly we tested Microsoft's RDP client for OS X.

Here is what we learned:

  • We didn't find any new logs on the RDP server side beyond what we expected
  • We did find that outbound connections we made via RDP and SMB are logged in Windows 10 by default, but not in Windows 7
  • We found that turning off NLA by editing the .rdp connection file prevents the Type 3 events from occurring during the RDP login
  • We found that the Microsoft RDP client for OS X also does NLA by default, but does not pass the workstation name in the Type 3 4624 event
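The findings above describe three patterns an analyst can look for in Security event 4624 on an RDP server: a Type 3 (NLA pre-authentication) logon followed within seconds by a Type 10 logon from the same source IP, a Type 3 whose WorkstationName is blank (the OS X client behaviour), and a Type 10 with no preceding Type 3 (NLA switched off in the connection file). The script below is an added example, not code from the original post or from TZWorks; it runs over a constructed set of 4624-style records (standard EventData field names, made-up timestamps and documentation-range IPs) rather than real evtwalk output, and the 30-second pairing window is an assumption.

```python
"""Correlate RDP logon events per the test-kitchen findings (added example)."""
from datetime import datetime, timedelta

# Constructed sample: a few 4624 records in time order, using the
# standard EventData names LogonType, IpAddress, WorkstationName.
SAMPLE_4624 = [
    # Windows client: NLA pre-auth (Type 3) then the RDP session (Type 10).
    {"time": "2018-10-25T20:01:00", "LogonType": 3, "IpAddress": "192.0.2.10",
     "WorkstationName": "WIN10-CLIENT", "TargetUserName": "analyst"},
    {"time": "2018-10-25T20:01:02", "LogonType": 10, "IpAddress": "192.0.2.10",
     "WorkstationName": "RDP-SERVER", "TargetUserName": "analyst"},
    # OS X client: NLA still happens, but WorkstationName is blank.
    {"time": "2018-10-25T20:05:00", "LogonType": 3, "IpAddress": "192.0.2.20",
     "WorkstationName": "", "TargetUserName": "analyst"},
    {"time": "2018-10-25T20:05:03", "LogonType": 10, "IpAddress": "192.0.2.20",
     "WorkstationName": "RDP-SERVER", "TargetUserName": "analyst"},
    # NLA disabled in the .rdp file: only the Type 10 appears.
    {"time": "2018-10-25T20:10:00", "LogonType": 10, "IpAddress": "192.0.2.30",
     "WorkstationName": "RDP-SERVER", "TargetUserName": "analyst"},
    # Unrelated network logon (SMB-style) with no RDP session after it.
    {"time": "2018-10-25T20:15:00", "LogonType": 3, "IpAddress": "192.0.2.40",
     "WorkstationName": "FILE-CLIENT", "TargetUserName": "analyst"},
]

NLA_WINDOW = timedelta(seconds=30)  # assumed pairing window, not from the post


def find_references(events, terms):
    """Mimic the evtwalk hunt: keep records whose source IP or
    workstation name matches one of the hosts we are interested in."""
    return [e for e in events
            if e["IpAddress"] in terms or e["WorkstationName"] in terms]


def correlate_rdp_logons(events, window=NLA_WINDOW):
    """Pair each Type 10 (RemoteInteractive) logon with the nearest earlier
    Type 3 logon from the same source IP inside `window`.

    Returns one dict per RDP session: source_ip, time, nla_seen,
    client_name (WorkstationName from the Type 3, "" if blank) and a
    short analyst-facing note.
    """
    events = sorted(events, key=lambda e: e["time"])
    sessions = []
    for i, ev in enumerate(events):
        if ev["LogonType"] != 10:
            continue
        t10 = datetime.fromisoformat(ev["time"])
        nla = None
        for prior in reversed(events[:i]):
            if prior["LogonType"] != 3 or prior["IpAddress"] != ev["IpAddress"]:
                continue
            if t10 - datetime.fromisoformat(prior["time"]) <= window:
                nla = prior
            break  # only the nearest earlier Type 3 from this IP matters
        if nla is None:
            note = "no NLA pre-auth seen: consistent with NLA disabled on the client"
            client_name = ""
        elif nla["WorkstationName"] == "":
            note = "NLA seen but client name blank: consistent with a non-Windows client"
            client_name = ""
        else:
            note = f"NLA seen from {nla['WorkstationName']}"
            client_name = nla["WorkstationName"]
        sessions.append({"source_ip": ev["IpAddress"], "time": ev["time"],
                         "nla_seen": nla is not None,
                         "client_name": client_name, "note": note})
    return sessions


if __name__ == "__main__":
    for s in correlate_rdp_logons(SAMPLE_4624):
        print(f"{s['time']} {s['source_ip']:<12} {s['note']}")
    print("records touching our hosts:",
          [e["time"] for e in find_references(SAMPLE_4624, {"192.0.2.40", "WIN10-CLIENT"})])
```

Note that the absence of a Type 3 only tells you NLA did not happen; it does not by itself say why, so the Type 10 on its own still needs to be read alongside the client-side logs the post mentions.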

You can watch the video here:
