Early in my DFIR career, I struggled with understanding how exactly to identify and understand all the RDP-related Windows Event Logs. I would read a few things here and there, think I understood it, then move on to the next case – repeating the same loop over and over again and never really acquiring full comprehension. That is, until one day I finally got tired of repeating the same questions/research and just made a cheat sheet laying out the most common RDP-related Event IDs that I’d encountered, along with their relevance and descriptions. From that point on, as I sporadically encountered related questions/confusion from others in the community, I would simply refer to my cheat sheet to provide an immediate response or clarification – saving them from the hours of repeated questioning and research I had already done.
However, it seems the community continues to encounter the same struggle in identifying and understanding RDP-related Windows Event Log IDs, where each is located, and even what some of them mean (no thanks to some of Microsoft’s very confusing documentation and descriptions). As such, I recently set out to try and find an easy route to the solution for this problem (i.e. hopefully find a single website to point to with all this information). Though I’ve found parts of the answer in posts here and there, each of them was missing parts of the puzzle (either missing IDs, descriptions, explanations, and/or overall how they fit together in a chronological fashion). I will say JPCERTCC did an awesome job capturing a ton of information here; I just can’t quite decipher or discern the clear order of events, and some appear out of order (at least compared to how I have encountered them, but maybe I’m reading it wrong…).

At any rate, as they say, necessity is the mother of invention. So, I decided to create a blog post that I hope can serve as a succinct one-stop shop for understanding and identifying the most commonly encountered and empirically useful* RDP-related Windows Event Log IDs/entries for tracking and investigating RDP usage on a Windows Vista+ endpoint. The Windows Event IDs in the XP days were different from those in Vista+ operating systems. So, I decided to leave those out for now, but perhaps I will add them in the future.

*Yes, there are Event IDs like 1146, 1147, and 1148 which look great in Microsoft’s documentation as a very useful source of information. However, I’ve yet to see (m)any of these commonly occurring in the wild.

I debated back and forth on the best way to sort/group these. Ultimately, in truly pragmatic fashion, I figured it would likely be most useful to sort them in the (chronological) order in which you might expect to find them.
Ergo, the flow/section breakup is the following:

Network Connection -> Authentication -> Logon -> Session Disconnect/Reconnect -> Logoff

Network Connection

This section covers the first indications of an RDP logon: the initial network connection to a machine.

Log: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Log Location: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
Event ID: 1149

Authentication

This section covers the authentication portion of the RDP connection: whether or not the logon is allowed, based on the success or failure of the username/password combination.

Log: Security
Log Location: %SystemRoot%\System32\Winevt\Logs\Security.evtx
Event ID: 4624
Event ID: 4625

#ProTip(s):

1) When NLA is enabled, a failed RDP logon (due to wrong username, password, etc.) will result in a 4625 Type 3 failure. When NLA is not enabled, you *should* see a 4625 Type 10 failure.

2) Both of these entries also contain a “SubjectLogonID” or a “TargetLogonID” field. This ID is unique for each logon session and is also present in various other Event Log entries, making it theoretically useful for tracking/delineating a specific user’s activities, particularly on systems allowing multiple logged-on users. However, do take note that a unique *LogonID is assigned for each session, meaning if a user connects, then disconnects (without logging out, thus simply ending the current session), then reconnects (i.e. starting a new session), they will be assigned a different unique *LogonID. All to say that a single user(name) may have multiple unique *LogonIDs to track depending on how many sessions they’ve instantiated, not to mention Windows makes it very confusing sometimes with multiple 4624s with different *LogonIDs for the same session. So, YMMV.

Additional References: David Cowen’s Forensic Lunch Test Kitchen – RDP Testing (1, 2, 3)

Logon

This section covers the ensuing (post-authentication) events that occur upon successful authentication and logon to the system.

Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Log Location: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
Event ID: 21
Event ID: 22

Session Disconnect/Reconnect

This section covers the various session disconnect/reconnect events that might occur due to either system (idle), network (network disconnect), or purposeful user (X out of the RDP window, Start -> Disconnect, kicked off by another user, etc.) action.

Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Log Location: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
Event ID: 24
Event ID: 25
Event ID: 39
Event ID: 40

Log: Security
Log Location: %SystemRoot%\System32\Winevt\Logs\Security.evtx
Event ID: 4778
Event ID: 4779

Logoff

This section covers the events that occur after a purposeful (Start -> Disconnect, Start -> Logoff) logoff.

Log: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Log Location: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
Event ID: 23

Log: Security
Log Location: %SystemRoot%\System32\Winevt\Logs\Security.evtx
Event ID: 4634
Event ID: 4647

Log: System
Log Location: %SystemRoot%\System32\Winevt\Logs\System.evtx
Event ID: 9009

Wrap-Up

Hopefully that provides a little better insight into some of the most common and (IME) most empirically useful RDP-related Event Logs, when/where you might encounter them, what they mean, what they look like, and (most importantly) how they all fit together. As a result of this post, Richard Davis (@richarddavisg, @13CubedDFIR) of 13Cubed on YouTube has also put together an RDP flow chart that is very helpful in visualizing the expected (though not guaranteed) flow of these logs. Feel free to check out his short video walkthrough as well.
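To put the flow above into practice, here is an added example (mine, not part of the original post) that merges records already exported from the RemoteConnectionManager, Security, LocalSessionManager and System logs into one per-user RDP timeline, applies ProTip 1 to classify 4625 failures by NLA, and checks the collapsed stage sequence against the expected flow. The record field names (time, log, id, user, logon_type) and all sample records are constructed assumptions.

```python
# Added example, not from the original post: merge exported records from the logs
# covered above into one RDP timeline. All records are constructed sample data.
EXPECTED_FLOW = ["Network", "Auth", "Logon", "Disconnect", "Reconnect", "Logoff"]
STAGE = {  # (log, event id) -> flow stage, for the IDs the post covers
    ("RemoteConnectionManager", 1149): "Network",
    ("Security", 4624): "Auth", ("Security", 4625): "Auth",
    ("LocalSessionManager", 21): "Logon", ("LocalSessionManager", 22): "Logon",
    **{("LocalSessionManager", i): "Disconnect" for i in (24, 39, 40)},
    ("Security", 4779): "Disconnect", ("Security", 4778): "Reconnect",
    ("LocalSessionManager", 25): "Reconnect", ("LocalSessionManager", 23): "Logoff",
    **{("Security", i): "Logoff" for i in (4634, 4647)}, ("System", 9009): "Logoff",
}
NLA_NOTE = {3: "failed RDP logon, NLA enabled", 10: "failed RDP logon, NLA off"}

def describe(ev):  # (stage, note) for one record, or None if not a tracked RDP event
    stage = STAGE.get((ev["log"], ev["id"]))
    if stage is None:
        return None
    if ev["id"] == 4625:  # ProTip 1: Type 3 vs Type 10 reveals whether NLA was on
        return stage, NLA_NOTE.get(ev.get("logon_type"), "failure, non-RDP type")
    if ev["id"] == 4624 and ev.get("logon_type") != 10:
        return None  # only Type 10 (RemoteInteractive) 4624s are RDP logons
    return stage, ""

def rdp_timeline(events, user):  # chronological (time, stage, id, note) rows for a user
    rows = []
    for ev in sorted(events, key=lambda e: e["time"]):
        d = describe(ev) if ev["user"].lower() == user.lower() else None
        if d:
            rows.append((ev["time"], d[0], ev["id"], d[1]))
    return rows

def stages_seen(rows):  # collapse repeated stages for comparison with EXPECTED_FLOW
    out = []
    for _, stage, _, _ in rows:
        if not out or out[-1] != stage:
            out.append(stage)
    return out

SAMPLE = [  # constructed: NLA on, a wrong password first, disconnect/reconnect, logoff
    dict(time="10:00:00", log="RemoteConnectionManager", id=1149, user="alice"),
    dict(time="10:00:01", log="Security", id=4625, user="alice", logon_type=3),
    dict(time="10:00:10", log="Security", id=4624, user="alice", logon_type=10),
    dict(time="10:00:11", log="LocalSessionManager", id=21, user="alice"),
    dict(time="10:30:00", log="LocalSessionManager", id=24, user="alice"),
    dict(time="10:45:00", log="LocalSessionManager", id=25, user="alice"),
    dict(time="11:00:00", log="Security", id=4647, user="alice"),
    dict(time="11:00:01", log="LocalSessionManager", id=23, user="alice"),
]
```

Any deviation of `stages_seen(rdp_timeline(events, user))` from `EXPECTED_FLOW` (a Logon with no preceding 1149, or a Reconnect with no Disconnect) is exactly the kind of gap worth a closer look during an investigation.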