Idan Buller

RDP Forensics - Logging, Detection and Forensics



Intro


RDP is an extremely popular protocol for remote access to Windows machines. In fact, more than 4.5 million RDP servers are exposed to the internet alone, and many more are reachable from inside internal networks.


The importance of knowing and understanding RDP has never been greater, especially given the recent critical vulnerabilities found in the protocol. It is now essential knowledge for everyone in the security industry. RDP is a complex protocol with many extensions, and the potential for finding new critical bugs remains high. The security industry therefore needs to educate itself about it.


So, which vulnerabilities am I talking about?


  • BlueKeep (CVE-2019-0708) - a remote code execution vulnerability that can be exploited when an unauthenticated attacker connects to a target system using RDP and then sends specially crafted requests. This vulnerability exists pre-authentication and requires no user interaction. An attacker who successfully exploits this vulnerability could then execute arbitrary code on the target system.

  • RD Gateway (CVE-2020-0612) - a denial of service vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RD Gateway service on the target system to stop responding. To exploit this vulnerability, an attacker would need to run a specially crafted application against a server that provides RD Gateway services.

  • Remote Desktop Client Remote Code Execution Vulnerability (CVE-2020-0611) - a remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Windows Event Viewer records multiple RDP-related events, which let us explore things like –

  • Successful Logon

  • Unsuccessful Logon

  • Session Disconnect (passive / active)

  • Session Reconnect

How are we going to do that?


Scenarios & The Event ID

One of the techniques an attacker uses to cover their tracks is deleting the event logs, so log deletion is itself an event we should monitor.

As for Windows event IDs, this is the endless loop the attacker is in –

  1. The attacker performs malicious activity.

  2. To remove their footprints, they delete the event IDs they created on the system.

  3. That deletion creates an event ID of its own.

This endless loop makes for a fine security system.



So, as we already know, any activity in Windows is logged under an event ID. I will therefore present several flows that are worth paying attention to. These flows describe the activity logged by the system while the following events occur in the operating system:

  1. Successful RDP Logon

  2. Unsuccessful RDP Logon

  3. RDP Session Disconnect (window closed by the user)

  4. RDP Session Disconnect (Start -> Disconnect)

  5. RDP Session Reconnect

  6. RDP Session Logoff

We can find all the events described below with the help of Windows Event Viewer, which displays the data logged by the operating system and distinguishes entries by event ID.



To display a specific event ID, click ‘Create Custom View’ on the right side of the application; a window pops up that can filter the events. Choose ‘By log’, open ‘Event logs’ and tick all the logs needed. Then type the wanted ID to view all matching events.



Bonus:

If we are performing remote forensics, we can export the event logs and import them as a separate view in our own Event Viewer.


We can also find the .EVTX files themselves at the path –

C:\Windows\System32\winevt\Logs

Export:



Import:



Successful RDP Logon:

Event id: 1149
Description: User authentication succeeded.
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

Event id: 4624
Description: An account was successfully logged on.
Path: %SystemRoot%\System32\Winevt\Logs\Security.evtx

Event id: 21
Description: Remote Desktop Services: Session login succeeded.
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Event id: 22
Description: Remote Desktop Services: Shell start notification received.
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Unsuccessful RDP Logon:

Event id: 1149
Description: User authentication succeeded (network connection, which occurs prior to the user authentication).
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

Event id: 4625
Description: An account failed to log on.
Path: %SystemRoot%\System32\Winevt\Logs\Security.evtx

RDP Session Disconnect (window closed by the user):

Event id: 24
Description: Remote Desktop Services: Session has been disconnected.
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Event id: 40
Description: Session XXX has been disconnected, reason code YYY.
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Event id: 4779
Description: A session was disconnected from a window station.
Path: %SystemRoot%\System32\Winevt\Logs\Security.evtx

Event id: 4634
Description: An account was logged off.
Path: %SystemRoot%\System32\Winevt\Logs\Security.evtx

RDP Session Disconnect (Start -> Disconnect):

Event id: 24
Description: Remote Desktop Services: Session has been disconnected.
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Event id: 39
Description: Session XXX has been disconnected, by session YYY.
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Event id: 40
Description: Session XXX has been disconnected, reason code YYY.
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Event id: 4779
Description: A session was disconnected from a window station.
Path: %SystemRoot%\System32\Winevt\Logs\Security.evtx

Event id: 4634
Description: An account was logged off.
Path: %SystemRoot%\System32\Winevt\Logs\Security.evtx

RDP Session Reconnect:

Event id: 1149
Description: User authentication succeeded.
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

Event id: 4624
Description: An account was successfully logged on.
Path: %SystemRoot%\System32\Winevt\Logs\Security.evtx

Event id: 25
Description: Remote Desktop Services: Session reconnection succeeded.
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Event id: 40
Description: Session XXX has been disconnected, reason code YYY.
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Event id: 4778
Description: A session was reconnected from a window station.
Path: %SystemRoot%\System32\Winevt\Logs\Security.evtx

RDP Session Logoff:

Event id: 23
Description: Remote Desktop Services: Session logoff disconnected.
Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Event id: 4634
Description: An account was logged off.
Path: %SystemRoot%\System32\Winevt\Logs\Security.evtx

Event id: 4647
Description: User-initiated logoff.
Path: %SystemRoot%\System32\Winevt\Logs\Security.evtx

Event id: 9009
Description: The Desktop Window Manager has exited with code XXX.
Path: %SystemRoot%\System32\Winevt\Logs\System.evtx
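As an added example (not from the original post), the following Python script turns a set of exported event records into a timeline of the six flows above, reports which corroborating events are absent around each key event, and flags the password-guessing pattern of repeated failed logons. The records are constructed inline in a simplified (timestamp, channel, event id, user) shape; reading them from the real .evtx files, for example with the python-evtx library, is assumed and not shown.

```python
from datetime import datetime, timedelta
# Key event that marks each flow listed above, plus the corroborating events the post
# lists beside it (channel names abbreviated from the .evtx file names).
KEY_EVENTS = {("Security", 4625): "unsuccessful_logon", ("LocalSessionManager", 21): "successful_logon",
              ("LocalSessionManager", 24): "disconnect", ("LocalSessionManager", 25): "reconnect",
              ("LocalSessionManager", 23): "logoff"}
EXPECTED = {
    "unsuccessful_logon": {("RemoteConnectionManager", 1149)},
    "successful_logon": {("RemoteConnectionManager", 1149), ("Security", 4624),
                         ("LocalSessionManager", 22)},
    "disconnect": {("LocalSessionManager", 40), ("Security", 4779), ("Security", 4634)},
    "reconnect": {("RemoteConnectionManager", 1149), ("Security", 4624), ("Security", 4778)},
    "logoff": {("Security", 4634), ("Security", 4647)},
}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def build_timeline(events, window_s=30):
    """events: (timestamp, channel, event_id, user). Returns [(timestamp, user, flow, missing)] in
    time order; a non-empty `missing` (corroborating events absent within window_s) is a lead itself."""
    events = sorted(events, key=lambda e: parse(e[0]))
    window, timeline = timedelta(seconds=window_s), []
    for ts, channel, eid, user in events:
        flow = KEY_EVENTS.get((channel, eid))
        if flow is None:
            continue
        t = parse(ts)
        nearby = {(c, i) for ts2, c, i, u in events if u == user and abs(parse(ts2) - t) <= window}
        timeline.append((ts, user, flow, sorted(EXPECTED[flow] - nearby)))
    return timeline

def failed_logon_bursts(timeline, threshold=3, window_s=120):
    """Users with at least `threshold` unsuccessful logons inside window_s seconds (password guessing)."""
    fails = [(parse(ts), u) for ts, u, flow, _ in timeline if flow == "unsuccessful_logon"]
    window = timedelta(seconds=window_s)
    return sorted({u for t, u in fails
                   if sum(1 for t2, u2 in fails if u2 == u and t <= t2 <= t + window) >= threshold})

# Constructed sample for user "alice": seconds after 2024-01-10 09:00:00, channel, event id.
# Three failed attempts, one successful logon, then a disconnect whose Security events are absent.
_RAW = [(0, "RemoteConnectionManager", 1149), (1, "Security", 4625),
        (20, "RemoteConnectionManager", 1149), (21, "Security", 4625),
        (40, "RemoteConnectionManager", 1149), (41, "Security", 4625),
        (60, "RemoteConnectionManager", 1149), (61, "Security", 4624),
        (61, "LocalSessionManager", 21), (62, "LocalSessionManager", 22),
        (1800, "LocalSessionManager", 24), (1800, "LocalSessionManager", 40)]
SAMPLE_EVENTS = [((datetime(2024, 1, 10, 9) + timedelta(seconds=s)).strftime("%Y-%m-%d %H:%M:%S"),
                  ch, eid, "alice") for s, ch, eid in _RAW]
```

On the sample, the disconnect at 09:30:00 comes back with 4634 and 4779 missing, which is exactly the gap a cleared or uncollected Security log leaves behind.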

Cache & Snippets


When we use mstsc.exe, the utility that provides the Remote Desktop Connection client, the RDP cache is stored in .BIN files inside this path –

C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache

The purpose of this cache is to improve performance by saving the parts of the RDP screen that usually do not change. To do that, Windows takes small screenshots and saves them in those files. Through a forensic analyst's eye, we can use them to find critical evidence with the best tool – our eyes!

In fact, we need only one tool to extract the small screenshots from the .BIN files. Several tools can help with this; I am going to use bmc-tools (https://github.com/ANSSI-FR/bmc-tools).


This tool needs only two arguments – the source and destination folders –


Now we can explore the multiple screenshots taken by the client –

In the image above, we can already see the PowerShell icon, which indicates PowerShell command execution.

In the image above, we can see password guessing attempts.

In the image above, we can see that the attacker managed to gain Administrator privileges and is trying to list the latest hotfixes.



Conclusions

To sum up, RDP forensics can provide strong evidence for our digital forensics investigation; indeed, RDP is one of the most vulnerable Windows services, and attackers will be happy to use it in the attack chain.

With the help of the event IDs we monitored and the tools we used to extract the relevant data, we can obtain a clear picture of the scenario.
