RDP Dfir Ad

Uploaded by

lekshmanp1

NLA Enabled

Successful Remote Interactive Logon

  Security

    EID 4624  An account was successfully logged on
      If NLA is enabled a 4624 event with logon type 3 will be logged before one of these logon types:
        Logon Type 10  Successful User Account RemoteInteractive Logon
        Logon Type 12  Successful User Account RemoteInteractive Logon Using Cached Credentials
        Logon Type 7   Successful User Account RemoteInteractive Logon: Workstation was Unlocked
      Error Code 0x0  Successful Logon

    EID 4776  The domain controller attempted to validate the credentials for an account
      This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
      It shows successful and unsuccessful credential validation attempts.
      Logon Account: the name of the account that had its credentials validated by the Authentication Package.
      Source Workstation: the name of the computer from which the logon attempt originated.

  TerminalServices-RemoteConnectionManager

    EID 261  Listener X received a connection
      Service listening for inbound connection requests over the RDP Protocol

    EID 1149  Remote Desktop Services: User authentication succeeded
      An Event ID 1149 DOES NOT indicate successful authentication to a target, simply a successful RDP network connection.
      If you specify the RestrictedAdmin option, the username and domain will be blank.
      If you turn off NLA and log on with Rdesktop, ID 1149 will not be recorded.
      This will be available in the Administrative log records.

    EID 1158  Remote Desktop Services accepted a connection from IP address
      Will also display the source IP

  TerminalServices-LocalSessionManager

    EID 41  Begin session arbitration
      Provides the session ID for potential correlations with other events

    EID 42  End session arbitration
      Provides the session ID for potential correlations with other events

    EID 21  Remote Desktop Services: Session logon succeeded
      If the source network address is not LOCAL the IP is the source of the remote authentication
      Also provides the session ID

    EID 22  Remote Desktop Services: Shell start notification received
      If the source network address is not LOCAL the IP is the source of the remote authentication
      Also provides the session ID

    EID 25  Remote Desktop Services: Session reconnection succeeded
      Also provides the source IP
      Also provides the session ID

    EID 24  Remote Desktop Services: Session has been disconnected
      Also provides the source IP
      Also provides the session ID

  RemoteDesktopServices-RdpCoreTS

    EID 131  The server accepted a new TCP connection from client SOURCE IP:PORT.

Unsuccessful Remote Interactive Logon

  Security

    Suspicious Error Codes
      0xC0000064  User name does not exist
      0xC0000070  User logon from unauthorized workstation
      0xC0000072  User logon to account disabled by administrator
      0xC000006F  User logon outside authorized hours
      0xC0000413  Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
      0xC000018C  The logon request failed because the trust relationship between the primary domain and the trusted domain failed
      0xC000015B  The user has not been granted the requested logon type (aka logon right) at this machine

    NTLM  EID 4776  The domain controller attempted to validate the credentials for an account
      This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
      It shows successful and unsuccessful credential validation attempts.
      Logon Account: the name of the account that had its credentials validated by the Authentication Package.
      Source Workstation: the name of the computer from which the logon attempt originated.

    Kerberos  EID 4771  Kerberos pre-authentication failed
      Account Name = Source host
      Client Address = Source IP
      Common Failure Codes
        0x6   Bad user name, or new computer/user account has not replicated to DC yet
        0x7   New computer account has not replicated yet or computer is pre-w2k
        0x9   Administrator should reset the password on the account
        0xC   Workstation restriction
        0x12  Account disabled, expired, locked out, logon hours
        0x17  The user's password has expired
        0x18  Usually means bad password

    In both cases (NTLM EID 4776 and Kerberos EID 4771) the event will be followed by EID 4625 with Logon Type 3 due to NLA enablement.

  TerminalServices-RemoteConnectionManager

    EID 1149  Remote Desktop Services: User authentication succeeded
      Only logged during unsuccessful remote interactive authentications for "Windows Server 2008" and "Windows SBS Server 2011"
      An Event ID 1149 DOES NOT indicate successful authentication to a target, simply a successful RDP network connection.
      If username and domain are blank that can be due to the specification of the RestrictedAdmin option.
      If you turn off NLA and log on with Rdesktop, ID 1149 will not be recorded.

    EID 261  Listener X received a connection
      Service listening for inbound connection requests over the RDP Protocol

  RemoteDesktopServices-RdpCoreTS

    EID 140  A connection from the client computer with an IP address of SOURCE IP failed because the user name or password is not correct.
      Despite the event description it will only be recorded when the user name DOES NOT EXIST.
      For a username that exists use a correlation between EID 4625 & EID 131.

    EID 131  The server accepted a new TCP connection from client SOURCE IP:PORT.
      Records the source IP of every RDP authentication attempt.
      To be correlated with EID 4625 in order to identify the source IP (depending on the OS version).

NLA Disabled

  Security

    EID 4625  An account failed to log on
      RDP Security Layer must be set to RDP, otherwise all pertinent details of the logon failure will not be recorded, nor will you even be able to tell that the logon attempt came over RDP.
      Logon Type = 10
      Client Address = Source IP (depending on the OS version)
      Account Name

  RemoteDesktopServices-RdpCoreTS

    EID 140  A connection from the client computer with an IP address of SOURCE IP failed because the user name or password is not correct.
      Despite the event description it will only be recorded when the user name DOES NOT EXIST.
      For a username that exists use a correlation between EID 4625 & EID 131.

    EID 131  The server accepted a new TCP connection from client SOURCE IP:PORT.
      Records the source IP of every RDP authentication attempt.
      To be correlated with EID 4625 in order to identify the source IP (depending on the OS version).

Others

  Security

    EID 4778  A session was reconnected to a Window Station
      Account Name
      Source IP

    EID 4779  A session was disconnected from a Window Station
      Account Name
      Source IP

    EID 4688  Process Creation: rdpclip.exe
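Two of the correlations the sheet calls for, worked as an added example (this is not code from the original cheat sheet or its references): recovering the source IP of a failed logon from the nearest preceding RdpCoreTS EID 131 when the Security 4625 itself carries none, and checking that a RemoteInteractive 4624 (type 10/12/7) was preceded by the NLA 4624 type 3. The event dictionaries, their field names and the timestamps are constructed for the example, not a real EVTX parser.

```python
"""Correlate RDP-related Windows events into findings (constructed sample data)."""
from datetime import datetime, timedelta

# Security 4625 status meanings as listed in the cheat sheet above
SECURITY_STATUS = {
    "0xC0000064": "User name does not exist",
    "0xC0000070": "User logon from unauthorized workstation",
    "0xC0000072": "User logon to account disabled by administrator",
    "0xC000006F": "User logon outside authorized hours",
    "0xC0000413": "Account not allowed to authenticate to this machine",
    "0xC000018C": "Trust relationship with the trusted domain failed",
    "0xC000015B": "User has not been granted the requested logon type",
}

def correlate(events, window=timedelta(seconds=5)):
    """events: dicts with keys channel, eid, time, data (field names are assumed, not a real parser).
    Security 4625 -> ('failed', account, source_ip, reason); source_ip falls back to the nearest
    preceding RdpCoreTS 131 TCP accept, as the sheet recommends, when 4625 lacks a client address.
    Security 4624 type 10/12/7 -> ('success', account, logon_type, nla_seen) where nla_seen means
    a 4624 type 3 for the same account preceded it within the window (NLA enabled)."""
    events = sorted(events, key=lambda e: e["time"])
    tcp = [e for e in events if e["channel"] == "RdpCoreTS" and e["eid"] == 131]
    findings = []
    for i, e in enumerate(events):
        if e["channel"] != "Security":
            continue
        d = e["data"]
        if e["eid"] == 4625:
            prior = [t for t in tcp if e["time"] - window <= t["time"] <= e["time"]]
            ip = d.get("client_address") or (prior[-1]["data"]["source"].rsplit(":", 1)[0] if prior else "unknown")
            findings.append(("failed", d["account"], ip, SECURITY_STATUS.get(d.get("status"), d.get("status"))))
        elif e["eid"] == 4624 and d["logon_type"] in (10, 12, 7):
            nla = any(p["eid"] == 4624 and p["data"].get("logon_type") == 3 and p["data"].get("account") == d["account"]
                      and e["time"] - p["time"] <= window for p in events[:i])
            findings.append(("success", d["account"], d["logon_type"], nla))
    return findings

T = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamps and events, not real logs
SAMPLE = [
    {"channel": "RdpCoreTS", "eid": 131, "time": T, "data": {"source": "203.0.113.5:51234"}},
    {"channel": "Security", "eid": 4625, "time": T + timedelta(seconds=1),
     "data": {"account": "bob", "logon_type": 3, "status": "0xC000006F"}},
    {"channel": "RdpCoreTS", "eid": 131, "time": T + timedelta(seconds=30), "data": {"source": "203.0.113.7:51300"}},
    {"channel": "Security", "eid": 4624, "time": T + timedelta(seconds=31), "data": {"account": "alice", "logon_type": 3}},
    {"channel": "Security", "eid": 4624, "time": T + timedelta(seconds=32), "data": {"account": "alice", "logon_type": 10}},
]

print(correlate(SAMPLE))
```

A type 10/12/7 logon reported with nla_seen False is worth a second look on a host where NLA is supposed to be enforced.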

References

  https://purerds.org/remote-desktop-security/auditing-remote-desktop-services-logon-failures-1/
  https://port139.hatenablog.com/entry/2019/03/23/091740
  https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
  https://www.13cubed.com/downloads/rdp_flowchart.pdf
  https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/
