Okay, so this post name might not be as exciting sounding as “malware for dummies” or “How to detect and stop a nation state”, but I promise it’s important and something all DFIR analysts should know! Let’s discuss something you will likely see in nearly EVERY intrusion. Remote Desktop Protocol (RDP) abuse for lateral movement. Now, this isn’t an exploit or some zero-day. It’s literally just using a tool that you, your admins or possibly general users use every day. Which is what makes it so effective!
This will be a two-part blog, with this one focusing heavily on the event logs and IDs generated for investigating RDP. The second part will focus on the artifacts generated.
The Rundown:
If you use RDP, Threat Actors (TA) will likely use this too
If you don’t use RDP, TA will still probably use this
RDP is native to Windows
Other Remote Management and Monitoring (RMM) tools may use this protocol
There are artifacts that will show incoming and outgoing RDP connections
There are logs recorded that will show both incoming and outgoing RDP connections
Each one of the event logs mentioned in this post can be erased by a malicious actor or roll-over
The logs showing RDP activity can be easily cleared (log forwarding!)
RDP can be restricted based on users and groups as well as supporting multi-factor authentication (MFA)
RDP generates an “interactive” session, meaning credentials are stored in memory and could be stolen by a TA
There are built-in Windows Controls that can further harden an RDP session
RDP may also be referred to as Terminal Services or MSTSC (Microsoft Terminal Server Client)
Windows may record hands-on keyboard logons within certain ‘RDP’ dedicated logs. Be cautious of immediately jumping to an RDP connection without further correlation or reviewing the source IP address and logon type.
It’s important to be familiar with your logon types. For a refresher, review the Microsoft article here: https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types
Okay, so we’re all probably aware of what RDP is but if you’ve read my previous blogs, you know I like to target my blog posts to all audiences, so let’s very briefly describe what RDP is. RDP or Remote Desktop Protocol is a protocol that runs over port ‘3389’ and allows you to connect from one system to another over a remote connection. RDP is considered an “interactive” session, meaning once connected, you will be shown the desktop and graphical user interface (GUI) access. If you’d like to learn more, check out some of these resources:
So let's get into the nitty gritty of it now! As stated above, RDP is often seen in nearly every intrusion in some way shape or form. This can be the TA establishing an RDP tunnel using a tool such as Ngrok, creating a user and adding them to the RDP group, or use an existing compromised account to RDP around the network! Something you might see too is the compromise of a single local Administrator account that is then used to RDP around the network. How can this be done if it’s a local administrator account? PASSWORD REUSE! If your environment is using the local Administrator account and this is enabled on every system with the same password, a TA can and will use this username and password pair to connect to nearly every host. Even if you have RDP disabled for certain users, you better believe the TA will likely attempt to add their compromised/created account into the RDP group! This post won’t discuss detection rules necessarily, but you can see why it’s important to have a baseline of your environment and log forwarding to detect when users are added to a privileged group or modify firewall rules to allow port ‘3389’.
Let’s discuss a few items here when it comes to investigating RDP movement. As mentioned above, an RDP connection creates numerous artifacts and log events, making it fairly simple to determine if RDP was used and from where. You’ll see this in the Windows Event logs, firewall logs, and Windows artifacts such as userassist, prefetch, and others, which we’ll discuss below. Keep in mind that different artifacts will be on the source system vs the target system. One will show outbound RDP connections, which we’ll call the “source” and one will show incoming RDP connections, which is the “target”. Note that as mentioned in “The Rundown”, RDP may be referred to as Terminal Services.
Note: Depending on where/how you view the event logs, the path may be different. For example, browsing to the event logs within C:\Windows\System32\Winevt\logs may be different than browsing to the event log via the Windows Event Viewer and using the Event Viewer snap-in. In that case, the majority of the below logs will likely be within Applications and Services Logs > Microsoft > Windows within the Event Viewer. The majority of these will be "operational" event logs.
Windows Event Logs
Important Event Logs recording RDP activity
Security
TerminalServices - RDPClient
TerminialServices - LocalSessionManager
Remote Desktop Services - RDP Core TS
TerminalServices - RemoteConnectionManager
Sysmon
Event IDs associated with RDP
4624
Security Event Log (Target system) - 4624 may be event IDs you’re familiar with. Essentially, these are just logon events. So, when a TA establishes an RDP connection, as you can imagine, this will generate a 4624 event. What you’ll often see for RDP specifically, are type 10 and type 7 logons. A type 10 is an RDP connection and a type 7 is a reconnect/unlock, depending on the connection. As mentioned earlier, if you need a refresher on logon types, review the Microsoft article here. Be sure you’re also looking for type 7 connections, as these may be recorded when a TA uses an existing RDP connection/session. Note that the Security event log can roll over very quickly depending on the system.
4778
Security Event Log (Target system) - Similar to type 7 logon events described above, 4778 event IDs are generated when a session is reconnected via Terminal Services. Although you’ll likely be able to correlate this event ID with others, it still a great event ID to log and hunt for regarding RDP.
4779
Security Event Log (Target system) - This correlates directly with the above event ID (4778) and is recorded when a user disconnects from a terminal services session.
4648
Security Event Log (Source system) - An event generated known as an “explicit logon”. These are observed with numerous remote connections, not just RDP. This indicates when one system/credentials are used to connect to another. This will often record the initiating process, which may say MSTSC/Terminal Services/RDP.
1024
Terminal Services RDPClient (Source System) - This is a very important and useful event ID that coincides with the 1102 event ID and records the target hostname. This can show when RDP is used to connect to a target system. The great thing about this event log is that it’s dedicated specifically for RDP and doesn’t roll over nearly as often as the Security event log, though it can still be cleared by a TA.
1102
Terminal Services RDPClient (Source System) - Like the above event ID, this is used to show outbound RDP connections but records the target IP address.
1149
TerminalServices - RemoteConnectionManager (Target system) - This is a FANTASTIC event ID and event log to search for when hunting for RDP connections. This records the Source IP and username of the connecting host.
21 - 25
TerminialServices - LocalSessionManager (Target system) - These are my FAVORITE event IDs and event logs as I personally have had extreme success with these and heavily rely on them when investigating RDP. Personally, these are the first event logs/event IDs that I review when searching for RDP activity. Events 21, 22 and 25 record logins, session starts and reconnects; whereas events 23 and 24 record disconnects and log offs. These events will record the source IP and username. Note that if the source IP address is listed as “LOCAL”, then you may be looking at a local hands-on logon from the keyboard. It’s not always the case but something to note and further correlate if you come across this.
131
Remote Desktop Services - RDP Core TS (Target system) - Again, more data the better! This event will record when a connection is attempted. Note the word “attempted”. This event ID will NOT record a successful connection, though it can record brute force attempts and list the source IP and the username.
98
Remote Desktop Services - RDP Core TS (Target system) - This event ID directly correlates with the above (131) event ID and will record successful connections.
As you can see, although the Security event log is obviously fantastic, there are dedicated logs that specifically record RDP activity. This simply gives an analyst more data to review if the Security logs roll-over, which happens more often than I’d hope, or the TA focused on only clearing the Security event logs, leaving these logs for us to review! These dedicated logs are often less noisy and may record years of RDP activity.
Again, be aware of the source IP address and if its listed as “LOCAL”; Windows can also often record RDP logons in weird ways, so don’t always rely on a single source! As you create your timeline, you should be able to correlate these logs and event IDs with other artifacts to get an idea of lateral movement via RDP.
Now because so many of these events generated are very similar, I won't post an image for each one, but let's take a look at a few below!
Ideally, you'll want to use a dedicated Event viewing tool or parser. However, for screenshot purposes, I'm going to use the ole' fashioned Windows Event Viewer!
So let's show the tricky one first. Below, we can see the source IP listed as "LOCAL" found within the Terminal Services - LocalSessionManager event log on the TARGET system. Keep in mind that this may just be an ordinary hands-on keyboard logon and may not indicate RDP. Remember, the "target" system is the one that was being connected to by a remote host.
Now this one below, will likely indicate RDP was established here, as the source address is listed as an IP address.
Now let's see an event from the SOURCE system, or the system that was initiating the RDP connections. Shown below is an event from the 'RDPClient' Event log.
With this information, get out there and start investigating RDP for lateral movement! Track that connecting system, see where they came from! Grab that host name and begin hunting!