This list is by no means all-inclusive-there are others too-but this example will give us a good cross-section of what these activities will leave for additional or supporting evidence. TerminalServices-LocalSessionManager/Operational RemoteDesktopServices-RDPCoreTS /Operational
TerminalServices-RemoteConnectionManager/Operational Let’s consider the following logs and events: SOURCE PC: Log Events and ExamplesĪs digital forensic investigators, we need to find the evidence we’re interested in and ensure we are not overlooking information that could also be available in the event logs, even after standard security log wipes. RDP activities, like most activities, will leave events in several different logs as action is taken and various processes are involved. It is becoming more and more common for bad actors to manipulate or clear the security event logs on compromised machines, and sometimes RDP sessions don’t even register as just a type 10 logon, depending on the circumstance. However, that is not at all always a surefire way to detect if such activity has occurred. Perhaps the quickest and easiest way to do that is to check the RDP connection security event logs on machines known to have been compromised for events with ID 4624 or 4625 and with a type 10 logon.
Investigating lateral movement activities involving remote desktop protocol (RDP) is a common aspect when responding to an incident where nefarious activities have occurred within a network.
0 kommentar(er)
