RDP Usage
Description: Track internal and external Remote Desktop Protocol connections.
Location:
- C:\Windows\System32\winevt\logs\Security.evtx
- C:\Windows\System32\winevt\logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
Notes: The Security.evtx log can be used to track outgoing RDP connections:
- Event ID: 4624 - Logon Type 10
- Event ID: 4778 - Session Connected/Reconnected
- Event ID: 4779 - Session Disconnected
The Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx log can be used to track incoming RDP connections:
- Event ID: 1149 - Network Authentication Succeeded
Analysis: Attackers often use legitmate Windows tools to laterally traverse throughout an
enviornment. As a result, it's important to understand the forensic artifacts associted with RDP. There are
multiple Windows Event ID's associated with RDP and we often have to reference multiple logs to map out the
full picture.
We can use Windows native Event Viewer application for analyzing .evtx files. On a Windows client,
double-clicking an .evtx file will automatically open the log inside of the Saved Logs
folder in Event Viewer.
To filter for a specific event, select Filter Current Log... to pull up a dialog box with
filtering option and input the Event ID you'd like to isolate.
I don't currently have any examples of Remote Desktop to showcase, but I'm working on setting up a small
Windows environment for an upcoming Windows Forensics workshop and will capture some examples of RDP. For
some additional reading on RDP, I recommend you check out this Flowchart created by 13cubed, who is an excellent resource within the DFIR community.