@port139 Blog

基本的にはデジタル・フォレンジックの技術について取り扱っていますが、記載内容には高確率で誤りが含まれる可能性があります。

Microsoft-Windows-TerminalServices-RDPClient and NLA

Note:I translated Japanese into English using Google Translate.
Thank you, Google.

"Microsoft-Windows-Terminal Services-RDPClient / Operational" may record information to help you track Lateral Movement.

  • Destination computer name / IP address, and Domain Name
  • Username (encoded, so you need to find a matching username)
  • Reason code that disconnected the session

Let's see what kind of information is recorded in this event log.

-(1)-

Displays the properties of "Microsoft-Windows-TerminalServices-RDPClient/Operational" on Windows 10 1809. In my test environment, logging was enabled by default.

There is no record at the time of OS installation.

f:id:hideakii:20190503084638p:plain

Start mstsc.exe and connect to DC1. There is no option specified. (NLA is enabled on DC1.)

f:id:hideakii:20190503085112p:plain

When Alice successfully logged on to DC1(192.168.100.100), nine events were recorded.

f:id:hideakii:20190503085552p:plain


ID 1024

RDP ClientActiveX is trying to connect to the server (dc1)

In this event, you can check the computer name of the RDP connection destination "DC1". When an IP address is specified for Computer of MSTSC, the IP address is displayed.

ID 1028

Server supports SSL = supported

ID 1029

Base64(SHA256(UserName)) is = 37b1Qe+C6RABWfEqhOY11NzgSzEATQWYD8PK6fWhlzc=-

The username is encoded. The article "Windows Event ID 1029 Hashes" is a good reference for finding a matching username.

If you convert the username "alice" in CyberChef, you can see the same value as the event log.

https://gchq.github.io/CyberChef/#recipe=Decode_text('UTF-8%20(65001)')Encode_text('UTF16LE%20(1200)')SHA2('256')From_Hex('Space')To_Base64('A-Za-z0-9%2B/%3D')&input=YWxpY2U

If "example\alice" is specified for the user name, the domain name and user name are encoded in the event log.

Base64(SHA256(UserName)) is = LZDrhy6nd9yShjFabAXdEq4o+LXDgDsQAAsbbZEr2/0=-37b1Qe+C6RABWfEqhOY11NzgSzEATQWYD8PK6fWhlzc=

 

ID 1102

The client has initiated a multi-transport connection to the server 192.168.100.100.

In this event, you can check the IP address of DC1(192.168.100.100).

ID 1103

The client has established a multi-transport connection to the server.

ID 1025

RDP ClientActiveX has connected to the server

ID 1402

The client is using hardware memory for the frame buffer.

ID 1404

The server is using version 0xA0600 of the RDP graphics protocol (client mode: 0, AVC available: 1).

ID 1027

Connected to domain (EXAMPLE) with session 2.

In this event, you can check the domain name (EXAMPLE.LOCAL).

-(2)-

When Alice signed out of DC1, three events were recorded.

f:id:hideakii:20190503090210p:plain

ID 226

RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to TsSslEventInvalidState (error code 0x8000FFFF).

ID 1105

The multi-transport connection has been disconnected.

By linking this event with ID 1103, can I find out how long Alice has been connected via RDP?

ID 1026

RDP ClientActiveX has been disconnected (Reason= 2)

According to Technet's article, Reason code 2 is "User-initiated client logoff."

-(3)-

Check the event when authentication fails at NLA stage. Several events have been recorded, you can see that there is no ID 1103.

f:id:hideakii:20190503152056p:plain

ID 1026

RDP ClientActiveX has been disconnected (Reason= 7943)

"Reason = 7943" is displayed as the disconnection reason, the corresponding article was not found in the article of TechNet.

-(4)-

Disable NLA in the RDP settings of DC1. Also, add the following to the .RDP file and turn off NLA.

enablecredsspsupport:i:0

Connected to RDP with NLA off. 

f:id:hideakii:20190503155742p:plain

Check the event log with the password input failure several times and the connection disconnected. (Alice has not logged on successfully.)

f:id:hideakii:20190503155954p:plain

Event ID 1103 can confirm that the RDP connection is successful, but you need to confirm in the security log that the logon was successful.

If NLA is disabled, it will appear to be disconnected once. The reason code for disconnection is 263, but this is also a code that is not described in Technet.

f:id:hideakii:20190503160429p:plain

Event ID 1029 displays the user name set in the RDP file.
After successfully connecting the RDP session, ID 1029 was not recorded again when another user name was entered.

 

If NLA is disabled and logon is successful, ID 1027 will be recorded.

If you can not check the security log, event ID 1027 may be a hint of successful logon. (Unfortunately, the successful logon username can not be verified from Event ID 1027.)

f:id:hideakii:20190503161953p:plain

  

Verification environment: Windows Server 2019 1809, Windows 10 1809, Time zone UTC

Reference URL:

jpcertcc.github.io

ponderthebits.com

https://social.technet.microsoft.com/wiki/contents/articles/37870.rds-remote-desktop-client-disconnect-codes-and-reasons.aspx

nullsec.us


 

f:id:hideakii:20190503083911j:plain