Note:I translated Japanese into English using Google Translate.
Thank you, Google.
"Microsoft-Windows-Terminal Services-RDPClient / Operational" may record information to help you track Lateral Movement.
- Destination computer name / IP address, and Domain Name
- Username (encoded, so you need to find a matching username)
- Reason code that disconnected the session
Let's see what kind of information is recorded in this event log.
Displays the properties of "Microsoft-Windows-TerminalServices-RDPClient/Operational" on Windows 10 1809. In my test environment, logging was enabled by default.
There is no record at the time of OS installation.
Start mstsc.exe and connect to DC1. There is no option specified. (NLA is enabled on DC1.)
When Alice successfully logged on to DC1(192.168.100.100), nine events were recorded.
RDP ClientActiveX is trying to connect to the server (dc1)
In this event, you can check the computer name of the RDP connection destination "DC1". When an IP address is specified for Computer of MSTSC, the IP address is displayed.
Server supports SSL = supported
Base64(SHA256(UserName)) is = 37b1Qe+C6RABWfEqhOY11NzgSzEATQWYD8PK6fWhlzc=-
The username is encoded. The article "Windows Event ID 1029 Hashes" is a good reference for finding a matching username.
If you convert the username "alice" in CyberChef, you can see the same value as the event log.
If "example\alice" is specified for the user name, the domain name and user name are encoded in the event log.
Base64(SHA256(UserName)) is = LZDrhy6nd9yShjFabAXdEq4o+LXDgDsQAAsbbZEr2/0=-37b1Qe+C6RABWfEqhOY11NzgSzEATQWYD8PK6fWhlzc=
The client has initiated a multi-transport connection to the server 192.168.100.100.
In this event, you can check the IP address of DC1(192.168.100.100).
The client has established a multi-transport connection to the server.
RDP ClientActiveX has connected to the server
The client is using hardware memory for the frame buffer.
The server is using version 0xA0600 of the RDP graphics protocol (client mode: 0, AVC available: 1).
Connected to domain (EXAMPLE) with session 2.
In this event, you can check the domain name (EXAMPLE.LOCAL).
When Alice signed out of DC1, three events were recorded.
RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to TsSslEventInvalidState (error code 0x8000FFFF).
The multi-transport connection has been disconnected.
By linking this event with ID 1103, can I find out how long Alice has been connected via RDP?
RDP ClientActiveX has been disconnected (Reason= 2)
According to Technet's article, Reason code 2 is "User-initiated client logoff."
Check the event when authentication fails at NLA stage. Several events have been recorded, you can see that there is no ID 1103.
RDP ClientActiveX has been disconnected (Reason= 7943)
"Reason = 7943" is displayed as the disconnection reason, the corresponding article was not found in the article of TechNet.
Disable NLA in the RDP settings of DC1. Also, add the following to the .RDP file and turn off NLA.
Connected to RDP with NLA off.
Check the event log with the password input failure several times and the connection disconnected. (Alice has not logged on successfully.)
Event ID 1103 can confirm that the RDP connection is successful, but you need to confirm in the security log that the logon was successful.
If NLA is disabled, it will appear to be disconnected once. The reason code for disconnection is 263, but this is also a code that is not described in Technet.
Event ID 1029 displays the user name set in the RDP file.
After successfully connecting the RDP session, ID 1029 was not recorded again when another user name was entered.
If NLA is disabled and logon is successful, ID 1027 will be recorded.
If you can not check the security log, event ID 1027 may be a hint of successful logon. (Unfortunately, the successful logon username can not be verified from Event ID 1027.)
Verification environment: Windows Server 2019 1809, Windows 10 1809, Time zone UTC