🦔https://lnkd.in/g9aAqDGF
🔗https://lnkd.in/dEfzbKZq
Key Event Logs for RDP Activity
1. Security Log: Tracks authentication and connection attempts.
2. TerminalServices-RDPClient: Logs client-side RDP connection details.
3. TerminalServices-LocalSessionManager: Records session creation and termination.
4. Remote Desktop Services – RDP Core TS: Monitors core RDP service activities.
5. TerminalServices-RemoteConnectionManager: Tracks remote connection attempts and status.
6. Sysmon: Provides detailed system activity logs for advanced threat hunting.
Practice-Verified Commands and Codes
1. Query Security Log for RDP Events:

```powershell
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4624 -or $_.Id -eq 4625 } | Format-Table -AutoSize
```

This command retrieves successful (4624) and failed (4625) logon attempts.

2. Extract TerminalServices-RDPClient Logs:

```powershell
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RDPClient/Operational" | Format-Table -AutoSize
```

3. Monitor Sysmon for RDP-Related Events:

```powershell
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.Message -match "RDP" } | Format-Table -AutoSize
```

4. Enable Detailed RDP Logging:

```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "LoggingEnabled" -Value 1
```

5. Check Active RDP Sessions:

```powershell
qwinsta
```

6. Terminate Suspicious RDP Sessions:

```powershell
rwinsta <SessionID>
```
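The one-liner in step 1 returns every 4624 logon, not just RDP ones. The following script is an added example (not from the original post) that narrows the Security log query to RDP: it parses the event XML rather than the locale-dependent Message text, keeps 4624 events whose LogonType is 10 (RemoteInteractive, the type an interactive RDP logon produces) and groups them by source IP and account, and separately flags source IPs with a burst of 4625 failures. It assumes an elevated PowerShell session on the host being inspected; the function name, time window and threshold are the example's own choices.

```powershell
# Added example: summarise RDP-relevant logon events from the Security log.
# Assumes it runs elevated on the host under review (reading Security needs admin).
#   4624 with LogonType 10 (RemoteInteractive) = successful RDP logon
#   4625 = failed logon; with NLA enabled, failed RDP attempts are often logged
#          with LogonType 3, so failures are counted regardless of type.
function Get-RdpLogonSummary {
    param(
        [int]$Hours = 24,
        [int]$FailureThreshold = 10   # failures per source IP that trigger a flag
    )
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = $since
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # EventData field names are stable; Message text depends on the OS language.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Id          = $e.Id
            LogonType   = $d['LogonType']
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIp    = $d['IpAddress']
            Workstation = $d['WorkstationName']
        }
    }

    # Successful interactive RDP logons only (LogonType 10).
    $rdpLogons = $rows | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '10' }
    $failures  = $rows | Where-Object { $_.Id -eq 4625 }

    Write-Host "Successful RDP logons (LogonType 10) in the last $Hours h, by source and account:"
    $rdpLogons | Group-Object SourceIp, User | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize

    Write-Host "Source IPs with $FailureThreshold or more failed logons (possible password guessing):"
    $failures | Group-Object SourceIp | Where-Object { $_.Count -ge $FailureThreshold } |
        Select-Object Count, Name | Format-Table -AutoSize
}

Get-RdpLogonSummary -Hours 24 -FailureThreshold 10
```

A source IP that appears in the failure table and then in the success table for the same account is the pattern worth reviewing first; corroborate it against event 21 (session logon succeeded) in the TerminalServices-LocalSessionManager log listed above.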
What Undercode Says
Lateral movement via RDP is a common tactic used by attackers to escalate privileges and move across networks. Monitoring RDP event logs is critical for detecting unauthorized access and potential breaches. Key logs such as Security, TerminalServices, and Sysmon provide valuable insights into RDP activity.
To enhance security, ensure RDP logging is enabled and regularly review logs for anomalies. Use PowerShell commands like `Get-WinEvent` and `qwinsta` to monitor and manage RDP sessions. Additionally, consider implementing network-level restrictions, such as firewalls and VPNs, to limit RDP exposure.
For advanced threat hunting, integrate Sysmon with SIEM solutions to correlate RDP events with other suspicious activities. Regularly update and patch systems to mitigate vulnerabilities exploited via RDP.
By leveraging these tools and techniques, organizations can significantly reduce the risk of lateral movement attacks and strengthen their overall cybersecurity posture.
References:
initially reported by: https://www.linkedin.com/posts/activity-7302201228992606208-t44S – Hackers Feeds