RDP Goodies

BlueteamOps
4 min read · Jan 31, 2021

Remote Desktop Protocol (T1021.001) continues to be one of the most favoured lateral movement techniques used by adversaries. This write-up attempts to provide a consolidated view of the key indicators of RDP usage and of the additional host configuration changes that may accompany it.

Firewall

Use: Identifies Windows Firewall rule activity relating to RDP
Security.evtx - EID 4688 or Sysmon EID 1 (Process Creation)

The process command line may contain either of the following commands:
netsh firewall set service type = remotedesktop mode = enable
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

Microsoft-Windows-Windows Firewall With Advanced Security Firewall.evtx

EID 2004 - A rule has been added to the Windows Firewall exception list
EID 2005 - A rule has been modified in the Windows Firewall exception list
EID 2006 - A rule has been deleted from the Windows Firewall exception list

RDP Status

Use: Identify if RDP is enabled

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections value is set to 0

Authentication

Use: Identify if blank passwords are allowed to access the host

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse is set to 0

Use: Identifies if Network Level Authentication is disabled.

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication value is set to 0

RDP Session Duration

Use: Identifies whether Remote Desktop sessions are configured never to time out. Note that the default configuration is no timeout.

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime value is set to 0

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxConnectionTime value is set to 0
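The registry checks above (RDP status, authentication and session duration) can be audited in one pass. The script below is an added example and not part of the original post; the function name `Get-RdpRegistryFindings` is my own, and it also includes the `Shadow` value from the "Eavesdropping RDP sessions" section further down so a single run covers every registry indicator on this page. It reports the current value of each key and whether it matches the setting the post flags.

```powershell
# Added example (not from the original post): audit the RDP-related registry values
# listed on this page and report which ones match the flagged settings.
function Get-RdpRegistryFindings {
    # Each check: registry path, value name, the value the post flags, and what that means.
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
           Name = 'fDenyTSConnections'; Flag = 0; Meaning = 'RDP is enabled' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Name = 'LimitBlankPasswordUse'; Flag = 0; Meaning = 'Blank passwords allowed for network logon' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
           Name = 'UserAuthentication'; Flag = 0; Meaning = 'Network Level Authentication disabled' }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
           Name = 'MaxIdleTime'; Flag = 0; Meaning = 'Idle sessions never time out' }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
           Name = 'MaxConnectionTime'; Flag = 0; Meaning = 'Active sessions never time out' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
           Name = 'Shadow'; Flag = 4; Meaning = 'Session can be viewed without user consent' }
    )

    foreach ($c in $checks) {
        # A missing policy value is reported as "not configured" rather than as an error;
        # for MaxIdleTime/MaxConnectionTime "not configured" means the default of no timeout.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $current = if ($null -eq $item) { $null } else { $item.($c.Name) }

        [pscustomobject]@{
            Path    = $c.Path
            Name    = $c.Name
            Current = if ($null -eq $current) { '(not configured)' } else { $current }
            Flagged = ($null -ne $current -and [int]$current -eq $c.Flag)
            Meaning = $c.Meaning
        }
    }
}

# Usage: run from an elevated prompt so HKLM policy keys are readable.
Get-RdpRegistryFindings | Format-Table -AutoSize
```

Note that `fDenyTSConnections = 0` is flagged only because the post uses it to establish that RDP is enabled at all; the remaining rows are the weak settings a reviewer would want remediated.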

RDP Session History

Use: Identifies all RDP connections made from the host by a given user

HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\

Use: Identifies the last 10 RDP sessions for a given user (MRU list)

HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Default
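The two keys above are per user, so on a shared or multi-user host they need to be walked for every SID. The following is an added example rather than code from the post; `Get-RdpClientHistory` is a name I chose. It reads both the `Servers` subkeys (every target, with the last username hint used) and the `Default` MRU values for each user hive currently loaded under HKEY_USERS. Hives of users who are not logged on are not loaded and would need to be mounted from their NTUSER.DAT first; that step is not shown.

```powershell
# Added example (not from the original post): enumerate Terminal Server Client history
# for every loaded user hive under HKEY_USERS.
function Get-RdpClientHistory {
    # HKU: is not a default PowerShell drive; map it once if it is missing.
    if (-not (Test-Path 'HKU:\')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Only real user SIDs (S-1-5-21-...); skips *_Classes hives and well-known service SIDs.
    $sids = Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

    foreach ($sid in $sids) {
        $base = "HKU:\$($sid.PSChildName)\Software\Microsoft\Terminal Server Client"

        # Servers\<host>: one subkey per server ever connected to, with the username last used.
        Get-ChildItem "$base\Servers" -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                SID      = $sid.PSChildName
                Source   = 'Servers'
                Server   = $_.PSChildName
                Username = (Get-ItemProperty -Path $_.PSPath).UsernameHint
            }
        }

        # Default\MRU0..MRU9: the ten most recent targets, MRU0 being the latest.
        $default = Get-ItemProperty -Path "$base\Default" -ErrorAction SilentlyContinue
        if ($default) {
            $default.PSObject.Properties |
                Where-Object { $_.Name -match '^MRU\d+$' } |
                Sort-Object { [int]($_.Name -replace 'MRU', '') } |
                ForEach-Object {
                    [pscustomobject]@{
                        SID      = $sid.PSChildName
                        Source   = $_.Name
                        Server   = $_.Value
                        Username = $null
                    }
                }
        }
    }
}

Get-RdpClientHistory | Format-Table -AutoSize
```

An empty `Servers` key together with an empty `Default` key for a user who is known to use RDP is itself worth noting, given the clean-up commands described later in the post.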

Windows Security Event Log

Use: Identifies successful and failed inbound RDP logons to a host
Security.evtx

EID 4624/4625 with Logon Type 10 (Logon Type 3 is seen first if NLA is enabled) or Logon Type 7 (reconnection)
EID 4778 - A session was reconnected to a Window Station; typically paired with Event ID 25
EID 4779 - A session was disconnected from a Window Station, with session name "RDP"; typically paired with Event ID 24 and likely Event IDs 39 and 40
EID 4634 - A user disconnected from, or logged off, an RDP session
EID 4647 - The user initiated a formal logoff (NOT a simple disconnect)
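The Security log events above are easiest to triage once the relevant fields (account, logon type, source address, session name) are pulled out of the event XML. The script below is an added example and not from the post; `Get-RdpSecurityLogons` and its `-Days` parameter are my own. It collects 4624/4625 with Logon Type 10 or 7 and 4778/4779, and flags a loopback source address, which is the tunnelling indicator the post describes in its "RDP Tunnelling" section. Reading the Security log requires an elevated prompt.

```powershell
# Added example (not from the original post): extract inbound RDP logon events from
# the Security log and flag loopback sources.
function Get-RdpSecurityLogons {
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4778, 4779
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Address EventData fields by name; positional Properties indexes differ per event ID.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $user = $null
        $src  = $null
        switch ($_.Id) {
            { $_ -in 4624, 4625 } {
                # Type 10 = RemoteInteractive, type 7 = unlock/reconnect. The type 3 logon
                # produced by NLA is not included here because it is indistinguishable from
                # other network logons without correlating it to a following type 10.
                if ($data['LogonType'] -notin '10', '7') { return }
                $user = $data['TargetUserName']
                $src  = $data['IpAddress']
            }
            { $_ -in 4778, 4779 } {
                # Reconnect/disconnect events carry the client address and session name instead.
                $user = $data['AccountName']
                $src  = $data['ClientAddress']
            }
        }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            User      = $user
            LogonType = $data['LogonType']
            Source    = $src
            Session   = $data['SessionName']
            Outcome   = if ($_.Id -eq 4625) { 'Failure' } else { 'Success' }
            Loopback  = ($src -in '127.0.0.1', '::1')   # possible tunnelled RDP
        }
    }
}

Get-RdpSecurityLogons -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

Filtering on `Loopback -eq $true` gives the tunnelling candidates directly; a burst of 4625 rows for one source with many distinct users is the password-spraying pattern to look for in the same output.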

Windows Terminal Services Logs

Use: Identifies RDP activity inbound to a host

Microsoft-Windows-TerminalServices-RemoteConnectionManager Operational.evtx

EID 1149 - An RDP client has established a network connection. Despite the event's title ("User authentication succeeded"), this does not indicate successful authentication to the target.

Microsoft-Windows-TerminalServices-LocalSessionManager Operational.evtx

Note: A source network address of 127.0.0.1 is an indicator of RDP tunnelling activity.

EID 21 - Successful RDP logon and session instantiation
EID 22 - Successful RDP logon and shell start (i.e. the Windows GUI desktop)
EID 23 - The user initiated a formal system logoff
EID 24 - The user has disconnected from an RDP session
EID 25 - The user has reconnected to an existing RDP session
EID 39 - The user formally disconnected from the RDP session
EID 40 - The user disconnected from or reconnected to an RDP session
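Because these LocalSessionManager events share a session ID, they can be stitched into a per-session timeline (logon, shell, disconnect, reconnect, logoff). The script below is an added example, not code from the post; `Get-RdpSessionTimeline` is my own name. Unlike Security log events, these store their fields under a `UserData/EventXML` element, and the element names vary by event (21 to 25 carry `User`, `SessionID` and `Address`; 39 carries `TargetSession`; 40 carries `Session` and `Reason`), which the script accounts for.

```powershell
# Added example (not from the original post): build a per-session timeline from the
# TerminalServices-LocalSessionManager Operational log.
function Get-RdpSessionTimeline {
    param([int]$Days = 30)

    # Labels taken from the event descriptions on this page.
    $labels = @{
        21 = 'Logon';  22 = 'Shell start'; 23 = 'Logoff'; 24 = 'Disconnect'
        25 = 'Reconnect'; 39 = 'Formal disconnect'; 40 = 'Disconnect/reconnect (reason code)'
    }

    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 22, 23, 24, 25, 39, 40
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $e = ([xml]$_.ToXml()).Event.UserData.EventXML

        # Session ID lives under a different element name depending on the event ID.
        $session = if ($e.SessionID) { $e.SessionID } elseif ($e.Session) { $e.Session } else { $e.TargetSession }
        $address = $e.Address    # "LOCAL" for console sessions; absent on 23/39/40

        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            Action   = $labels[[int]$_.Id]
            User     = $e.User
            Session  = $session
            Address  = $address
            Reason   = $e.Reason   # only populated for EID 40
            Loopback = ($address -eq '127.0.0.1')   # tunnelling indicator from the note above
        }
    }
}

# Group by session ID so each session reads top to bottom from logon to logoff.
Get-RdpSessionTimeline -Days 30 | Sort-Object Session, Time | Format-Table -GroupBy Session -AutoSize
```

A session that shows EID 21 and 22 but never a 23 or 24 is still live (or the host was reset), which is often the first thing to check when scoping an intrusion.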

Windows RDP Client Logs

Use: Identifies RDP activity originating from a host

Microsoft-Windows-TerminalServices-RDPClient Operational.evtx

EID 1102 - The client has initiated a multi-transport connection to the server {IP}. This indicates an outbound RDP attempt from the host; it does not mean the attempt was successful.

The following events are triggered upon successful authentication via RDP:
EID 1025 - RDP ClientActiveX has connected to the server
EID 1027 - Connected to domain (DESKTOP-U4VPV30) with session 2
EID 1026 - RDP ClientActiveX has been disconnected

The following reason codes were observed for EID 1026, depending on how the RDP session was closed:
(Reason = 1) - The RDP window was closed using the X button
(Reason = 2) - The user signed out of the account

RDP Bitmap Cache

Use: Obtain visual insight into historical RDP sessions

The RDP cache stores persistent bitmaps to improve the overall user experience. These bitmaps are stored out of order; RDPieces (see below) can be used to stitch them back into a human-readable image.

Locations:

From Windows 7 onwards:
%USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache\

Prior to Windows 7:
%USERPROFILE%\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache

Script to reconstitute RDP cache files into a human-readable form:
https://github.com/brimorlabs/rdpieces

Note: Search for the CachePersistenceActive key value to determine whether caching is disabled.
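Before the cache files are handed to a reconstruction tool they should be located for every profile on the host and hashed, so the collection is repeatable. The script below is an added example and not from the post; `Get-RdpBitmapCacheFiles` is my own name. It checks the Windows 7+ path first and falls back to the pre-Windows 7 path (on newer systems the latter is a junction to the former, so only the first existing path is used to avoid duplicate rows).

```powershell
# Added example (not from the original post): inventory RDP bitmap cache files for
# every user profile, with size, timestamps and SHA-256 for collection records.
function Get-RdpBitmapCacheFiles {
    $profileRoot = Join-Path $env:SystemDrive 'Users'
    $profiles = Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue

    foreach ($p in $profiles) {
        # Both locations from the post; the first that exists wins.
        $candidates = @(
            (Join-Path $p.FullName 'AppData\Local\Microsoft\Terminal Server Client\Cache')
            (Join-Path $p.FullName 'Local Settings\Application Data\Microsoft\Terminal Server Client\Cache')
        )
        $dir = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
        if (-not $dir) { continue }

        # Cache####.bin holds the persistent bitmap cache; bcache##.bmc is the older format.
        Get-ChildItem -Path $dir -File -Recurse -Include 'Cache*.bin', 'bcache*.bmc' |
            ForEach-Object {
                [pscustomobject]@{
                    Profile  = $p.Name
                    File     = $_.FullName
                    SizeKB   = [math]::Round($_.Length / 1KB, 1)
                    Created  = $_.CreationTimeUtc
                    Modified = $_.LastWriteTimeUtc
                    SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Usage: run elevated so other users' profile folders are readable.
Get-RdpBitmapCacheFiles | Format-Table -AutoSize
```

The modification timestamps bound when the profile last had an active outbound RDP session, which is useful even before any image is reconstructed.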

The following commands may be executed by a threat actor during the clean-up phase:

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
del /ah %homepath%\documents\default.rdp
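Both the firewall commands in the "Firewall" section and the clean-up commands above surface as process command lines in Security EID 4688 or Sysmon EID 1, so one matcher can cover both. The script below is an added example and not code from the post; `Test-RdpCommandLine` and the tag names are my own, and the sample command lines at the bottom are constructed for the example (two of them are benign and should not match). The regexes are loose on whitespace and quoting so that straight and curly quotes, or extra spaces around `=`, still match.

```powershell
# Added example (not from the original post): tag process command lines that match the
# RDP firewall-enabling and history clean-up commands described on this page.
function Test-RdpCommandLine {
    param([Parameter(ValueFromPipeline)][string]$CommandLine)

    begin {
        $patterns = @(
            @{ Tag = 'RDP firewall exception (legacy netsh)'
               Regex = 'netsh\s+firewall\s+set\s+service\s+type\s*=\s*remotedesktop\s+mode\s*=\s*enable' }
            @{ Tag = 'RDP firewall rule group enabled'
               Regex = 'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group\s*=\s*.remote\s+desktop.\s+new\s+enable\s*=\s*yes' }
            @{ Tag = 'RDP MRU history wiped'
               Regex = 'reg\s+delete\s+.*Terminal Server Client\\Default.*\s/va' }
            @{ Tag = 'RDP Servers history deleted'
               Regex = 'reg\s+delete\s+.*Terminal Server Client\\Servers' }
            @{ Tag = 'RDP Servers key recreated (covers the deletion)'
               Regex = 'reg\s+add\s+.*Terminal Server Client\\Servers' }
            @{ Tag = 'Default.rdp removed'
               Regex = 'del\s+/ah\s+.*default\.rdp' }
        )
    }
    process {
        foreach ($p in $patterns) {
            if ($CommandLine -imatch $p.Regex) {
                [pscustomobject]@{ Tag = $p.Tag; CommandLine = $CommandLine }
            }
        }
    }
}

# Constructed sample command lines (not real telemetry); the last two are benign.
$samples = @(
    'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'
    'netsh firewall set service type = remotedesktop mode = enable'
    'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f'
    'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f'
    'reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"'
    'del /ah C:\Users\alice\documents\default.rdp'
    'netsh advfirewall show allprofiles'
    'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"'
)
$samples | Test-RdpCommandLine | Format-Table -AutoSize

# To run it against the live Security log instead (command-line auditing must be enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } |
#     ForEach-Object { (([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text' } |
#     Test-RdpCommandLine
```

Expect six tagged rows from the sample set; the `show` and `query` lines fall through untagged. The `reg add` pattern is worth keeping even though it looks harmless on its own, because recreating the empty `Servers` key is what makes the earlier deletion look like a never-used client.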

Users in Remote Desktop Group

Use: Identifies users who can RDP into the host
net localgroup "Remote Desktop Users"

RDP Tunnelling

Use: Identifies potential RDP tunnelling activity

Security.evtx
EID 4624 - Logon Type 10 - Source Network Address is 127.0.0.1

Eavesdropping RDP sessions

Use: Identifies whether viewing (shadowing) a user's RDP session does not require the user's consent

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Shadow value is set to 4

References

https://www.tachytelic.net/2019/01/clear-rdp-cache/
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
https://admx.help/?Category=VMware_Horizon&Policy=vdm_client.adm::Bitmapcachingcachepersistenceactive
https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_RemoteControl_2
