Tuesday, August 21, 2018

Who has logged into a Server

Good day All,
Welcome back!!!
It's been quite some time, I know; so many things happened and I lost track a bit because of the busy schedule.
I worked on a couple of interesting topics that I want to share with all of you. To start with, as part of an investigation I was asked to identify whether, during a particular time window, any user with a specific ID opened an RDP session to a server, and if so, which ID they logged on with and which server they were trying to connect to at that time.

I knew that we would need the Security log to start with (hoping it had not been overwritten), and that a successful RDP session generates an event in the Security log with Logon Type 10.

So basically we are looking for two event IDs, 4624 and 4648; below is the output of the two.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          6/14/2018 10:29:37 AM MST
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Server name
Description:
An account was successfully logged on.

Subject:
                Security ID:                         SYSTEM
                Account Name:                 Computer account$
                Account Domain:                             domain name
                Logon ID:                             0x3E7 

Logon Type:                                       10
Impersonation Level:                     Impersonation
New Logon:

                Security ID:                         domain\user id
                Account Name:                 UserID
                Account Domain:                             Domain Name
                Logon ID:                             0x72EADD999
                Logon GUID:                      {60d466ce-e71e-0080-95ca-d00b008dbba6}

Process Information:
                Process ID:                          0x3468
                Process Name:                  C:\Windows\System32\winlogon.exe

Network Information:
                Workstation Name:        Host name
                Source Network Address:            Source IP it connecting from.
               Source Port:                       0

Detailed Authentication Information:

                Logon Process:                  User32
                Authentication Package:               Negotiate
                Transited Services:          -
               Package Name (NTLM only):       -
                Key Length:                        0

The alert below just confirms the successful logon and the ID he used when he initiated the RDP session.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          6/14/2018 10:31:03 AM
Event ID:      4648
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Host name
Description:
A logon was attempted using explicit credentials.

Subject:
                Security ID:                         domain\ID
                Account Name:                 ID
                Account Domain:                             domain name
                Logon ID:                             0x72EADD999
                Logon GUID:                      {60d466ce-e71e-0080-95ca-d00b008dbba6}

Account Whose Credentials Were Used:
                Account Name:                 ID used to RDP
                Account Domain:                             host name
                Logon GUID:                      {00000000-0000-0000-0000-000000000000}

Target Server:
                Target Server Name:     destination Computer
                Additional Information: destination computer

Process Information:
                Process ID:                          0x338
                Process Name:                  C:\Windows\System32\lsass.exe
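
The two events above can be pulled and paired automatically. The script below is an added example, not part of the original post: it reads 4624 events with Logon Type 10 for a time window (and optionally one account), then joins each to the 4648 event carrying the same Subject Logon GUID, which is the link visible in the two dumps above. The parameter names $Start, $End and $UserId are my own choices; run it in an elevated PowerShell on the server being examined.

```powershell
# Added example: list RDP logons (4624, Logon Type 10) in a time window and pair each with
# the 4648 event that shares the same Logon GUID. Parameter names are assumptions for this example.
param(
    [datetime]$Start  = (Get-Date).AddDays(-1),
    [datetime]$End    = (Get-Date),
    [string]  $UserId = '*'      # account name under investigation; '*' matches any account
)

# Turn an event's EventData into a hashtable keyed by field name (TargetUserName, LogonType, ...)
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$filter4624 = @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End }
$filter4648 = @{ LogName = 'Security'; Id = 4648; StartTime = $Start; EndTime = $End }
$logons   = Get-WinEvent -FilterHashtable $filter4624 -ErrorAction SilentlyContinue
$explicit = Get-WinEvent -FilterHashtable $filter4648 -ErrorAction SilentlyContinue

# Index the 4648 events by their Subject Logon GUID so the join below is a lookup, not a scan
$byGuid = @{}
foreach ($e in $explicit) {
    $f = Get-EventFields $e
    if ($f.LogonGuid) { $byGuid[$f.LogonGuid] = $f }
}

foreach ($e in $logons) {
    $f = Get-EventFields $e
    if ($f.LogonType -ne '10') { continue }                 # keep only RDP (RemoteInteractive) logons
    if ($f.TargetUserName -notlike $UserId) { continue }    # narrow to the account being looked for
    $pair = $byGuid[$f.LogonGuid]                           # 4648 whose Subject Logon GUID matches
    [pscustomobject]@{
        Time         = $e.TimeCreated
        Account      = "$($f.TargetDomainName)\$($f.TargetUserName)"
        LogonId      = $f.TargetLogonId
        SourceIP     = $f.IpAddress
        Workstation  = $f.WorkstationName
        # From the paired 4648: which credentials were used and which server was named as target
        CredsUsed    = if ($pair) { "$($pair.TargetDomainName)\$($pair.TargetUserName)" } else { '(no 4648 match)' }
        TargetServer = if ($pair) { $pair.TargetServerName } else { '' }
    }
}
```

If the Security log has already rolled over for the window you need, nothing will come back; check the log's retention size before concluding that no session took place.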

This was easy, so hopefully it helps someone!!!
Until the next one, you all have a good day!!!
