Good day All,
Welcome back!!!
It's been quite some time, I know; so many things happened and I lost track a bit because of the busy schedule.
I worked on a couple of interesting topics that I want to share with all of you. To start with, as part of an investigation I was asked to identify whether, during a particular time window, any user with a specific ID opened an RDP session to a server, and if so, which ID they logged on with and which server they were trying to connect to at that time.
I knew we would need the Security log to start with (hoping it had not been overwritten yet), and that a successful RDP session generates an event in the Security log with Logon Type 10.
So basically we are looking for two event IDs, 4624 and 4648; below is the output of the two.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 6/14/2018 10:29:37 AM MST
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: Server name
Description:
An account was successfully logged on.
Subject:
    Security ID: SYSTEM
    Account Name: Computer account$
    Account Domain: domain name
    Logon ID: 0x3E7
Logon Type: 10
Impersonation Level: Impersonation
New Logon:
    Security ID: domain\user id
    Account Name: UserID
    Account Domain: Domain Name
    Logon ID: 0x72EADD999
    Logon GUID: {60d466ce-e71e-0080-95ca-d00b008dbba6}
Process Information:
    Process ID: 0x3468
    Process Name: C:\Windows\System32\winlogon.exe
Network Information:
    Workstation Name: Host name
    Source Network Address: source IP it is connecting from
    Source Port: 0
Detailed Authentication Information:
    Logon Process: User32
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
The event below just confirms the successful logon and the ID he used when he initiated the RDP session.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 6/14/2018 10:31:03 AM
Event ID: 4648
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: Host name
Description:
A logon was attempted using explicit credentials.
Subject:
    Security ID: domain\ID
    Account Name: ID
    Account Domain: domain name
    Logon ID: 0x72EADD999
    Logon GUID: {60d466ce-e71e-0080-95ca-d00b008dbba6}
Account Whose Credentials Were Used:
    Account Name: ID used to RDP
    Account Domain: host name
    Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
    Target Server Name: destination Computer
    Additional Information: destination computer
Process Information:
    Process ID: 0x338
    Process Name: C:\Windows\System32\lsass.exe
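To run the same search without scrolling through Event Viewer, here is an added PowerShell example (my code, not from the original post) that pulls 4624 Logon Type 10 events for one account in a time window and joins them to 4648 events on the Logon ID, which the two events above share (0x72EADD999). The account name, the time window and the helper function name are placeholders, and it assumes it runs with rights to read the Security log on the machine holding the events.

```powershell
# Added example (not code from the original post): list RDP logons (4624, Logon Type 10)
# for one account inside a time window, then correlate 4648 events by Logon ID to show
# which target server explicit credentials were used against from that session.
# Assumes the script runs with rights to read the Security log on the machine holding
# the events; the account name and time window are placeholders to adjust.
param(
    [string]  $Account = 'UserID',               # placeholder: account under investigation
    [datetime]$Start   = '2018-06-14 10:00:00',  # placeholder window (based on the post's dates)
    [datetime]$End     = '2018-06-14 11:00:00'
)

# Flatten an event's <EventData><Data Name="..."> entries into a hashtable keyed by field name
function Get-EventFields($Event) {
    $fields = @{ TimeCreated = $Event.TimeCreated }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

$window = @{ LogName = 'Security'; StartTime = $Start; EndTime = $End }

# 4624 with LogonType 10 (RemoteInteractive) is the RDP session; TargetLogonId is the
# "New Logon > Logon ID" value from the event text.
$rdpLogons = Get-WinEvent -FilterHashtable ($window + @{ Id = 4624 }) -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Where-Object { $_.LogonType -eq '10' -and $_.TargetUserName -eq $Account }

# Index 4648 (explicit credentials) by SubjectLogonId: in the post's output the 4648
# "Subject > Logon ID" equals the 4624 "New Logon > Logon ID" of the RDP session.
$explicitByLogonId = @{}
Get-WinEvent -FilterHashtable ($window + @{ Id = 4648 }) -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if (-not $explicitByLogonId.ContainsKey($f.SubjectLogonId)) {
            $explicitByLogonId[$f.SubjectLogonId] = New-Object System.Collections.Generic.List[object]
        }
        $explicitByLogonId[$f.SubjectLogonId].Add($f)
    }

foreach ($s in $rdpLogons) {
    '{0}  RDP logon {1}\{2} from {3} (LogonId {4})' -f $s.TimeCreated, $s.TargetDomainName,
        $s.TargetUserName, $s.IpAddress, $s.TargetLogonId
    foreach ($e in $explicitByLogonId[$s.TargetLogonId]) {
        '    {0}  explicit creds {1}\{2} -> target {3} via {4}' -f $e.TimeCreated,
            $e.TargetDomainName, $e.TargetUserName, $e.TargetServerName, $e.ProcessName
    }
}
```

Narrowing the time window in the FilterHashtable is what keeps this fast on a busy server, since 4624 is one of the noisiest Security events; if the Security log has already rolled over, nothing here can recover it.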
This was easy, so hopefully it helps someone!!!
Until the next one, you all have a good day!!!