iT邦幫忙

2024 iThome 鐵人賽

DAY 6
Security

Security Log Analysis series, part 6

6. Windows Log Analysis (Remote Desktop Login)


Overview

This time we look at what records are left on a Windows host when another host connects to it via Remote Desktop.

Procedure

Audit Log

First confirm whether the Audit Policy is enabled.
Local setting: gpedit.msc
https://ithelp.ithome.com.tw/upload/images/20240915/200777523HhR3Bpjln.png

AD domain setting: Group Policy Management > select the group to adjust
https://ithelp.ithome.com.tw/upload/images/20240915/20077752kIrrdA87DR.png

Remote Desktop

MSTSC

First, use PowerShell to view the Event Log:

PS C:\Windows\system32> Get-WinEvent -FilterXml '
>> <QueryList>
>>     <Query Id="0" Path="Security">
>>         <Select Path="Security">
>>             *[System[(
>>                 EventID=4624
>>             ) and
>>             (TimeCreated[timediff(@SystemTime) &lt;= 3600000])]]
>>         </Select>
>>     </Query>
>> </QueryList>
>> ' |
>> Select-Object Id, TimeCreated,
>> @{Name="LogonType"; Expression={$_.Properties[8].Value}},
>> @{Name="AdditionalInfo"; Expression={$_.Properties[10].Value}}

  Id TimeCreated          LogonType AdditionalInfo
  -- -----------          --------- --------------
4624 9/20/2024 8:54:56 PM        10 Negotiate
4624 9/20/2024 8:54:56 PM        10 Negotiate
4624 9/20/2024 8:54:53 PM         5 Negotiate
4624 9/20/2024 8:54:52 PM         2 Negotiate
4624 9/20/2024 8:54:52 PM         2 Negotiate
4624 9/20/2024 8:54:52 PM         2 Negotiate
4624 9/20/2024 8:54:52 PM         3 NTLM

Looking at the records, the whole sequence of behaviour can be observed by taking the time window around 8:54.

Event Viewer

  • Remote Desktop: the remote IP has been entered, but no credentials yet
    • Microsoft-Windows-TerminalServices-RemoteConnectionManager EventID 261 Listener RDP-Tcp received a connection
  • Password entered
    • Security EventID 4776 Credential Validation
    • Security EventID 4672 Special Logon
  • Certificate prompt accepted
    • Security EventID 4776 Credential Validation
    • Security EventID 4672 Special Logon
    • Security EventID 4624 Logon Type: 3
    • Microsoft-Windows-TerminalServices-RemoteConnectionManager EventID 1149 Remote Desktop Services: User authentication succeeded
    • Security EventID 4624 Logon Type: 2 Account Name: UMFD-3
    • Security EventID 4624 Logon Type: 2 Account Name: DWM-3
    • Security EventID 4624 Logon Type: 2 Account Name: DWM-3
    • Security EventID 4624 Logon Type: 5 Account Name: SYSTEM
    • Security EventID 4624 Logon Type: 10 Account Name: pc01
    • Security EventID 4624 Logon Type: 10 Account Name: pc01

Analysis: the first 4624 with Logon Type 3 shows that network authentication has already completed; the following Type 2 entries are some drivers, User-Mode Driver Framework (UMDF), and system services, and finally Type 10 is the Remote Desktop logon.

Being connected to via MSTSC again only produces Logon Type 7

After the previous connection was disconnected, a new Remote Desktop connection and login was made. The search query is adjusted to also include 261, 4776, 4672 and 1149:

Get-WinEvent -FilterXml '
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4672 or EventID=4776) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
    <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*[System[(EventID=261 or EventID=1149) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
  </Query>
</QueryList>
' |
Select-Object Id, TimeCreated,
@{Name="LogonType"; Expression={$_.Properties[8].Value}},
@{Name="AdditionalInfo"; Expression={$_.Properties[10].Value}}

Output

  Id TimeCreated          LogonType AdditionalInfo
  -- -----------          --------- --------------
4624 9/21/2024 7:21:42 AM 7         Negotiate     
4624 9/21/2024 7:21:42 AM 7         Negotiate     
4776 9/21/2024 7:21:42 AM                         
4672 9/21/2024 7:21:41 AM                         
4624 9/21/2024 7:21:41 AM 5         Negotiate     
1149 9/21/2024 7:21:40 AM                         
4624 9/21/2024 7:21:40 AM 3         NTLM          
4672 9/21/2024 7:21:40 AM                         
4672 9/21/2024 7:21:40 AM                         
4776 9/21/2024 7:21:40 AM                         
 261 9/21/2024 7:21:40 AM                         

Comparing the 4624 events, the type changed from 10 to 7. Type 7 is described as "Unlock - This workstation was unlocked." The guess is that the Remote Desktop session was still alive, so after this NTLM validation completed, the action taken was to unlock the screen.

  • Microsoft-Windows-TerminalServices-RemoteConnectionManager EventID 261 Listener RDP-Tcp received a connection
  • Security EventID 4624 Logon Type: 3
  • Microsoft-Windows-TerminalServices-RemoteConnectionManager EventID 1149 Remote Desktop Services: User authentication succeeded
  • Security EventID 4624 Logon Type: 5 Account Name: SYSTEM
  • Security EventID 4624 Logon Type: 7 Account Name: pc01
  • Security EventID 4624 Logon Type: 7 Account Name: pc01
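The two queries above are combined here into one script that builds a single timeline of an RDP logon and labels each 4624 by what its Logon Type means (new session vs. reconnect). This is an added example, not code from the original post; it assumes the default 4624 property layout (index 5 = TargetUserName, 8 = LogonType, 10 = AuthenticationPackageName, 18 = IpAddress), and that 1149 carries user / domain / source address and 4776 carries package / user / workstation / status in their first properties.

```powershell
# Added example: one timeline for an RDP logon, from the Security log plus the
# TerminalServices RemoteConnectionManager log, run on the host being connected to.
param(
    [int]$LookbackHours = 1
)

$ms = $LookbackHours * 3600 * 1000
$query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4672 or EventID=4776) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]</Select>
    <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*[System[(EventID=261 or EventID=1149) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]</Select>
  </Query>
</QueryList>
"@

# What each Logon Type seen in this post means when reviewing an RDP connection.
$typeMeaning = @{
    2  = 'Interactive (session helper accounts such as UMFD-x / DWM-x)'
    3  = 'Network (credential check before the session is created)'
    5  = 'Service (SYSTEM)'
    7  = 'Unlock (reconnect to an existing, still-running RDP session)'
    10 = 'RemoteInteractive (brand-new RDP session)'
}

Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    ForEach-Object {
        # Capture $_ before the switch, which rebinds $_ inside its blocks.
        $p = $_.Properties
        $row = [ordered]@{ Time = $_.TimeCreated; Id = $_.Id; User = ''; Source = ''; Detail = '' }
        switch ($_.Id) {
            4624 { $t = [int]$p[8].Value
                   $row.User = $p[5].Value; $row.Source = $p[18].Value
                   $row.Detail = "Type $t / $($p[10].Value): $($typeMeaning[$t])" }
            1149 { $row.User = $p[0].Value; $row.Source = $p[2].Value
                   $row.Detail = 'RDS: user authentication succeeded' }
            261  { $row.Detail = "Listener $($p[0].Value) received a connection" }
            4776 { $row.User = $p[1].Value; $row.Source = $p[2].Value
                   $row.Detail = "Credential validation, status $($p[3].Value)" }
            4672 { $row.User = $p[1].Value; $row.Detail = 'Special privileges assigned' }
        }
        [pscustomobject]$row
    } | Format-Table -AutoSize
```

Reading the output top-down, a Type 10 row after 261 and 1149 is a fresh session, while a Type 7 row in the same position is a reconnect to a session that was never logged off.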

REF

https://learn.microsoft.com/zh-tw/windows-server/identity/securing-privileged-access/reference-tools-logon-types

https://jpcertcc.github.io/ToolAnalysisResultSheet/details/mstsc.htm

