6. Windows Log分析(遠端桌面登入)

16th鐵人賽

Eugene

2024-09-20 22:52:05

2451 瀏覽

分享至

說明

這次來看一下一台Windows主機被另一台主機用遠端桌面會有什麼紀錄

作法

Audit Log

首先確認使否啟用中Audit Police
本地設定 gpedit.msc

AD網域設定 Group policy management > 選擇要調整的Group

遠端桌面

MSTSC

先用PowerShell查看EventLog

PS C:\Windows\system32> Get-WinEvent -FilterXml '
>> <QueryList>
>>     <Query Id="0" Path="Security">
>>         <Select Path="Security">
>>             *[System[(
>>                 EventID=4624
>>             ) and
>>             (TimeCreated[timediff(@SystemTime) &lt;= 3600000])]]
>>         </Select>
>>     </Query>
>> </QueryList>
>> ' |
>> Select-Object Id, TimeCreated,
>> @{Name="LogonType"; Expression={$_.Properties[8].Value}},
>> @{Name="AdditionalInfo"; Expression={$_.Properties[10].Value}}

  Id TimeCreated          LogonType AdditionalInfo
  -- -----------          --------- --------------
4624 9/20/2024 8:54:56 PM        10 Negotiate
4624 9/20/2024 8:54:56 PM        10 Negotiate
4624 9/20/2024 8:54:53 PM         5 Negotiate
4624 9/20/2024 8:54:52 PM         2 Negotiate
4624 9/20/2024 8:54:52 PM         2 Negotiate
4624 9/20/2024 8:54:52 PM         2 Negotiate
4624 9/20/2024 8:54:52 PM         3 NTLM

從紀錄來看，時間抓8:54分前後可觀察整個行為

Eventviewer

遠端桌面輸入遠端IP，還沒輸入帳密
- Microsoft-Windows-TerminalServices-RemoteConnectionManager EventID 261 Listener RDP-Tcp received a connection
輸入密碼
- Security EventID 4776 Credential Validation
- Security EventID 4672 Special Logon
按下確認憑證
- Security EventID 4776 Credential Validation
- Security EventID 4672 Special Logon
- Security EventID 4624 Logon Logon Type: 3
- Microsoft-Windows-TerminalServices-RemoteConnectionManager EventID 1149 1149 Remote Desktop Services: User authentication succeeded
- Security EventID 4624 Logon Type: 2 Account Name: UMFD-3
- Security EventID 4624 Logon Type: 2 Account Name: DWM-3
- Security EventID 4624 Logon Type: 2 Account Name: DWM-3
- Security EventID 4624 Logon Type: 5 Account Name: SYSTEM
- Security EventID 4624 Logon Type: 10 Account Name: pc01
- Security EventID 4624 Logon Type: 10 Account Name: pc01

分析一下，從第一個4624 Logon Type: 3已經完成網路驗證，接著Type2 為一些驅動 User-Mode Driver Framework (UMDF) ，Type2 系統服務，最後 Type 10 遠端桌面

被MSTSC連線只收到Logon Type 7

前一個連線中斷後，再重新遠端連線登入，重新調整搜尋語法，將261,4776,4672,1149也加入

Get-WinEvent -FilterXml '
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
    <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*[System[(EventID=261 or EventID=1149) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
  </Query>
</QueryList>
' |
Select-Object Id, TimeCreated, 
@{Name="LogonType"; Expression={$_.Properties[8].Value}}, 
@{Name="AdditionalInfo"; Expression={$_.Properties[10].Value}}

輸出

  Id TimeCreated          LogonType AdditionalInfo
  -- -----------          --------- --------------
4624 9/21/2024 7:21:42 AM 7         Negotiate     
4624 9/21/2024 7:21:42 AM 7         Negotiate     
4776 9/21/2024 7:21:42 AM                         
4672 9/21/2024 7:21:41 AM                         
4624 9/21/2024 7:21:41 AM 5         Negotiate     
1149 9/21/2024 7:21:40 AM                         
4624 9/21/2024 7:21:40 AM 3         NTLM          
4672 9/21/2024 7:21:40 AM                         
4672 9/21/2024 7:21:40 AM                         
4776 9/21/2024 7:21:40 AM                         
 261 9/21/2024 7:21:40 AM

分析4624之間的差別，從Type 10 變成7，7的說明是Unlock-This workstation was unlocked.，猜測是遠端桌面的服務還在，本次NTLM驗證完做解鎖畫面動作。

Microsoft-Windows-TerminalServices-RemoteConnectionManager EventID 261 Listener RDP-Tcp received a connection
Security EventID 4624 Logon Logon Type: 3
Microsoft-Windows-TerminalServices-RemoteConnectionManager EventID 1149 1149 Remote Desktop Services: User authentication succeeded
Security EventID 4624 Logon Type: 5 Account Name: SYSTEM
Security EventID 4624 Logon Type: 7 Account Name: pc01
Security EventID 4624 Logon Type: 7 Account Name: pc01