In almost every incident response engagement we find at least one commercial, free or built-in remote access tool (ab)used by the adversary, either to move laterally through the network or to establish persistence by maintaining multiple points of entry. For the attacker this comes with the added benefit of bypassing the traditional controls offered by firewalls, WAFs, IPS and the like, since the traffic blends in with legitimate remote administration.
The adversary may either drop their own tool or use the one already in use by the IT administrators, and the latter makes it difficult to separate malicious actions from legitimate ones. Knowing what to look for, and where, puts you closer to the adversary and to where they are in the environment.
This reference article collects, in a single place, the information about the logging generated by these tools that is otherwise spread across multiple blogs, combined with some in-depth internal testing.
Remote Access Software, Technique T1219 - Enterprise | MITRE ATT&CK®
The blog post below goes into excruciating detail on how Windows logs RDP-related events.
Windows RDP-Related Event Logs: Identification, Tracking, and Investigation | Ponder The Bits
For the sake of simplicity, you’re looking for:
Event ID | Logon Type | Source (log channel) | Comments |
---|---|---|---|
4624 | 10 (RemoteInteractive) | Security | Confirmed: hands-on-keyboard activity. Reconnects to an existing disconnected session are logged with logon type 7 instead, so check for both. |
1149 | N/A | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | Suspicion: a client reached the RDP listener (with NLA enabled this also means the credentials passed network-level authentication), but the user has not necessarily reached a desktop session yet. |
The logs generated on the Target host are minimal in nature.
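As an added example (not code from the original post), the following script applies the two rules from the table above to exported event XML and correlates them: an 1149 from a source IP followed within a few minutes by a 4624 with logon type 10 from the same IP ties the listener hit to the confirmed desktop session. The input format is the XML you get from `Get-WinEvent ... | ForEach-Object { $_.ToXml() }` or an EVTX-to-XML export; the events in `SAMPLE_EVENTS` are constructed for this example, and the hostname, users, IPs and logon IDs in them are made up.

```python
"""
Added example, not code from the original post: triage exported Windows
event XML for the two RDP indicators in the table above.
  - 1149 in TerminalServices-RemoteConnectionManager/Operational -> "suspicion"
  - 4624 with LogonType 10 in Security                             -> "confirmed"
A confirmed logon preceded, within WINDOW, by an 1149 from the same source IP
is additionally flagged as correlated.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RCM_CHANNEL = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
WINDOW = timedelta(minutes=5)


def _sys_event(event_id, time, channel, provider, body):
    """Build one constructed event XML string (sample data only, not a real log)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="{provider}"/><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{time}"/><Channel>{channel}</Channel>'
        f'<Computer>FS01.corp.example</Computer></System>{body}</Event>'
    )


def _rcm_1149(time, user, domain, src_ip):
    # 1149 carries user/domain/source address as Param1..Param3 under UserData/EventXML
    return _sys_event(1149, time, RCM_CHANNEL,
                      "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
                      f'<UserData><EventXML xmlns="Event_NS"><Param1>{user}</Param1>'
                      f'<Param2>{domain}</Param2><Param3>{src_ip}</Param3></EventXML></UserData>')


def _sec_4624(time, user, domain, logon_type, src_ip, logon_id):
    return _sys_event(4624, time, "Security", "Microsoft-Windows-Security-Auditing",
                      f'<EventData><Data Name="TargetUserName">{user}</Data>'
                      f'<Data Name="TargetDomainName">{domain}</Data>'
                      f'<Data Name="TargetLogonId">{logon_id}</Data>'
                      f'<Data Name="LogonType">{logon_type}</Data>'
                      f'<Data Name="IpAddress">{src_ip}</Data></EventData>')


# Constructed sample: an RDP listener hit, a network logon (type 3) from the same
# source that must NOT match, the RemoteInteractive logon that confirms a desktop
# session, and a second listener hit that never turns into a session.
SAMPLE_EVENTS = [
    _rcm_1149("2024-03-01T09:14:02.000000Z", "jsmith", "CORP", "10.10.5.23"),
    _sec_4624("2024-03-01T09:14:04.000000Z", "jsmith", "CORP", 3, "10.10.5.23", "0x3e7a10"),
    _sec_4624("2024-03-01T09:14:05.000000Z", "jsmith", "CORP", 10, "10.10.5.23", "0x3e7a5b"),
    _rcm_1149("2024-03-01T09:40:00.000000Z", "svc_backup", "CORP", "10.10.5.77"),
]


def parse_event(xml_text):
    """Flatten one event: System fields plus EventData/UserData as name -> value."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    stamp = system.find("e:TimeCreated", EVT_NS).get("SystemTime")
    rec = {
        "event_id": int(system.find("e:EventID", EVT_NS).text),
        "channel": system.find("e:Channel", EVT_NS).text,
        "computer": system.find("e:Computer", EVT_NS).text,
        "time": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
        "data": {},
    }
    event_data = root.find("e:EventData", EVT_NS)
    if event_data is not None:
        for d in event_data.findall("e:Data", EVT_NS):
            rec["data"][d.get("Name")] = d.text or ""
    user_data = root.find("e:UserData", EVT_NS)
    if user_data is not None:
        for leaf in user_data.iter():          # leaves are Param1..ParamN
            if len(leaf) == 0:
                rec["data"][leaf.tag.rsplit("}", 1)[-1]] = leaf.text or ""
    return rec


def classify(rec):
    """Apply the two rules from the table; None when the event is neither."""
    d = rec["data"]
    if rec["event_id"] == 1149 and rec["channel"] == RCM_CHANNEL:
        return {"verdict": "suspicion", "time": rec["time"], "host": rec["computer"],
                "user": f"{d.get('Param2', '')}\\{d.get('Param1', '')}",
                "src_ip": d.get("Param3", ""), "logon_id": None, "correlated": False}
    if rec["event_id"] == 4624 and rec["channel"] == "Security" and d.get("LogonType") == "10":
        return {"verdict": "confirmed", "time": rec["time"], "host": rec["computer"],
                "user": f"{d.get('TargetDomainName', '')}\\{d.get('TargetUserName', '')}",
                "src_ip": d.get("IpAddress", ""), "logon_id": d.get("TargetLogonId"),
                "correlated": False}
    return None


def triage(xml_events, window=WINDOW):
    """Hits in time order; a confirmed logon gets correlated=True when an 1149
    from the same source IP precedes it within `window`."""
    hits = [h for h in (classify(parse_event(x)) for x in xml_events) if h]
    hits.sort(key=lambda h: h["time"])
    for h in hits:
        if h["verdict"] == "confirmed":
            h["correlated"] = any(
                s["verdict"] == "suspicion" and s["src_ip"] == h["src_ip"]
                and timedelta(0) <= h["time"] - s["time"] <= window
                for s in hits)
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        tag = "+1149" if h["correlated"] else ""
        print(f'{h["time"]:%Y-%m-%d %H:%M:%S} {h["host"]:<18} {h["verdict"]}{tag:<6} '
              f'{h["user"]:<18} from {h["src_ip"]}')
```

Two caveats when reading the output. An 1149 that is never followed by a 4624/10 from the same source (the second sample above) means the client reached the listener but no interactive session was established: with NLA enabled the credentials were valid but the user stopped at the logon screen or disconnected, without NLA it can be any TCP client that completed the connection. And a reconnect to an existing disconnected session produces a 4624 with logon type 7 rather than 10, which this script does not treat as confirmed; extend the `LogonType` check if you need to catch those.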