Forensicating RDP: Remote Desktop Protocol (RDP) is an integral part of the Windows OS, allowing users to connect remotely to other systems. Exposing it to the internet, however, can lead (and often has led) to unauthorised access if it is not properly secured, which makes it a preferred attack vector for threat actors aiming to deploy ransomware or to use the machine as a jump host for lateral movement into your network.
To investigate an incident where patient zero is an internet-facing RDP host, start with the Windows event logs. They are the primary digital evidence in a forensic investigation: timestamped records of user logons, system events and (where firewall or Filtering Platform logging is enabled) network connections, which can be used to establish the chain of events during the incident.
Correlating timestamped entries from these different sources into a single timeline makes the sequence of actions taken by users or attackers visible and shows how the incident progressed. Normalise time zones first: the Security log records SystemTime in UTC, while the Windows Firewall log is written in local time by default.
When investigating RDP-based ransomware incidents, these logs are invaluable. Here’s what to look for:
- Security Event Log (Event ID 4625, An account failed to log on): records failed logon attempts. Many 4625 events in a short window from one Source Network Address indicate a brute-force or credential-stuffing attack. When Network Level Authentication (NLA) is enabled, the failure is usually logged with Logon Type 3 rather than 10, because the credentials are rejected during CredSSP pre-authentication before a remote interactive session exists, so filter on the source address rather than on logon type. The Status/Sub Status fields separate a bad password (0xC000006A) from an unknown account (0xC0000064), a locked account (0xC0000234) or a disabled one (0xC0000072).
- Security Event Log (Event ID 4624, An account was successfully logged on): successful RDP logons appear with Logon Type 10 (RemoteInteractive); reconnection to an existing session appears as Logon Type 7, and with NLA a Logon Type 3 logon for the same account typically precedes the Type 10. The event carries the Source Network Address and Source Port, so group by source IP and look for logons at anomalous times, such as late-night or early-morning, or from addresses with no business connecting. For more detail, correlate with the Windows Firewall log (see the entry below) and with Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Event IDs 21 (session logon succeeded) and 25 (session reconnection succeeded), which also record the source address.
- Security Event Log (Event ID 4634, An account was logged off; 4647 for a user-initiated logoff): these close the session opened by the 4624 with the same Logon ID, which lets you bound how long the attacker was interactive. Sudden logoffs or many logoffs within a short timeframe might suggest unauthorised activity.
- Security Event Log (Event ID 4648, A logon was attempted using explicit credentials): logged when a process presents credentials other than those of the logged-on user, for example runas, a scheduled task, or mstsc connecting to another host with different or saved credentials. On a compromised RDP host this is the key event for tracing lateral movement, because it records both the account used and the Target Server Name the credentials were sent to.
- Security Event Log (Event ID 4776, The computer attempted to validate the credentials for an account): NTLM credential validation, written on the machine that holds the account (the RDP host itself for local accounts, the domain controller for domain accounts) and only if the Audit Credential Validation subcategory is enabled. It records successes and failures alike; the Error Code field (0x0 success, 0xC000006A bad password, 0xC0000064 unknown account) tells them apart. Because NLA pre-authentication over CredSSP commonly uses NTLM, 4776 is often the most complete record of failed RDP authentication attempts.
- Windows Firewall Log: by default written to %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, and only when logging of dropped and/or allowed connections is switched on in the firewall profile. Analyze it to identify RDP connection attempts (destination port 3389 by default, path RECEIVE) from external IP addresses; look for repeated attempts or connections from unfamiliar locations. If the Filter Platform Connection audit subcategory is enabled, Security log Event IDs 5156 and 5157 (the Windows Filtering Platform has permitted/blocked a connection, respectively) record the same information together with the owning process ID.
- System Log (Event ID 7031 and 7034, a service terminated unexpectedly; 7036, a service entered the stopped state), written by the Service Control Manager to the System log rather than the Application log. Look for security and backup services (EDR, antivirus, VSS, backup agents) stopping shortly before the first encrypted files appear; ransomware routinely stops them. Event ID 7045 (a service was installed in the system) in the same log can reveal a tool or persistence mechanism the attacker introduced.
- Sysmon Logs: If Sysmon is installed, Microsoft-Windows-Sysmon/Operational records process creation with full command line and parent process (Event ID 1), network connections per process (Event ID 3), image loads (7), CreateRemoteThread (8) and file creation (11), among others. For an RDP intrusion, the Event ID 1 entries under the compromised user's session after the 4624 show what the attacker ran, and the Event ID 3 entries from those processes show where they connected next.
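As an added example (not part of the original article), the Python script below applies the first checks from the list to constructed records. It parses Security-log events in the XML form that `wevtutil qe Security /f:xml` (or Get-WinEvent's .ToXml()) produces, flags a burst of 4625 failures from one source address, a Logon Type 10 4624 from the same address right after the burst, and off-hours RDP logons, and it counts inbound hits on the RDP port per source address in Windows Firewall log lines. The failure threshold, the time window, the business hours and every sample record are assumptions made for the example.

```python
"""Log triage for an internet-facing RDP host. Added example for this article,
not the author's tooling. Input is Security-log XML as emitted by `wevtutil qe
Security /f:xml` or Get-WinEvent's .ToXml(), plus raw lines from the Windows
Firewall log (pfirewall.log). Every record in this file is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# 10 = RemoteInteractive (RDP), 7 = unlock/reconnect of an existing session. With NLA a
# failed pre-auth is usually logged as Logon Type 3, so 4625 is NOT filtered by type.
RDP_LOGON_TYPES = {"10", "7"}
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 UTC is normal for this host


def parse_systemtime(s):
    # EVTX SystemTime is UTC with up to 7 fractional digits; drop the fraction.
    base = s.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_security_event(xml_text):
    """Flatten one <Event> into a dict: EventID, Time, plus every EventData field."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {"EventID": int(system.find("e:EventID", NS).text),
           "Time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime"))}
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec


def triage_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Return findings as (kind, source_ip, user, iso_time) tuples, oldest first."""
    findings, recent_failures = [], defaultdict(list)  # ip -> 4625 times inside window
    for r in sorted(events, key=lambda e: e["Time"]):
        ip, user, t = r.get("IpAddress", "-"), r.get("TargetUserName", ""), r["Time"]
        if r["EventID"] == 4625:
            fails = [x for x in recent_failures[ip] if t - x <= window] + [t]
            recent_failures[ip] = fails
            if len(fails) == threshold:  # fire once per burst, not on every later failure
                findings.append(("brute_force", ip, user, t.isoformat()))
        elif r["EventID"] == 4624 and r.get("LogonType") in RDP_LOGON_TYPES:
            fails = [x for x in recent_failures[ip] if t - x <= window]
            if len(fails) >= threshold:
                findings.append(("success_after_brute_force", ip, user, t.isoformat()))
            if t.hour not in BUSINESS_HOURS:
                findings.append(("off_hours_rdp_logon", ip, user, t.isoformat()))
    return findings


def parse_firewall_log(text, rdp_port="3389"):
    """Count inbound hits on the RDP port per source IP: {src_ip: Counter(action)}."""
    counts, fields = defaultdict(Counter), None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log's own header
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if row.get("dst-port") == rdp_port and row.get("path") == "RECEIVE":
                counts[row["src-ip"]][row["action"]] += 1
    return counts


# --- constructed sample data (not real telemetry) -----------------------------------
EVENT_XML = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
             '<System><EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/></System>'
             '<EventData>{data}</EventData></Event>')


def sample_event(eid, ts, **fields):
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return EVENT_XML.format(eid=eid, ts=ts, data=data)


SAMPLE_EVENTS = [  # five failures from one address, then a Type 10 success at 03:14 UTC
    sample_event(4625, f"2024-03-02T03:1{i}:0{i}.1234567Z", TargetUserName="administrator",
                 LogonType="3", IpAddress="203.0.113.45", Status="0xC000006D",
                 SubStatus="0xC000006A") for i in range(5)
] + [
    sample_event(4624, "2024-03-02T03:14:07Z", TargetUserName="administrator",
                 LogonType="10", IpAddress="203.0.113.45"),
    sample_event(4624, "2024-03-02T09:00:00Z", TargetUserName="jdoe",
                 LogonType="10", IpAddress="10.0.0.20"),
]

SAMPLE_FIREWALL_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-02 03:09:58 DROP TCP 203.0.113.45 10.0.0.5 51230 3389 52 S 1234560 0 8192 - - - RECEIVE
2024-03-02 03:09:59 DROP TCP 203.0.113.45 10.0.0.5 51231 3389 52 S 1234561 0 8192 - - - RECEIVE
2024-03-02 03:10:00 DROP TCP 203.0.113.45 10.0.0.5 51232 3389 52 S 1234562 0 8192 - - - RECEIVE
2024-03-02 03:10:01 ALLOW TCP 203.0.113.45 10.0.0.5 51233 3389 0 - 0 0 0 - - - RECEIVE
2024-03-02 03:10:02 ALLOW TCP 10.0.0.5 198.51.100.9 49800 443 0 - 0 0 0 - - - SEND
"""


def run():
    findings = triage_logons([parse_security_event(x) for x in SAMPLE_EVENTS])
    return findings, parse_firewall_log(SAMPLE_FIREWALL_LOG)


if __name__ == "__main__":
    for item in run():
        print(item)
```

On a live host, feed it the output of `wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:xml`, split on `</Event>`, together with the contents of pfirewall.log. The firewall log is stamped in local time while SystemTime is UTC, so convert one side before lining the two sources up, and treat the first Type 10 logon that follows a burst of failures from the same address as the likely moment of initial access.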