Event ID 1024

As i’m sure i’ve mentioned before, event logs are a great source of evidence when performing incident response. In particular, lateral movement can be one of the hardest things to identify when investigating network based intrusions.

Event ID 1024 in log file Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx is an event that can sometimes be overlooked and it relates specifically to ActiveX controls in remote desktop.

In built ActiveX controls allow an administrator to configure the RDP user experience by providing scriptable interfaces and can allow embedding RDP ActiveX control in web pages and configuring URL security zones, as a couple of examples.

Screen Shot 2019-09-22 at 1.00.34 pm

Event ID 1024 which contains the following message:

“RDP ClientActiveX is trying to connect to the server (IP.ADDRESS OR HOSTNAME)”

Whether IP or hostname display here, will depend on what is entered in “Computer” files in the GUI for remote desktop.

Screen Shot 2019-09-22 at 12.59.55 pm

This event ID appears (in testing) to be generated when a user initiates an RDP connection using the RDP client MSTSC.exe in Windows by pressing ‘connect’.

The great thing is, event 1024 entries will be created whether a session is connects or not.

This means while an attacker may not have successfully connected via RDP to another computer, we may still see evidence of their attempts. This log may also persist longer than other logs too, where a Security log may only cover a days worth of activity, you may find months worth of evidence in this log.

When paired with 4648 Security events and other remote computer RDP logs, this can show both attempted or successful connection and authentication to a remote (target) computer.






4625 Events – Know your enemy

One of the interesting things about brute-forcing accounts and passwords effectively is that it requires either some prerequisite knowledge of the target, accounts, passwords or at very least some high level information about how and where they operate. Most account names in spraying attacks tend to be the day-to-day combinations of administrator, manager, reception, finance and so on. We do however, sometimes see account name usage which appears to be more specific. This occurs when an attacker has somehow captured or identified previously exposed credentials.

4625 Security events are a great place to see account and password spraying attacks against poorly configured RDP services. Unfortunately, the systems where we see these kind of attacks occurring are usually poorly configured. This means that logging generally doesn’t tend to surpass the Windows default retention period and the only place we may be able to look for further logs is in backups, if they exist.

However, if we have identified brute-force activity and we have access to logs going back far enough, we might be able to pull some extremely useful information from them.

When it comes to attribution, we can spend a lot of time looking for evidence of known domain or local accounts being compromised and used by the attackers. By focussing solely on these elements we may sometimes overlook the obvious.

One thing I like to do during initial log review is to spend some time scrolling and looking for any strangeness, patterns or commonalities in the data. As I mentioned before, the majority of account names that feature in RDP brute-force attacks tend to err toward standard expected account names, sometimes combined with a mixture of account names in other languages like Spanish, French or German.

What sort of account names have we seen used which may provide further information about the attacker?

  • Use of specific external domain names owned by the company (trump@trumptowers.com)
  • Use of mail account names for users in the company (donald.trump@trumptowers.com)
  • Use of named users in an environment (donald.trump)
  • Use of external domain names or mail addresses in the same country owned by external companies (barack@obamacare.com)
  • Use of external domain names or mail addresses in other countries owned by external companies (barack@obamacare.co.uk)

What does all this mean?

We should always try to remove ourselves from the specifics of an investigation and try to take a wholistic view. This might give us some useful insight to the attackers overall knowledge of the company, general capabilities and overall sophistication of the attacker based on their word lists. Lastly, you may also identify a potential compromise of a third party system through your review, which can lead to some interesting legal discussions.

Thanks for reading, happy logging!