Logon/Logoff History Analysis
RDP Connection History
Running the command below writes a CSV file to the directory set in the $TEMP environment variable.
F:\script\powershell>powershell -executionpolicy bypass -f RDPConnectionParser.ps1
Writing File: f:\Temp\2020-03-03T16.24.38_RDP_Report.csv
Done!
F:\script\powershell>type f:\temp\2020-03-03T16.24.38_RDP_Report.csv
"TimeCreated","User","ServerName","IPAddress","EventID","Action"
"2020-02-17 ?? 12:45:59","CHOHB\chohb","chohb","LOCAL","21","logon"
"2020-02-17 ?? 6:02:33","CHOHB\chohb","chohb",,"23","logoff"
"2020-02-18 ?? 8:47:25","CHOHB\chohb","chohb","LOCAL","21","logon"
"2020-02-18 ?? 6:02:18","CHOHB\chohb","chohb",,"23","logoff"
< Note >
Event ID 21: RDP logon
Event ID 22: RDP shell start
Event ID 23: RDP logoff
Event ID 24: RDP disconnected
Event ID 25: RDP reconnection
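The report CSV above is a flat list of events; for triage it is more useful as one row per session. The following is an added example in Python, not the RDPConnectionParser.ps1 script the post runs. It assumes the column layout shown in the report (TimeCreated, User, ServerName, IPAddress, EventID, Action) and the event-ID meanings from the note; its sample rows are constructed, with 24-hour timestamps in place of the locale AM/PM marker. It pairs each 21 with its 23, keeps the 22/24/25 events that fall between them, and lists sessions that were resumed from a different source address than the one they started from, which is exactly the kind of unwanted-connection detail worth checking.

```python
"""Turn an RDP_Report.csv into per-session records (added example, constructed data)."""
import csv
import io
from datetime import datetime

# Meaning of the TerminalServices-LocalSessionManager/Operational event IDs
# (the same mapping as the note above).
RDP_EVENTS = {
    "21": "logon",
    "22": "shell start",
    "23": "logoff",
    "24": "disconnected",
    "25": "reconnected",
}

# Constructed sample in the report's column layout: an ordinary workday session,
# then a session that was disconnected, reconnected from other addresses and logged off.
SAMPLE_CSV = """\
"TimeCreated","User","ServerName","IPAddress","EventID","Action"
"2020-02-17 12:45:59","CHOHB\\chohb","chohb","LOCAL","21","logon"
"2020-02-17 12:46:03","CHOHB\\chohb","chohb",,"22","shell start"
"2020-02-17 18:02:33","CHOHB\\chohb","chohb",,"23","logoff"
"2020-02-18 08:47:25","CHOHB\\chohb","chohb","LOCAL","21","logon"
"2020-02-18 09:10:00","CHOHB\\chohb","chohb","192.0.2.10","24","disconnected"
"2020-02-18 22:31:12","CHOHB\\chohb","chohb","198.51.100.7","25","reconnected"
"2020-02-18 22:40:18","CHOHB\\chohb","chohb",,"23","logoff"
"""


def parse_report(text):
    """Read the CSV, parse timestamps and normalise Action from the event ID; oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TimeCreated"] = datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S")
        row["Action"] = RDP_EVENTS.get(row["EventID"], "unknown")
        rows.append(row)
    return sorted(rows, key=lambda r: r["TimeCreated"])


def build_sessions(rows):
    """Pair each logon (21) with its logoff (23), keeping the 22/24/25 events in between."""
    open_sessions = {}  # user -> session currently being assembled
    sessions = []
    for r in rows:
        user, eid = r["User"], r["EventID"]
        if eid == "21":
            open_sessions[user] = {"user": user, "start": r["TimeCreated"], "end": None,
                                   "duration_min": None, "addresses": [r["IPAddress"]],
                                   "events": []}
            continue
        s = open_sessions.get(user)
        if s is None:
            continue  # disconnect/logoff whose logon is outside this export
        s["events"].append((r["TimeCreated"], r["Action"], r["IPAddress"]))
        if r["IPAddress"] and r["IPAddress"] not in s["addresses"]:
            s["addresses"].append(r["IPAddress"])
        if eid == "23":
            s["end"] = r["TimeCreated"]
            s["duration_min"] = int((s["end"] - s["start"]).total_seconds() // 60)
            sessions.append(open_sessions.pop(user))
    sessions.extend(open_sessions.values())  # sessions still open at end of export
    return sessions


def sessions_with_address_change(sessions):
    """Sessions that were continued from an address other than the one they began on."""
    return [s for s in sessions if len(s["addresses"]) > 1]


if __name__ == "__main__":
    for s in build_sessions(parse_report(SAMPLE_CSV)):
        print(s["user"], s["start"], s["end"], s["duration_min"], "min", s["addresses"])
```

A session that started from LOCAL and was later reconnected from two routable addresses shows up in the flagged list; the next step in an investigation is to tie those addresses to the 4624 logon-type-10 events in the Security log.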
Event log lookup
Session-related event files
F:\temp>dir %windir%\system32\winevt\logs\*session*.evtx
Microsoft-Windows-RemoteDesktopServices-SessionServices%4Operational.evtx
Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
< RDP Files >
Collect the %User Profile%\Documents\Default.rdp file as well.
These artifacts can be used to identify traces of RDP connections on the system under analysis. They support the possibility that, after connecting over RDP, a suspect transferred files or obtained information over the network; from an incident-response perspective, collecting information about unwanted connection requests helps establish when malicious activity took place on the system.
Export the log file
F:\temp>wevtutil epl /lf "C:\WINDOWS\system32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" "c:\temp\TerminalServices-LocalSessionManager-Operational.evtx"
List the column names
C:\>LogParser.exe -h -i:evt "c:\temp\TerminalServices-LocalSessionManager-Operational.evtx"
Query
F:\temp>LogParser.exe -stats:off -i:evt "select Timegenerated, strings, Eventid from 'c:\temp\TerminalServices-LocalSessionManager-Operational.evtx' where Eventid='21' or Eventid='22' or Eventid='23' or Eventid='24' or Eventid='25'"
Security event file
C:\DFIR\EventLog>wevtutil epl security security-export.evtx
C:\>LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'C:\temp\Security-Export.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') and EXTRACT_TOKEN(Strings, 8, '|')='10' "
< Note > Saving event log contents as text
C:\>wevtutil qe /lf "C:\WINDOWS\system32\winevt\logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" /f:text > "c:\temp\TerminalServices-LocalSessionManager-Operational.txt"
System event file
C:\DFIR\EventLog>wevtutil epl system system-export.evtx
Query in the same way.
NTLM Based Logon
possible pass-the-hash
C:\>LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'C:\temp\Security-Export.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"
All Logon History
Logon types for Event ID 4624
Each logon type can be queried separately.
C:\>LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'C:\temp\Security-Export.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"
Console logon
C:\>LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'C:\temp\Security-Export.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') and EXTRACT_TOKEN(Strings, 8, '|')='2' "
Network logon
C:\>LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'C:\Dropbox\DFIR\Window\Behaviour\Results\Security-Export.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') and EXTRACT_TOKEN(Strings, 8, '|')='3' "
Failed Logon History
unsuccessful logon
C:\>LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'C:\temp\Security-Export.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"
Find specific User
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'C:\temp\Security-Export.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"
Find specific IP
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'C:\temp\Security-Export.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"
check ntlm based attempts
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType, EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'C:\temp\Security-Export.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"
LogOff History
C:\>LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'C:\Dropbox\DFIR\Window\Behaviour\Results\Security-Export.evtx' WHERE EventID = 4634 AND Domain NOT IN ('NT AUTHORITY')"
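The selection logic of the LogParser queries above (the NOT IN account filters, the logon-type split, the NtLmSsp test for the "possible pass-the-hash" case, the 4625 failure list and the 4634 logoff list), carried out in Python over exported records, as an added example rather than anything from the post. It assumes the pipe-joined Strings layout the queries rely on: for 4624, token 8 is LogonType, 9 LogonProcessName (the field the queries alias as AuthPackage and match against NtLmSsp), 10 AuthenticationPackageName, 11 WorkstationName, 17 ProcessName and 18 IpAddress; for 4625, 10 LogonType, 11 LogonProcessName, 13 WorkstationName and 19 IpAddress; for 4634, 1 TargetUserName, 2 TargetDomainName and 3 TargetLogonId. Every record is constructed. It goes one step beyond the queries by pairing 4624 with 4634 through TargetLogonId to give a session duration, and by counting 4625 per source address and target account so repeated failures from one host stand out.

```python
"""Logon/logoff triage over exported Security events (added example, constructed data)."""
from collections import Counter
from datetime import datetime

# Accounts and domain excluded by every query in the post.
EXCLUDED_USERS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}
EXCLUDED_DOMAINS = {"NT AUTHORITY"}

# Logon type values carried by 4624/4625 and their documented meanings.
LOGON_TYPES = {
    "2": "Interactive (console)", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
    "10": "RemoteInteractive (RDP)", "11": "CachedInteractive",
}
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _strings(n, fields):
    """Build a pipe-joined Strings value of n tokens, as LogParser's EXTRACT_TOKEN sees it."""
    tokens = ["-"] * n
    for idx, value in fields.items():
        tokens[idx] = value
    return "|".join(tokens)

# Constructed records as (TimeGenerated, EventID, Strings), token order as assumed above.
def logon(ts, user, domain, ltype, proc, pkg, ws, image, ip, lid):
    return (ts, 4624, _strings(20, {5: user, 6: domain, 7: lid, 8: ltype, 9: proc,
                                    10: pkg, 11: ws, 17: image, 18: ip}))

def failed(ts, user, domain, ltype, proc, ws, ip):
    return (ts, 4625, _strings(21, {5: user, 6: domain, 10: ltype, 11: proc, 13: ws, 19: ip}))

def logoff(ts, user, domain, lid):
    return (ts, 4634, _strings(5, {1: user, 2: domain, 3: lid}))

WINLOGON = "C:\\Windows\\System32\\winlogon.exe"
RECORDS = [
    logon("2020-02-18 08:47:25", "chohb", "CHOHB", "10", "User32 ", "Negotiate", "CHOHB", WINLOGON, "10.1.47.151", "0x1a2b"),
    logon("2020-02-18 09:00:01", "SYSTEM", "NT AUTHORITY", "5", "Advapi  ", "Negotiate", "-", "C:\\Windows\\System32\\services.exe", "-", "0x3e7"),
    logon("2020-02-18 09:15:40", "WIN10$", "CHOHB", "3", "NtLmSsp ", "NTLM", "WIN10", "-", "10.1.47.20", "0x4c10"),
    logon("2020-02-18 11:05:12", "chohb", "CHOHB", "3", "NtLmSsp ", "NTLM", "WS-UNKNOWN", "-", "10.1.47.200", "0x5e01"),
    logon("2020-02-18 12:30:00", "admin", "CHOHB", "2", "User32 ", "Negotiate", "CHOHB", WINLOGON, "-", "0x9f0"),
    logoff("2020-02-18 18:02:18", "chohb", "CHOHB", "0x1a2b"),
]
# Five failed NTLM attempts against Administrator, then one against chohb, all from one host.
RECORDS += [failed(f"2020-02-18 11:03:{s:02d}", "Administrator", "CHOHB", "3", "NtLmSsp ", "WS-UNKNOWN", "10.1.47.200")
            for s in (1, 2, 4, 6, 9)]
RECORDS.append(failed("2020-02-18 11:04:30", "chohb", "CHOHB", "3", "NtLmSsp ", "WS-UNKNOWN", "10.1.47.200"))


def _keep(user, domain):
    """The NOT IN filters shared by every query above."""
    return user not in EXCLUDED_USERS and domain not in EXCLUDED_DOMAINS

def successful_logons(records):
    """4624 rows after the account filter, with fields named like the query columns."""
    out = []
    for ts, eid, strings in records:
        t = strings.split("|")
        if eid == 4624 and _keep(t[5], t[6]):
            out.append({"date": ts, "user": t[5], "domain": t[6], "logon_id": t[7],
                        "type": LOGON_TYPES.get(t[8], t[8]), "logon_process": t[9].strip(),
                        "auth_package": t[10], "workstation": t[11], "process": t[17],
                        "source_ip": t[18]})
    return out

def ntlm_user_logons(records):
    """The 'possible pass-the-hash' selection: NtLmSsp logon process, machine accounts excluded."""
    return [r for r in successful_logons(records)
            if "NtLmSsp" in r["logon_process"] and not r["user"].endswith("$")]

def failed_logons_by_source(records):
    """4625 counted per (source IP, target user); repeated failures from one host stand out."""
    counts = Counter()
    for ts, eid, strings in records:
        t = strings.split("|")
        if eid == 4625 and _keep(t[5], t[6]):
            counts[(t[19], t[5])] += 1
    return counts

def session_durations(records):
    """Pair 4624 with 4634 on TargetLogonId; returns {logon_id: whole minutes}."""
    starts = {r["logon_id"]: r for r in successful_logons(records)}
    durations = {}
    for ts, eid, strings in records:
        t = strings.split("|")
        if eid == 4634 and t[3] in starts:
            delta = datetime.strptime(ts, TIME_FMT) - datetime.strptime(starts[t[3]]["date"], TIME_FMT)
            durations[t[3]] = int(delta.total_seconds() // 60)
    return durations


if __name__ == "__main__":
    for r in successful_logons(RECORDS):
        print(r["date"], r["user"], r["type"], r["source_ip"])
    print("NTLM user logons:", [(r["user"], r["source_ip"]) for r in ntlm_user_logons(RECORDS)])
    print("Failed by source:", dict(failed_logons_by_source(RECORDS)))
    print("Session minutes:", session_durations(RECORDS))
```

In the constructed data the host 10.1.47.200 produces five failures against Administrator, one against chohb, and then a successful NTLM network logon as chohb: the pattern the Failed Logon History and NTLM queries are meant to surface when read together. The 4624/4634 pairing keys on TargetLogonId rather than on user name, so two concurrent sessions of the same account are not confused.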