Security Operations

Remote Desktop Protocol: Queries for Investigation

How can defenders begin to make sense of RDP issues on their networks? We present three powerful tools for investigators’ toolkits

Since investigators see so many RDP artifacts in the course of incident responses, they’ve naturally evolved a few favorite tools to seek out such activity. In this article, we’ll look broadly at some of the options open to defenders. In the final part of this series, we’ll dive into a few of our favorites, running through some of the typical queries Sophos X-Ops investigators use to make them effective. 

First, defenders should familiarize themselves with 21-40 Local Session Login events, which cover the typical IDs in the Terminal Services Local Session Manager operational event log showing connections, disconnects, reconnections, and similar activities. They should also know about the 1149 RDP Logins query, which looks in the Terminal Services Remote Connection Manager operational event log for the event ID 1149 (as the name suggests) in order to spot those successful RDP connections. 

Redundant? Perhaps, but for good reason. It may be that the attacker has cleared one of the event logs but not the other, making the discrepancy itself an interesting artifact. (Over the course of 2023, Sophos X-Ops’ Incident Response team noted that logs had been cleared in about 32% of the cases they handled.) Or it may be that there was an error in actually logging that event for whatever reason, and one event log has it and the other doesn’t. Since both logs exist, querying them both isn’t a wasted effort. 

The query called RDP Logins from External IPs is likewise useful for spotting inappropriate activity. The name makes it clear what the query does: It looks for RDP connections from external IP addresses, checking both of the event logs just mentioned. (This query won’t turn up connections that come in through a VPN, as those connections are assigned addresses from the VPN IP pool.) 

A less commonly used query with great utility for defenders is 4624_4625 Login Events. This one looks in the security event log for, as one would expect from the name, 4624 events (indicating a successful logon) or 4625 events (indicating a failed logon). These queries are most useful when looking for network-based logons – in the logs, that’s a logon of type 3. An RDP or Terminal Services (remote interactive) logon, on the other hand, is a logon type 10. 

When we’re looking for possible RDP lateral movement, this query can help us identify failed logins when Network Level Authentication is enabled. With RDP, if you fail to log in and Network Level Authentication or NLA is enabled, you will see a 4625 – so, a failed logon with a logon type 3. 

The following query will be of use when seeking devices that do not have NLA enabled (for ease of copying and pasting, we’ll also put a copy of this and other useful queries on our Github): 
 
SELECT
    path,
    name,
    data,
    strftime('%Y-%m-%dT%H:%M:%SZ', datetime(mtime, 'unixepoch')) AS last_modified_time
FROM registry
WHERE
    key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    AND name = 'SecurityLayer'
    AND data = 0;

The use of this query in this fashion may be a little confusing, because a type 3 logon is network-based, the kind typically associated with something like SMB, rather than an event that would obviously show lateral movement via RDP. However, if NLA is enabled, the log records the failure of the attempt: an RDP connection was attempted but did not succeed (4625). A failed RDP login where NLA is enabled shows up as a logon type 3, because the client authenticates across the network before the RDP session is established.

Seeing failed login events such as these can alert you to attempts on your network. It can also alert you to misconfigurations in your environment. Investigators often look for misconfigurations as they respond to incidents; in particular, disabled NLA, along with the DisableRestrictedAdmin setting for Restricted Admin Mode, is a dangerous (and common) misconfiguration, since it removes multiple layers of potential security protections. Defenders can therefore usefully query the registry to look for the specific key and value that indicate that NLA is disabled, perhaps finding and fixing the mistake before trouble comes through the door. 
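As an added illustration (not code from the article or from the SophosRapidResponse repository), the following Python triage applies the 4624/4625 logic described above to a handful of constructed Security-log events: it pulls out completed type-10 RDP logons from external addresses and counts the 4625/type-3 failures that NLA produces, keyed by source address. The event field names, the sample values and the "internal" ranges are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample 4624/4625 Security-log events (not real telemetry). Only the
# EventData members the triage needs are kept; a real parser would fill these
# from the event XML or from a log-shipping pipeline.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"EventID": 4625, "LogonType": 3,  "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"EventID": 4625, "LogonType": 3,  "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    {"EventID": 4625, "LogonType": 3,  "IpAddress": "10.0.0.5",    "TargetUserName": "admin"},
    {"EventID": 4624, "LogonType": 3,  "IpAddress": "10.0.0.5",    "TargetUserName": "svc_share"},
    {"EventID": 4625, "LogonType": 2,  "IpAddress": "-",           "TargetUserName": "jdoe"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.9",    "TargetUserName": "jdoe"},
]

# Address ranges treated as "inside" (assumed). Add the VPN client pool here:
# as the article notes, VPN users arrive with pool addresses and never look external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

def is_external(ip: str) -> bool:
    """External means parseable and outside every INTERNAL_NETS range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # Windows logs '-' when no network address applies
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def triage(events):
    """Split events into the two buckets the article describes."""
    # Type 10 = RemoteInteractive: a completed RDP / Terminal Services session.
    external_rdp = [(e["IpAddress"], e["TargetUserName"]) for e in events
                    if e["EventID"] == 4624 and e["LogonType"] == 10
                    and is_external(e["IpAddress"])]
    # With NLA on, a failed RDP attempt authenticates over the network first and
    # is logged as 4625 with LogonType 3, so count those per source address.
    nla_failures = Counter(e["IpAddress"] for e in events
                           if e["EventID"] == 4625 and e["LogonType"] == 3)
    return {"external_rdp_logons": external_rdp,
            "failed_type3_by_source": dict(nla_failures)}

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_EVENTS).items():
        print(bucket, rows)
```

Repeated type-3 failures from one source against several accounts, as in the sample, are the pattern to compare against the 1149 and 21-40 events on the same host.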

Remote Desktop Protocol: The Series

Part 1: Remote Desktop Protocol: Introduction (post, video)
Part 2: Remote Desktop Protocol: Exposed RDP (is dangerous) (post, video)
Part 3: RDP: Queries for Investigation ([you are here], video)
Part 4: RDP Time Zone Bias (post, video)
Part 5: Executing the External RDP Query (post, video)
Part 6: Executing the 4624_4625 Login Query (post, video)
GitHub query repository: SophosRapidResponse/OSQuery
Transcript repository: sophoslabs/video-transcripts
YouTube playlist: Remote Desktop Protocol: The Series