diff --git a/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_21_Info_RDS-SessLogon.yml b/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_21_Info_RDP-Logon.yml
similarity index 52%
rename from hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_21_Info_RDS-SessLogon.yml
rename to hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_21_Info_RDP-Logon.yml
index 466351055..a15b73321 100644
--- a/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_21_Info_RDS-SessLogon.yml
+++ b/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_21_Info_RDP-Logon.yml
@@ -1,10 +1,18 @@
 author: Zach Mathis
 date: 2022/12/07
-modified: 2022/12/07
+modified: 2024/11/10
 
-title: RDS Sess Logon
-details: 'User: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%'
-description:
+title: RDP Logon
+details: 'TgtUser: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%'
+description: |
+ This event is created when a new local session is created for either a local or remote interactive login when a user successfully authenticates and there is no existing local session.
+ This event will be created when a user logs on for the first time or after a logout but not after just a disconnect because the session will still exist.
+ In that case, a reconnect event will be created.
+ The Local Session Manager is responsible for creating or finding existing local sessions to support interactive logins.
+ Note that local sessions are different from logon sessions.
+ Local sessions represent the logon sessions, desktop layout, processes, etc. associated with an interactive logon.
+ SrcIP will be an IP address if it is a remote session and "LOCAL" if it is a local session.
+ This event gives the same information in Remote Connection Manager 1149, Local Session Manager 22 and Security 4648.
 
 id: b107551c-409d-44b8-bb0d-3b007c269881
 level: informational
@@ -22,6 +30,11 @@ tags:
 - RDP
 - attack.lateral_movement
 references:
+ - https://www.cybertriage.com/artifact/terminalservices_localsessionmanager_log/terminalservices_localsessionmanager_operational_21/
+ - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
+ - https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/
+ - http://blog.kiddaland.net/2015/02/remote-desktop-connections-terminal.html
+ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee891131(v=ws.10)?redirectedfrom=MSDN
 ruletype: Hayabusa
 
 sample-message: |
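Review bot: The closing cross-reference of the new description, `This event gives the same information in Remote Connection Manager 1149, Local Session Manager 22 and Security 4648.`, points analysts at what I believe is the wrong Security event: 4648 is "logon attempted using explicit credentials" and is not bound to a session being created, whereas the Security counterpart of a new RemoteInteractive local session is 4624 with LogonType 10 (and 4778/LogonType 7 for the reconnect case the description mentions). I would change the sentence to `... Local Session Manager 22 and Security 4624 (LogonType 10).` unless 4648 was deliberate, in which case the description should say in which configuration it appears. Please confirm against the Cyber Triage page added in the references before editing, since I am reasoning from the event semantics rather than from a captured log.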
diff --git a/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_22_Info_RDS-SessStart_Noisy.yml b/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_22_Info_RDP-SessStart_Noisy.yml
similarity index 53%
rename from hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_22_Info_RDS-SessStart_Noisy.yml
rename to hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_22_Info_RDP-SessStart_Noisy.yml
index 81bddfa48..736794179 100644
--- a/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_22_Info_RDS-SessStart_Noisy.yml
+++ b/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_22_Info_RDP-SessStart_Noisy.yml
@@ -1,10 +1,19 @@
 author: Zach Mathis
 date: 2022/12/07
-modified: 2022/12/16
+modified: 2024/11/10
 
-title: 'RDS Sess Start (Noisy)'
-details: 'User: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%'
-description:
+title: 'RDP Sess Start (Noisy)'
+details: 'TgtUser: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%'
+description: |
+ This event is created when a new local session is created for either a local or remote interactive login.
+ Original event message: “Shell start notification received”
+ The Local Session Manager is responsible for creating or finding existing local sessions to support interactive logins.
+ Note that local sessions are different from logon sessions.
+ Local sessions represent the logon sessions, desktop layout, processes, etc. associated with an interactive logon.
+ Event 22 is created when a new local session needs to be created.
+ That happens after a user successfully authenticates for a local or remote interactive logon session and the user does not already have an existing local session.
+ This event follows a Local Session Manager 21 event.
+ This event gives the same information in Remote Connection Manager 1149, Local Session Manager 21 and Security 4648.
 
 id: 320e2cb0-a56a-476f-a299-79dc45644fee
 level: informational
@@ -22,6 +31,11 @@ tags:
 - RDP
 - attack.lateral_movement
 references:
+ - https://www.cybertriage.com/artifact/terminalservices_localsessionmanager_log/terminalservices_localsessionmanager_operational_22/
+ - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
+ - https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/
+ - http://blog.kiddaland.net/2015/02/remote-desktop-connections-terminal.html
+ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ee891214(v=ws.10)
 ruletype: Hayabusa
 
 sample-message: |
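Review bot: The new description states the creation condition twice — the opening sentence and the later pair `Event 22 is created when a new local session needs to be created. That happens after a user successfully authenticates …` describe the same thing — so I would drop the first sentence and keep the "Original event message", the "needs to be created / after a user successfully authenticates" pair and the `follows a Local Session Manager 21 event` line, which together are what an analyst needs. The last line repeats the `Security 4648` cross-reference from the EID 21 rule; the Security event that normally accompanies a new RemoteInteractive session is 4624 with LogonType 10, so please confirm 4648 is intended here too. The `“…”` curly quotes around the original message are fine inside a block scalar but differ from the straight quotes used in the sibling EID 21 text (`"LOCAL"`); picking one style keeps the rule set greppable.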
diff --git a/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_23_Info_RDS-SessLogoff.yml b/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_23_Info_RDP-Logoff.yml
similarity index 66%
rename from hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_23_Info_RDS-SessLogoff.yml
rename to hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_23_Info_RDP-Logoff.yml
index 0d2ce780f..08fcb4449 100644
--- a/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_23_Info_RDS-SessLogoff.yml
+++ b/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_23_Info_RDP-Logoff.yml
@@ -1,10 +1,10 @@
 author: Zach Mathis
 date: 2022/12/07
-modified: 2022/12/07
+modified: 2024/11/10
 
-title: RDS Sess Logoff
-details: 'User: %UserDataUser% ¦ SessID: %UserDataSessionID%'
-description:
+title: RDP Logoff
+details: 'TgtUser: %UserDataUser% ¦ SessID: %UserDataSessionID%'
+description: Event 23 is created when a local session logs off. That happens after a user successfully logs off a local or remote interactive logon session. Not just a disconnect.
 
 id: e14a729f-f4f8-427b-a238-dfbde9c1614b
 level: informational
@@ -22,6 +22,11 @@ tags:
 - RDP
 - attack.lateral_movement
 references:
+ - https://www.cybertriage.com/artifact/terminalservices_localsessionmanager_log/terminalservices_localsessionmanager_operational_23/
+ - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
+ - https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/
+ - http://blog.kiddaland.net/2015/02/remote-desktop-connections-terminal.html
+ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee891131(v=ws.10)?redirectedfrom=MSDN
 ruletype: Hayabusa
 
 sample-message: |
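Review bot: The new `description:` is a single plain scalar holding three sentences, while every other LSM rule touched in this commit switches to a `|` block scalar with one sentence per line; for consistency and for line length I would write it as `description: |` followed by the sentences on separate lines. The trailing fragment `Not just a disconnect.` is the important caveat for an investigator and deserves a full sentence, e.g. `A disconnect alone does not produce this event; see the EID 24 rule.` No behavioural change is involved, so the `modified` date bump already in the hunk covers it.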
diff --git a/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_24_Info_RDS-SessDisconn.yml b/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_24_Info_RDP-Disconnect.yml
similarity index 64%
rename from hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_24_Info_RDS-SessDisconn.yml
rename to hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_24_Info_RDP-Disconnect.yml
index 811c0a2d2..aa780f623 100644
--- a/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_24_Info_RDS-SessDisconn.yml
+++ b/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_24_Info_RDP-Disconnect.yml
@@ -1,10 +1,13 @@
 author: Zach Mathis
 date: 2022/12/07
-modified: 2022/12/07
+modified: 2024/11/10
 
-title: RDS Sess Disconnect
-details: 'User: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%'
-description:
+title: RDP Disconnect
+details: 'TgtUser: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%'
+description: |
+ Event 24 is created when a local session disconnects. That happens after a user successfully logs off or disconnects a local or remote interactive logon session.
+ This event immediately follows a EID 23 RDP Logoff event.
+ This event has the same information as EID 23 and Security EID 4634.
 
 id: 3fc6234f-93a5-4d48-b618-30e2c69c0a86
 level: informational
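Review bot: `This event immediately follows a EID 23 RDP Logoff event.` contradicts the first sentence of the same description and the EID 21 and 23 rules in this commit: on a plain disconnect (closing the RDP window) no EID 23 is written and the local session survives for a later reconnect, so EID 24 is often the only LSM event for that action. I would replace the second and third lines with `On a full logoff this event follows EID 23; on a plain disconnect it is the only Local Session Manager event and the session remains for a later EID 25 reconnect.` and `Security 4634 matches only the logoff case; a session disconnect is reported as Security 4779 (with 4778 on reconnect).` — the 4779/4778 mapping is from memory, so please verify before keeping it. Minor: `a EID` should read `an EID`.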
@@ -22,6 +25,11 @@ tags:
 - RDP
 - attack.lateral_movement
 references:
+ - https://www.cybertriage.com/artifact/terminalservices_localsessionmanager_log/terminalservices_localsessionmanager_operational_24/
+ - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
+ - https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/
+ - http://blog.kiddaland.net/2015/02/remote-desktop-connections-terminal.html
+ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee891131(v=ws.10)?redirectedfrom=MSDN
 ruletype: Hayabusa
 
 sample-message: |
diff --git a/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_25_Info_RDS-SessReconn.yml b/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_25_Info_RDP-Reconnect.yml
similarity index 93%
rename from hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_25_Info_RDS-SessReconn.yml
rename to hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_25_Info_RDP-Reconnect.yml
index 1f2bf9c8f..d4f3722e3 100644
--- a/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_25_Info_RDS-SessReconn.yml
+++ b/hayabusa/builtin/TerminalServices-LocalSessionManager_Op/LocalSessManager_25_Info_RDP-Reconnect.yml
@@ -1,8 +1,9 @@
 author: Fukusuke Takahashi
 date: 2024/11/03
+modified: 2024/11/10
 
-title: RDS Sess Reconnect
-details: "User: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%"
+title: RDP Reconnect
+details: "TgtUser: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%"
 description:
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet_jp/details/mstsc.htm
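Review bot: In the EID 25 hunk `description:` is left as a bare empty value (a YAML null) even though this commit fills in the description of every other Local Session Manager rule, and the EID 21 text already spells out when a reconnect occurs. Something like `description: Event 25 is created when a user reconnects to an existing local session that was disconnected (EID 24) rather than logged off (EID 23). SrcIP is the reconnecting client.` would make the rule self-explanatory and consistent with its siblings. The rest of the EID 25 rule (id, level, detection) lies outside the hunk.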
diff --git a/hayabusa/builtin/TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_1149_Info_RDS-Logon.yml b/hayabusa/builtin/TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_1149_Info_RDP-LogonAttempt.yml
similarity index 53%
rename from hayabusa/builtin/TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_1149_Info_RDS-Logon.yml
rename to hayabusa/builtin/TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_1149_Info_RDP-LogonAttempt.yml
index 2a217f119..e3580d02a 100644
--- a/hayabusa/builtin/TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_1149_Info_RDS-Logon.yml
+++ b/hayabusa/builtin/TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_1149_Info_RDP-LogonAttempt.yml
@@ -1,10 +1,17 @@
 author: Zach Mathis
 date: 2022/12/07
-modified: 2022/12/07
+modified: 2024/11/10
 
-title: RDS Logon
-details: 'User: %UserDataParam1% ¦ Domain: %UserDataParam2% ¦ SrcIP: %UserDataParam3%'
-description: 'Logon for RDS (Remote Desktop Services). Formerly known as Terminal Services. Similar to RDP.'
+title: RDP Logon
+details: 'TgtUser: %UserDataParam1% ¦ Domain: %UserDataParam2% ¦ SrcIP: %UserDataParam3%'
+description: |
+ Logon for RDS (Remote Desktop Services). Formerly known as Terminal Services.
+ Uses RDP so I am refering to these as RDP Logons as that is what most people will expect.
+ On newer OSes (Win 7+, 2012+), this event is logged only when a user successfully logs on to a RDP session.
+ On older OSes (Vista, 2008), this event is logged when a user logs on to a RDP session, regardless of success.
+ This event might be be created when rdesktop is used as a client and NLA is disabled.
+ User and domain names are empty if the server is configured with Restricted Admin.
+ Information in this event is also found in the Security event log.
 
 id: e91c514e-08c5-4c42-96d7-ab1f5668a2f7
 level: informational
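Review bot: The new `title: RDP Logon` is identical to the title the LSM EID 21 rule receives in this same commit, while the file itself is renamed to `RDP-LogonAttempt`; two rules with the same title but different meanings will be indistinguishable in Hayabusa's output, and the description's own "regardless of success" caveat argues for the more cautious name. I would use `title: RDP Logon Attempt` to match the filename. The claim `this event is logged only when a user successfully logs on` also overstates 1149 in my experience — with NLA it shows the credentials passed network-level authentication, not that a session was granted (a user without remote-logon rights still produces it) — so I would phrase it as "successfully authenticates" and leave session creation to the LSM 21 rule; confirm against the cited references. Two typos in the block: `refering` → `referring`, `might be be created` → `might be created`.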
@@ -21,7 +28,15 @@ falsepositives:
 tags:
 - RDP
 - attack.lateral_movement
+ - attack.initial_access
 references:
+ - https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/terminalservices_remoteconnectionmanager_operational_1149/
+ - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
+ - http://blog.kiddaland.net/2015/02/remote-desktop-connections-terminal.html
+ - https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/
+ - https://port139.hatenablog.com/entry/2019/03/23/091740
+ - https://digitalforensicsurvivalpodcast.com/2023/01/31/dfsp-363-rdp-forensics/
+ - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee907328(v=ws.10)?redirectedfrom=MSDN
 ruletype: Hayabusa
 
 sample-message: |
diff --git a/hayabusa/builtin/TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_261_Info_RDP-Conn_Noisy.yml b/hayabusa/builtin/TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_261_Info_RDP-Conn_Noisy.yml
new file mode 100644
index 000000000..ea748ecc1
--- /dev/null
+++ b/hayabusa/builtin/TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_261_Info_RDP-Conn_Noisy.yml
@@ -0,0 +1,33 @@
+author: Zach Mathis
+date: 2022/12/07
+modified: 2024/11/10
+
+title: 'RDP Conn (Noisy)'
+details: ''
+description: |
+ This event is generated when anyone connects to RDP and sends data. It does not need to be a legitimate RDP connection.
+ Unfortunately, there are no details about the remote machine.
+ This event is noisy and will generate a lot of logs and is of limited investigative value.
+ If you see a large number of these events, but not successful logon events with EID 1149, etc... then it may indicate a brute force attack.
+ The Security event log will have more information so this event is only useful if the Security event logs are not available.
+
+id: 6dbed1df-f08a-47ab-9a58-999c0787d034
+level: informational
+status: stable
+logsource:
+ product: windows
+detection:
+ selection:
+ Channel: 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
+ EventID: 261
+ condition: selection
+falsepositives:
+ - administrator
+tags:
+ - RDP
+ - attack.lateral_movement
+references:
+ - https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/terminalservices_remoteconnectionmanager_operational_261/
+ruletype: Hayabusa
+
+sample-message: 'Listener RDP-Tcp received a connection'
\ No newline at end of file
diff --git a/hayabusa/builtin/TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_261_Info_RDS-Conn_Noisy.yml b/hayabusa/builtin/TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_261_Info_RDS-Conn_Noisy.yml
deleted file mode 100644
index 60829d37c..000000000
--- a/hayabusa/builtin/TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_261_Info_RDS-Conn_Noisy.yml
+++ /dev/null
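Review bot: The brute-force heuristic in the new description, `If you see a large number of these events, but not successful logon events with EID 1149, etc... then it may indicate a brute force attack.`, uses 1149 as the success signal, but the 1149 rule in this same commit says that event is written regardless of success on older OSes, so the sentence should point at what actually proves a session: Security 4624 with LogonType 10 or LSM EID 21. I would rewrite it as `A burst of these events with no matching Security 4624 (LogonType 10) / LSM EID 21 may indicate password guessing; compare the count against Security 4625 failures from the same period.` — the 4625 pairing is from memory, so verify. Two smaller points: `details: ''` replaces the previous `'-'`, and it is worth checking which form Hayabusa treats as "no details" so the column does not render as an empty cell; and the file is committed without a trailing newline (`\ No newline at end of file`), unlike the other rules here.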
@@ -1,27 +0,0 @@
-author: Zach Mathis
-date: 2022/12/07
-modified: 2022/12/07
-
-title: 'RDS Connection (Noisy)'
-details: '-'
-description: 'There was a connection to the RDS service. Unfortunately there are no details in this event log.'
-
-id: 6dbed1df-f08a-47ab-9a58-999c0787d034
-level: informational
-status: stable
-logsource:
- product: windows
-detection:
- selection:
- Channel: 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
- EventID: 261
- condition: selection
-falsepositives:
- - administrator
-tags:
- - RDP
- - attack.lateral_movement
-references:
-ruletype: Hayabusa
-
-sample-message: 'Listener RDP-Tcp received a connection'
\ No newline at end of file