Event ID 1024 | By Gary Hunter

As I’m sure I’ve mentioned before, event logs are a great source of evidence when performing incident response. In particular, lateral movement can be one of the hardest things to identify when investigating network-based intrusions.

Event ID 1024 in the log file Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx is an event that can sometimes be overlooked; it relates specifically to the ActiveX control used by the Remote Desktop client.

The built-in ActiveX control allows an administrator to configure the RDP user experience through scriptable interfaces; embedding the RDP ActiveX control in web pages and configuring URL security zones are a couple of examples.

Event ID 1024 contains the following message:

“RDP ClientActiveX is trying to connect to the server (IP.ADDRESS OR HOSTNAME)”

Whether an IP address or a hostname is displayed here depends on what was entered in the “Computer” field of the Remote Desktop client GUI.

This event ID appears (in testing) to be generated when a user initiates an RDP connection using the Windows RDP client, MSTSC.exe, by pressing ‘Connect’.

The great thing is that event 1024 entries are created whether or not the session actually connects.

This means that even where an attacker did not successfully connect via RDP to another computer, we may still see evidence of their attempts. This log may also persist longer than other logs: where a Security log may only cover a day’s worth of activity, you may find months’ worth of evidence in this log.

When paired with Security event 4648 (logon attempted using explicit credentials) and the RDP-related logs on the remote computer, this can show both attempted and successful connection and authentication to a remote (target) computer.
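The pairing described above, as an added example that is not part of the original post: it parses the 1024 message format quoted earlier, extracts the target from each attempt, and checks whether a Security 4648 event naming the same target followed within a short window. The event records are constructed sample data, not real logs, and the tuple layout, window size and field names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Message format of event 1024, as quoted in the post.
RDP_1024_RE = re.compile(
    r"RDP ClientActiveX is trying to connect to the server \((?P<target>[^)]+)\)")
# The "Target Server Name" field of a Security 4648 event (explicit credential logon).
TARGET_4648_RE = re.compile(r"Target Server Name:\s*(?P<target>\S+)")

# Constructed sample records (timestamp, event id, message); not real log data.
SAMPLE_EVENTS = [
    ("2019-09-22 12:58:10", 1024,
     "RDP ClientActiveX is trying to connect to the server (10.0.0.25)"),
    ("2019-09-22 12:58:14", 4648,
     "A logon was attempted using explicit credentials. Target Server Name: 10.0.0.25"),
    ("2019-09-22 13:00:30", 1024,
     "RDP ClientActiveX is trying to connect to the server (FILESRV01)"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def rdp_attempts(events):
    """Return (time, target) for every 1024 event; the target is recorded
    whether or not the session later connected."""
    out = []
    for ts, eid, msg in events:
        m = RDP_1024_RE.search(msg) if eid == 1024 else None
        if m:
            out.append((_ts(ts), m.group("target")))
    return out

def correlate(events, window_seconds=60):
    """Pair each 1024 attempt with a 4648 event naming the same target within
    window_seconds. Unmatched attempts are still reported: an attempt with no
    following authentication is itself worth a look during an investigation."""
    logons = []
    for ts, eid, msg in events:
        m = TARGET_4648_RE.search(msg) if eid == 4648 else None
        if m:
            logons.append((_ts(ts), m.group("target").lower()))
    window = timedelta(seconds=window_seconds)
    results = []
    for when, target in rdp_attempts(events):
        matched = any(t == target.lower() and when <= lt <= when + window
                      for lt, t in logons)
        results.append({"when": when, "target": target, "explicit_creds_4648": matched})
    return results

if __name__ == "__main__":
    for r in correlate(SAMPLE_EVENTS):
        print(r)
```

On a live host the same records can be pulled from the RDPClient Operational channel and the Security log (for example with Get-WinEvent) and fed to the functions in the same tuple form.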

References:

https://nullsec.us/windows-rdp-related-event-logs-the-client-side-of-the-story/

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648

https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/

Originally posted here: https://salt4n6.com/2019/09/22/event-id-1024/

October 4, 2019