RD Gateway (The Front Door)
Exposed to the public internet, it encapsulates RDP traffic (TCP 3389) inside HTTPS (TCP 443). Attack Surface: The absolute primary target for Password Spraying and brute-force campaigns.
Artifact Analysis: Remote Desktop Services (RDS) Forensics
1. Architectural Components & The Attack Surface
Section titled “1. Architectural Components & The Attack Surface”To effectively investigate an RDS farm, analysts must understand its specialized roles. Threat actors target these roles distinctly during different phases of the kill chain.
RD Web Access
An IIS-based web portal for users to launch applications. Attack Surface: Susceptible to traditional web exploits. A spike in ASP.NET errors (Event ID 1307/1309 in the Application log) often indicates active web vulnerability scanning.
RD Session Host (The Lateral Movement Hub)
The “workhorse” server where users actually log in and execute applications. Attack Surface: Because dozens of users share the same memory space, if an attacker compromises a Session Host, they can dump the LSASS memory and harvest credentials for multiple high-value targets simultaneously.
2. Telemetry Part 1: The RD Gateway (Perimeter Logging)
Section titled “2. Telemetry Part 1: The RD Gateway (Perimeter Logging)”The RD Gateway serves as the ultimate source of truth for external access. Its logs capture the attacker’s public IP address before the connection is routed internally.
These events are located in: Applications and Services Logs > Microsoft > Windows > TerminalServices-Gateway > Operational.
- Event ID 302: The user met connection authorization requirements (Authorized).
- Event ID 303: The user failed to meet connection authorization requirements. A massive storm of 303 events is the definitive signature of an external Brute Force or Password Spraying attack.
- Event ID 300: The user successfully connected to the internal target resource (The Session Host).
- Event ID 200: The user disconnected from the internal resource.
3. Telemetry Part 2: The Session Host (Internal Logging)
Section titled “3. Telemetry Part 2: The Session Host (Internal Logging)”Once the attacker passes the Gateway, their activity is logged on the Session Host.
Standard Security Logs
Section titled “Standard Security Logs”As detailed in our Logon Activity Guide, analysts must hunt for Event ID 4624 (Logon Type 10 - RemoteInteractive). This signifies a successful RDP connection to the host.
Local Session Manager Logs
Section titled “Local Session Manager Logs”For granular session lifecycles, analysts rely on: Applications and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager > Operational.
- Event ID 21: Session logon succeeded.
- Event ID 22: Shell start notification received (The Windows Desktop has successfully loaded for the attacker).
- Event ID 24: Session disconnected (The attacker closed the window but left the session running).
- Event ID 25: Session reconnection succeeded (The attacker came back to an existing session).
4. The DFIR Trap: User Profile Disks (UPDs)
Section titled “4. The DFIR Trap: User Profile Disks (UPDs)”This is one of the most common pitfalls for junior forensic analysts.
In modern RDS farms, administrators use User Profile Disks (UPDs) to ensure a user’s settings follow them across different Session Hosts. A UPD is a virtual hard disk file (.vhdx) stored on a centralized network share. When the user logs in, the .vhdx is dynamically mounted as their C:\Users\<username> directory.
The Forensic Consequence:
If an analyst acquires a forensic image of the physical C: drive of the Session Host, they will find absolutely nothing inside the compromised user’s directory. The NTUSER.DAT hive, the Shellbags, and the UserAssist artifacts are not on the Session Host; they are locked inside the .vhdx file on the remote file server.
The Solution: Analysts must identify the central UPD file share, copy the specific UVHD-<User-SID>.vhdx file associated with the compromised account, mount it on a forensic workstation, and extract the artifacts directly from the virtual disk.
5. Threat Hunting Queries
Section titled “5. Threat Hunting Queries”// Detects external password spraying campaigns targeting the RD Gateway// using TerminalServices-Gateway Event ID 303 (Authorization Failed)Event| where EventLog == "Microsoft-Windows-TerminalServices-Gateway/Operational"| where EventID == 303| parse EventData with * 'Username">' Username '</Data>' *| parse EventData with * 'IpAddress">' SourceIP '</Data>' *| summarize FailedAttempts = count(), UniqueUsers = dcount(Username) by SourceIP, bin(TimeGenerated, 10m)// Alert threshold: A single external IP attempting to login to more than 15 unique accounts within 10 minutes| where UniqueUsers > 15| project TimeGenerated, SourceIP, FailedAttempts, UniqueUsers| sort by TimeGenerated desc# Tracks successful external logins traversing the RD Gateway (Event 300)# Provides the exact mapping between the external IP and the internal Session Hostindex=windows sourcetype="WinEventLog:Microsoft-Windows-TerminalServices-Gateway/Operational" EventCode=300| rex field=Message "The user "(?<User>[^"]+)", on client computer "(?<SourceIP>[^"]+)", successfully connected to the remote server "(?<TargetServer>[^"]+)""| table _time, SourceIP, User, TargetServer| sort - _timeReferences & Further Reading
Section titled “References & Further Reading”- SANS Institute: Windows Forensic Analysis
- MITRE ATT&CK: Remote Services: Remote Desktop Protocol (T1021.001)
- Related Artifact: Windows Logon Events (4624 & 4625)
- Related Artifact: UserAssist & MUIcache Analysis
- Related Artifact: Shellbags Navigation History