Share this page!

Dray Agha Profile picture
Twitter logo
Sep 8 10 tweets 5 min read
I wanted to share some findings about RDP, Network Layer Authentication, LogonTypes and brute forcing 🔭

Recently, we perused some EventID 4625s (login failures) originating from public IPv4s brute forcing...
🧵
I kept finding LogonType 3s (network)

However only RDP was externally exposed on the machine, which usually records LogonType 10....

When this has happened before, I usually just assume its Windows jank and continue with my investigation 🤷‍♂️

But this time, I wanted to know WHY
The wise @DaveKleinatland suggested Network Layer Authentication (NLA) would explain this:

"
NLA takes place before the session is started... without NLA things can be exposed before any sort of authentication.... like domain name, usernames, last logged on user, etc
"
- Dave 🧙‍♂️
Some detailed explanations of Network Layer Auth, and its relationship with RDP, come from the also wise @SteveSyfuhs

- syfuhs.net/should-i-turn-…
- syfuhs.net/how-authentica…
So the possible explanation:

Network Layer Authentication, when enabled, can change RDP login fails to be type 3s and not type 10s

Well, returning back to our case, lets validate that by querying the following in the Windows Registry 🧑‍🔬...
`HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`

Look for `UserAuthentication`

According to documentation, if
- UserAuthentication = 0, NLA is not enabled.
- UserAuthentication = 1, NLA is enabled.

0 is default
docs.microsoft.com/en-us/windows-…
Querying our problem machine, we do indeed see that UserAuth = 1 and NLA is enabled.

Therefore we have an explanation why the RDP brute forces came in as LogonType 3s and not 10s.
To further validate this explanation, I found an old case that had RDP exposed and had LogonType 10 failures

Here, when we query the same registry location, UserAuth = 0 and NLA is not enabled.

That NLA was absent explains why there are numerous Type 10s when we check the 4625s
In summary for our case:

Network Layer Auth will report RDP-related 4625s as LogonType 3s and not the 10s that we would expect.

Many knew about this already, and I've included some of their tweets below



I hope this proves useful to someone!

Do you like seeing real attack data alongside explanations?

You'll probs enjoy the upcoming @HuntressLabs TradeCraft Tuesday, led by the Godparents of #DFIR Jamie Levy (@gleeda) and Harlan Carvey (@keydet89)

huntress.com/resources/webi…

🧵✂️

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Dray Agha

Dray Agha Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Purp1eW0lf

Dray Agha Profile picture
Aug 17
In a recent intrusion, we identified a threat actor had compromised the Windows login process, and siphoned cleartext credentials - using a technique known as NPPSPY

@0gtweet’s NPPSPY was fascinating to dissect and remediate.

Huge thanks to @keydet89 for guidance and wisdom
Our article couldn’t show what this cleartext credential gathering looked like on the compromised machine, but we recreated the electrifying end product
IOCs and Behavior
- T1003

- Values under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
◦For our case: logincontroll

- Unexplained entries in HKLM\SYSTEM\CurrentControlSet\Services\<here>\NetworkProvider
◦For our case: logincontroll
Read 5 tweets
Dray Agha Profile picture
Aug 16
Cobalt Strike ain't 💩

Let's chat about how to unravel Cobalt Strike and deny the adversary further access

As ALWAYS, I am showing you data so fresh out the kitchen it hasn't even been cleared by ThreatOps Director @MaxRogers5 👀🧑‍🍳 🧵
Cobalt Strike can often trigger AMSI alerts in Defender. The frustrating thing about AMSI alerts is that they don't tell you what the offending activity WAS.

The alert here was PowerShell based....so let's dig a lil deeper
Go collect C:\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx , and go get my favourite tool - Chainsaw.

Take note your detection time (06:43).

Point chainsaw at your PwSh log, with this time
Read 13 tweets
Dray Agha Profile picture
May 18
Inspired by a SANS poster, I wanted to look at a couple of security solutions and see if their logs provided any key insights an analyst could leverage.

sans.org/posters/window… Image
The scenario : if given only product-relevant raw data & logs, would X security solution have data on the host that provides any security value and help with our investigation.

This is a specific use case I know. But it's something I find myself needing every day at work
Our conversation is about a singular machine, and the transparency, ease-of-access, and security-value of the logs and raw data of various security solutions. We’ll be staying in Windows world for this particular thread.

In our scenario, we have no GUI access to the AV
Read 33 tweets
Dray Agha Profile picture
Mar 17
SRUM is maybe one of the best Windows digital forensic artefacts, if you’re willing to roll your sleeves up.

You can get proof of execution and execution runtime, as well as proof of network communication and the bytes sent and received

Let's take a look in this #DFIR thread🧵
Since Win8, System Resource Usage Monitor (SRUM) monitors a bunch!

What we’re most interested in is its detailed record of programs and network activity.

SRUM has a LONG memory compared to some of the other more ephemeral artefacts📜
To put SRUM to forensic work, grab its .DAT file

C:\Windows\System32\sru\SRUDB.dat

To gain extra contextual data, we're advised to also collect the SOFTWARE hive.

I didn't do that however, because I am a bad person 😞 Image
Read 16 tweets
Dray Agha Profile picture
Mar 9
As a security investigator, what are your thoughts when you see this result in your SIEM? 🚨

Bad, right?

Let’s discuss how we can conclude something is a false positive, and what we can do with that information🧵
When drafting some internal docs the other morning, I wanted a screenshot of an Elastic search.

Without intending to start any drama, I searched for a string associated with Impacket's lateral movement tools :

*\\\\127.0.0.1\\ADMIN*

github.com/SecureAuthCorp…
I expected some internal test data, or even results from previously identified activity.

So you can imagine my surprise when I saw results that were from a handful of hours ago
Read 19 tweets
Dray Agha Profile picture
Feb 28
Let’s have a chat about web browser investigations

We’ll look at Chrome, Edge, Firefox, and Safari’s data. And investigate if a user has downloaded anything from a dubious, malicious source.

Along the way, we'll drop tips on formatting the data so it's easier to look at.

🧵
We’re not concerned if other members of our org are looking at eBay or cat memes during work hours.

If your employer has tasked you to snoop on your peers' browser history, then dm me about finding a new job.

We're focusing on downloads and their corresponding URLs.
According to this graph I didn’t fact check, Chrome and Safari dominate the game.

Investigating Edge is similar to Chrome, so we’ll look at that too. And Firefox is 4th place, so we'll take a look here too. Image
Read 19 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(