# Lateral movement **Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on:** [**artefacts.help**](https://artefacts.help/)**.** **The artefacts generated independently of the lateral movement technics used are introduced in the `[DFIR] Windows - Account Usage` note. The artefacts presented below are associated with a given lateral movement technique.** ### Remote Desktop artefacts #### Destination machine | Artefact | Location | Conditions | Description | Information yield | | ------------------------------------------- | ----------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | EVTX | `Security.evtx` | Default configuration. |

Event 4624: An account was successfully logged on.

LogonType field:

LogonType 10 for standard RemoteInteractive authentication.

Replaced by LogonType 7 (This workstation was unlocked) for existing session unlocking.

Replaced by LogonType 3 for RDP RestrictedAdmin mode.

Eventual prior event 4624 LogonType 3 for NLA authentication.

Source user domain and username.

Source machine hostname / IP.

Event 4778: A session was reconnected to a Window Station.

Event 4779: A session was disconnected from a Window Station.

Source user domain and username.

Source machine hostname / IP.

Event 1149: Remote Desktop Services: User authentication succeeded

Does not indicate a successful session opening but an access to the Windows login screen. This event is however only generated upon successful authentication if Network Level Authentication (NLA) is required.

Source user domain and username.

Source machine IP.

This event followed by unusual / suspicious activity of NT AUTHORITY\SYSTEM may indicate the use of a Sticky Keys or Utilman backdoor.

Event 21: Remote Desktop Services: Session logon succeeded.

Event 22: Remote Desktop Services: Shell start notification received.

Event 23: Remote Desktop Services: Session logoff succeeded.

Event 25: Remote Desktop Services: Session reconnection succeeded.

With Source Network Address != LOCAL.

Source user domain and username.

Source machine IP.

| | EVTX | `Microsoft-WindowsRemoteDesktopServicesRdpCoreTS%4Operational.evtx` |

Default configuration.

Introduced in >= Windows Server 2012.

Event 131: The server accepted a new TCP connection from client \.

Does not indicate a successful session opening but a network access to the RDS service.

Prefetch files related to RDP activity:

TSTHEME.EXE-\.pf

RDPCLIP.EXE-\.pf

| Timestamp of last runs and overall number of executions. | |

Filesystem

MFT

UsnJrnl

C:\Windows\Prefetch\

$MFT

$Extend$UsnJrnl

| Only generated on Windows desktop OS by default. |

Entries for Prefetch files related to RDP activity:

TSTHEME.EXE-\.pf

RDPCLIP.EXE-\.pf

The most recent Prefetch file LastModified timestamp correspond to the last RDP activity.

The MFT and UsnJrnl may yield information about RDP historic activity.

| |

Shimcache

Amcache

HKLM\SYSTEM registry hive

Amcache.hve

| Unreliably generated. | Entries for `rdpclip.exe` and / or `tstheme.exe`. | | #### Source machine | Artefact | Location | Conditions | Description | Information yield | | -------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | EVTX | `Security.evtx` |

Default configuration.

Only logged if NLA is enabled on the destination AND alternate credentials are used.

Event 4648: A logon was attempted using explicit credentials.

Legacy:
Events 552: Logon attempt using explicit credentials.

Current logged-on user's domain and username.

Alternate user's domain and username.

Destination machine's hostname. The Network Information section only yields information about the client.

Event 1024: RDP ClientActiveX is trying to connect to the server (\).

Event 1102: The client has initiated a multi-transport connection to the server \.

Event 1029: Base64(SHA256(UserName)) is = \.
This CyberChef formula can be used to compute the hash.

Current logged-on user's domain and username.

Event 1024: destination machine's hostname.

Event 1102: destination machine's IP.

| | Registry |

C:\Users\<USERNAME>\NTUSER.DAT
NTUSER\Software\Microsoft\Terminal Server Client\Servers

Requires Audit process tracking to be enabled.

For the process arguments to be logged, Include command line in process creation events must be enabled as well.

Event 4688: A new process has been created.

New Process Name: C:\Windows\System32\mstsc.exe.

Current logged-on user's domain, username and LogonID.

Parent process.

If the destination machine is specified in the command line, and the command line logged, yields the destination machine's hostname / IP.

| (SourceName = 'Microsoft-Windows-TerminalServices-LocalSessionManager' AND (EventID = 21 or EventID = 22 or EventID = 23 or EventID = 24 or EventID = 25 or EventID = 39 or EventID = 40)) (SourceName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager' AND EventID = 1149)" ### PsExec artefacts ### Remote Scheduled Tasks artefacts *Remote job schedule registration, execution and deletion* Location : Victim `Microsoft-Windows-TaskScheduler%4Operational.evtx` hive. Artifact : Task Scheduler Event Log(since win7) * Registering Job schedule ID : 106 * Account Name used to registration * Job Name : Usually “At#” form * Starting Job schedule ID : 200 * The path of file executed for job * Deleting Job schedule ID : 141 * Account Name used for the deletion The creation, execution and deletion of a scheduled task will notably, in addition to `Security` `EID 4624` and `EID 4672` events, generate the following Windows events: * `Microsoft-Windows-TaskScheduler/Operational` hive, `EID 106: User "\ | " registered Task Scheduler task "\"`. * `Microsoft-Windows-TaskScheduler/Operational` hive, `EID 140: User "\ | " updated Task Scheduler task "\"`. * `Microsoft-Windows-TaskScheduler/Operational` hive, `EID 141: User "\ | " deleted Task Scheduler task "\"`. * `Microsoft-Windows-TaskScheduler/Operational` hive, `EID 129: Task Scheduler launch task "\", instance "" with process ID `. * `Microsoft-Windows-TaskScheduler/Operational` hive, `EID 100: Task Scheduler started "" instance of the "\" task for user "NT AUTHORITY\SYSTEM | \ | "`. * `Microsoft-Windows-TaskScheduler/Operational` hive, `EID 140: User "\ | " updated Task Scheduler task "\"`. * `Security`, if `Audit object access` is enabled for `Success` and `Failure`, `EID 4698: A scheduled task was created`. Includes the scheduled task detailed configuration (author, triggers, executing user, command and eventual command argument, etc.) and can be correlated to a logon session using the event `Logon ID`. * `Security`, if `Audit object access` is enabled for `Success` and `Failure`, `EID 4702: A scheduled task was updated`. Specifies the user at the origin of the modification, the task name of the updated scheduled task and can be correlated to a logon session using the event `Logon ID`. * `Security`, if `Audit object access` is enabled for `Success` and `Failure`, `EID 4699: A scheduled task was deleted`. Specifies the user at the origin of the modification, the task name of the updated scheduled task and can be correlated to a logon session using the event `Logon ID`. ### Remote Windows Services artefacts ### WMI artefacts ### WinRM artefacts \| Microsoft-Windows-WinRM/Operational | 6 | X | `Creating WSMan Session`.\ Logged on the client host. The event connection string field include the remote host address. | | Microsoft-Windows-WinRM/Operational | 91 | X | `Session creation`. | | Microsoft-Windows-WinRM/Operational | 161 | X | `The client cannot connect to the destination specified in the request.`\ Error event, logged on the remote system.\ The `User` and `Computer` event fields provide information on the client. | | Microsoft-Windows-WinRM/Operational | 168 | X | `Session creation`. | WinRM Operational event log entries indicating authentication prior to PowerShell remoting on an accessed system • Event ID 169: “User \[DOMAIN\Account] authenticated successfully using \[authentication\_protocol]” System event log entries indicating a configuration change to the Windows Remote Management service: ○ Event ID 7040 “The start type of the Windows Remote Management (WS-Management) service was changed from \[disabled / demand start] to auto start.” – recorded when PowerShell remoting is enabled. ○ Event ID 10148 (“The WinRM service is listening for WS-Management requests”) – recorded upon reboot on systems where remoting has been enabled. WinRM Operational event log entries indicating authentication prior to PowerShell remoting on an accessed system: ○ Event ID 169 (“User \[DOMAIN\Account] authenticated successfully using \[authentication\_protocol]”) ### DCOM artefacts *** ### References --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.qazeer.io/dfir/windows/ttps_analysis/lateral_movement.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.