Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 13 subscribers
  • Views 5568 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SATC and run-as sessions on the Terminal Server never logged out

LHerzog

As we have opened a new case on it 07354794, I wonder if this is a known result, because I cannot find any information about it.

Scenario:

Fully setup SATC Client / Firewall for a Windows 2022 terminal server .

User logins on the firewall are working as expected (at least when adding manual iptable lines for SATC traffic on port 6060. Ref. Case: 06506059).

User A logs on the terminal server. SATC sends new login for User A to firewall.

Firewall shows User A as Thin Client User.

User A runs a program on the terminal server as User AB (run-as). SATC sends new login for User AB to firewall.

Firewall shows User A and user AB as Thin Client User.

User A closes the program run by User AB. SATC sends nothing to firewall.

Firewall still shows User A and user AB as Thin Client User.

User A logs off from the terminal server. SATC sends logout info for User A to firewall.

Firewall shows only user AB as Thin Client User.

This state will remain on the firewall forever until you manually disconnect the user on the firewall or you restart the terminal server.

Endpoint:

Licensed Assigned Version
Core Agent 2024.1.0.51 BETA
Sophos Intercept X 2024.1.0.45.1 BETA
Managed Detection and Response 2023.2.0.3
XDR

2024.1.0.51 BETA

Non-EAP Products also affected.

Firewall: SFOS 19.5.3



This thread was automatically locked due to age.
  • 0

    I think the problem here is that windows does not create a logout event when a run-as process is terminated. I assume SATC is only checking some Logon Events in the Security Event Log.

    This could probably be kept track of by SATC checking new "logon with explicit credentials" of the initial Logon ID like 0x3AE82D8 of User A creating new EventIDs 4648 and 4672 when using the run-as with User AB.

    When the initial Logon ID 0x3AE82D8 is finally logged out of the Terminal Server with EventID 4647 followed by EventID 4634 the SATC could send a logoff information to the firewall for all user sessions spawned by User A.

    I think it may be tricky if different users on a Terminal Server would be using the same user for run-as commands like User A and User B spawn a process by run-as with User XY. Where XY would be some Admin account on a remote system.

  • 0 in reply to LHerzog

    Development has confirmed the behavior. It seems this is a rare use case on terminal servers together with Sophos networking. Support for this may come in the future.

Unfiltered HTML