SATC and run-as sessions on the Terminal Server never logged out

As we have opened a new case on it 07354794, I wonder if this is a known result, because I cannot find any information about it.

Scenario:

Fully setup SATC Client / Firewall for a Windows 2022 terminal server .

User logins on the firewall are working as expected (at least when adding manual iptable lines for SATC traffic on port 6060. Ref. Case: 06506059).

User A logs on the terminal server. SATC sends new login for User A to firewall.

Firewall shows User A as Thin Client User.

User A runs a program on the terminal server as User AB (run-as). SATC sends new login for User AB to firewall.

Firewall shows User A and user AB as Thin Client User.

User A closes the program run by User AB. SATC sends nothing to firewall.

Firewall still shows User A and user AB as Thin Client User.

User A logs off from the terminal server. SATC sends logout info for User A to firewall.

Firewall shows only user AB as Thin Client User.

This state will remain on the firewall forever until you manually disconnect the user on the firewall or you restart the terminal server.

Endpoint:

Licensed Assigned Version
Core Agent 2024.1.0.51 BETA
Sophos Intercept X 2024.1.0.45.1 BETA
Managed Detection and Response 2023.2.0.3
XDR

2024.1.0.51 BETA

Non-EAP Products also affected.

Firewall: SFOS 19.5.3



Updated the tags
[edited by: Gladys at 2:26 AM (GMT -7) on 30 May 2024]
Parents
  • I think the problem here is that windows does not create a logout event when a run-as process is terminated. I assume SATC is only checking some Logon Events in the Security Event Log.

    This could probably be kept track of by SATC checking new "logon with explicit credentials" of the initial Logon ID like 0x3AE82D8 of User A creating new EventIDs 4648 and 4672 when using the run-as with User AB.

    When the initial Logon ID 0x3AE82D8 is finally logged out of the Terminal Server with EventID 4647 followed by EventID 4634 the SATC could send a logoff information to the firewall for all user sessions spawned by User A.

    I think it may be tricky if different users on a Terminal Server would be using the same user for run-as commands like User A and User B spawn a process by run-as with User XY. Where XY would be some Admin account on a remote system.

Reply
  • I think the problem here is that windows does not create a logout event when a run-as process is terminated. I assume SATC is only checking some Logon Events in the Security Event Log.

    This could probably be kept track of by SATC checking new "logon with explicit credentials" of the initial Logon ID like 0x3AE82D8 of User A creating new EventIDs 4648 and 4672 when using the run-as with User AB.

    When the initial Logon ID 0x3AE82D8 is finally logged out of the Terminal Server with EventID 4647 followed by EventID 4634 the SATC could send a logoff information to the firewall for all user sessions spawned by User A.

    I think it may be tricky if different users on a Terminal Server would be using the same user for run-as commands like User A and User B spawn a process by run-as with User XY. Where XY would be some Admin account on a remote system.

Children