Approved

NOTE: Please review the comments section in addition to this post

Live Discover Query - RDP history

REVIEWED by Sophos

As RDP is always a hot topic in the world of security, it might be helpful to gain a report of perhaps who is connecting to where.

The default RDP client, mstsc.exe, maintains a history of the computers connected to under the following key, which it uses to pre-populate the drop-down list:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Default\

They are stored as individual string values, MRU0, MRU1, MRU2, etc. Therefore the following query could be used:

select data, path from registry where key like 'HKEY_USERS\%\SOFTWARE\Microsoft\Terminal Server Client\Default' and data <> '';

It may be adapted for a specific server address:

select data as 'Remote RDP Address', path from registry where key like 'HKEY_USERS\%\SOFTWARE\Microsoft\Terminal Server Client\Default' and data <> '' and data = 'wibble.wobble.com';

Maybe useful, but of course there is nothing stopping the keys from being removed.

Jak
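As an added example (not part of Jak's post or of the Sophos-supplied queries), the query below extends the MRU listing so it actually answers "who connected to where": it takes the SID from the HKEY_USERS hive path to resolve the username, and looks up the UsernameHint that mstsc saves under the Terminal Server Client\Servers\<host> subkey for the same user. It assumes osquery's split() helper and SQLite's replace() and datetime() functions are available in Live Discover, and that the users table exposes the account SID in its uuid column.

```sql
-- Added example, not from the original post: join each MRU entry to the user
-- whose hive it lives in, and pull the saved UsernameHint for that host.
-- Assumes osquery's split() and SQLite's replace()/datetime() are available,
-- and that users.uuid holds the account SID.
SELECT
  COALESCE(u.username, split(mru.key, '\', 1)) AS "User (or SID if unresolved)",
  mru.name                                     AS "MRU slot",
  mru.data                                     AS "Remote RDP Address",
  hint.data                                    AS "Saved username hint",
  datetime(mru.mtime, 'unixepoch')             AS "MRU key last written (UTC)"
FROM registry AS mru
-- HKEY_USERS\<SID>\SOFTWARE\... : element 1 of the path is the SID
LEFT JOIN users AS u
  ON u.uuid = split(mru.key, '\', 1)
-- Same hive, sibling subkey: ...\Terminal Server Client\Servers\<host>\UsernameHint
LEFT JOIN registry AS hint
  ON hint.key  = replace(mru.key, '\Default', '\Servers\' || mru.data)
 AND hint.name = 'UsernameHint'
WHERE mru.key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Terminal Server Client\Default'
  AND mru.name LIKE 'MRU%'
  AND mru.data <> ''
ORDER BY "User (or SID if unresolved)", mru.name;
```

Hosts with no matching Servers subkey show NULL in the hint column, and SIDs for accounts the users table does not know (for example roaming domain users who never logged on locally) are shown raw.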

  • It took longer than I'd like to run, but it seems to return the desired result:

    select
        sophos_registry_journal.time,
        sophos_registry_journal.sophospid as "Sophos PID",
        sophos_process_journal.sid,
        sophos_registry_journal.keyname as "Key where deletion took place",
        sophos_registry_journal.valuename as "Value deleted",
        sophos_process_journal.cmdline as "Program which deleted it",
        users.username as "User who ran it"
    from sophos_registry_journal
    join sophos_process_journal
    join users
    where sophos_registry_journal.keyname like '%\SOFTWARE\Microsoft\Terminal Server Client\Default%'
        and sophos_registry_journal.eventtype = 6
        and sophos_registry_journal.time > STRFTIME('%s','NOW','-24 HOURS')
        and sophos_process_journal.time > STRFTIME('%s','NOW','-24 HOURS')
        and sophos_process_journal.sophospid = sophos_registry_journal.sophospid
        and users.uuid = sophos_process_journal.sid