
feat: add RDP Logon/Logoff to timeline-logon #216

Merged (4 commits), Nov 29, 2024

Conversation

fukusuket
Collaborator

@fukusuket fukusuket commented Nov 23, 2024

@fukusuket fukusuket added the enhancement New feature or request label Nov 23, 2024
@fukusuket fukusuket added this to the v2.8.0 milestone Nov 23, 2024
@fukusuket fukusuket self-assigned this Nov 23, 2024
@fukusuket
Collaborator Author

fukusuket commented Nov 23, 2024

timeline-logon

Tested with the following sample logs.
Yamato-Security/hayabusa-sample-evtx#3

Screenshot 2024-11-23 15 28 54

@fukusuket fukusuket marked this pull request as ready for review November 23, 2024 06:29
@fukusuket
Collaborator Author

timeline-logon -l

Tested with the following sample logs.
Yamato-Security/hayabusa-sample-evtx#3
Screenshot 2024-11-23 15 41 42

@YamatoSecurity
Collaborator

@fukusuket Thanks for this! There seems to be a bug in extracting the Logoff time:

Screenshot 2024-11-28 at 07 40 32

I noticed that the logoff times are always the same for the same user (in this example, I filtered the results to one user). However, when I looked up the timestamps, they were as follows:

"2018-05-05 07:16:46.663 +09:00"
"2018-05-08 04:25:40.449 +09:00"
"2018-05-08 23:34:48.983 +09:00"
"2018-05-08 23:36:47.177 +09:00"
"2018-05-09 05:58:25.413 +09:00"
"2018-05-09 06:58:03.364 +09:00"
"2018-05-12 04:39:38.816 +09:00"
"2018-05-12 07:25:24.577 +09:00"
"2018-05-14 14:41:33.609 +09:00"
"2018-05-25 08:50:40.165 +09:00"
"2018-05-26 03:59:37.553 +09:00"
"2018-05-26 03:59:50.852 +09:00"
"2018-05-26 04:07:06.600 +09:00"
"2018-06-02 03:52:34.293 +09:00"
"2018-08-07 04:12:23.842 +09:00"
"2018-08-29 07:10:14.503 +09:00"
"2018-08-30 22:51:23.844 +09:00"
"2018-08-31 23:58:37.536 +09:00"
"2018-09-01 00:28:53.186 +09:00"
"2018-09-01 03:49:21.731 +09:00"
"2018-09-05 20:55:56.196 +09:00"
"2018-09-05 21:11:31.218 +09:00"
"2018-09-05 21:35:26.475 +09:00"
"2018-09-06 00:03:08.000 +09:00"
"2018-09-06 03:45:43.496 +09:00"
"2018-09-07 05:25:13.451 +09:00"

No timestamps are the same.
Could you check this?

@fukusuket
Collaborator Author

fukusuket commented Nov 27, 2024

@YamatoSecurity
Thank you so much for checking!
I mistakenly thought that the Session ID was unique for each user. However, since Session IDs are not unique :( I will consider other methods! 🤔

 % ./hayabusa csv-timeline -d ../all-evtx -w -r rules/hayabusa/builtin/TerminalServices-LocalSessionManager_Op -s -o timeline.csv -C
"Timestamp","RuleTitle","Level","Computer","Channel","EventID","RecordID","Details","ExtraFieldInfo"
"2022-02-07 19:54:53.958 +09:00","RDP Logon","info","DESKTOP-A8CALR3","RDS-LSM",21,24,"TgtUser: DESKTOP-A8CALR3\defaultuser0 ¦ SessID: 1 ¦ SrcIP: LOCAL","-"
"2022-02-07 20:27:09.657 +09:00","RDP Logoff","info","DESKTOP-A8CALR3","RDS-LSM",23,27,"TgtUser: DESKTOP-A8CALR3\defaultuser0 ¦ SessID: 1","-"
"2022-02-07 20:27:31.076 +09:00","RDP Logon","info","DESKTOP-A8CALR3","RDS-LSM",21,31,"TgtUser: DESKTOP-A8CALR3\defaultuser0 ¦ SessID: 1 ¦ SrcIP: LOCAL","-"
"2022-02-07 21:00:05.965 +09:00","RDP Logoff","info","DESKTOP-A8CALR3","RDS-LSM",23,33,"TgtUser: DESKTOP-A8CALR3\defaultuser0 ¦ SessID: 1","-"
"2022-02-07 21:00:06.169 +09:00","RDP Disconnect","info","DESKTOP-A8CALR3","RDS-LSM",24,36,"TgtUser: DESKTOP-A8CALR3\defaultuser0 ¦ SessID: 1 ¦ SrcIP: LOCAL","-"
"2022-02-07 21:00:06.826 +09:00","RDP Logon","info","DESKTOP-A8CALR3","RDS-LSM",21,39,"TgtUser: DESKTOP-A8CALR3\user ¦ SessID: 2 ¦ SrcIP: LOCAL","-"
"2022-02-07 21:07:37.378 +09:00","RDP Logoff","info","DESKTOP-A8CALR3","RDS-LSM",23,41,"TgtUser: DESKTOP-A8CALR3\user ¦ SessID: 2","-"
"2022-02-07 23:14:50.905 +09:00","RDP Logon","info","DESKTOP-A8CALR3","RDS-LSM",21,46,"TgtUser: DESKTOP-A8CALR3\user ¦ SessID: 1 ¦ SrcIP: LOCAL","-"
"2022-02-08 08:02:06.479 +09:00","RDP Logoff","info","DESKTOP-A8CALR3","RDS-LSM",23,49,"TgtUser: DESKTOP-A8CALR3\user ¦ SessID: 1","-"
"2022-02-08 08:04:10.215 +09:00","RDP Logon","info","DESKTOP-A8CALR3","RDS-LSM",21,53,"TgtUser: DESKTOP-A8CALR3\user ¦ SessID: 1 ¦ SrcIP: LOCAL","-"
"2022-02-08 17:03:15.630 +09:00","RDP Logoff","info","DESKTOP-A8CALR3","RDS-LSM",23,55,"TgtUser: DESKTOP-A8CALR3\user ¦ SessID: 1","-"

@fukusuket fukusuket marked this pull request as draft November 27, 2024 23:53
@YamatoSecurity
Collaborator

@fukusuket I see, what about checking both SessID and TgtUser to see if they match?

@fukusuket
Collaborator Author

@YamatoSecurity
Yes, both SessID and TgtUser are used as keys in the current implementation as well!
However, this was not sufficient, so I will add the condition that the Logoff event is the one closest in time to the Logon event. 🤔

@fukusuket fukusuket marked this pull request as ready for review November 28, 2024 14:09
@fukusuket
Collaborator Author

fukusuket commented Nov 28, 2024

@YamatoSecurity
I have modified the logic as follows to output LogoffTime! Could you check it? 🙏

  • TgtUser
  • SessID
  • Logoff event (EID 23) closest in time to the Logon event (EID 21) that matches the above

Screenshot 2024-11-28 23 10 42

(Even with this logic, LogoffTime may not produce the expected result, depending on how the events appear in the log... :( I think this case has no solution because of the RDP event log specification.)
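The pairing logic described in this comment, as an added illustration that is not part of the PR or of Hayabusa's code: it replays the csv-timeline rows quoted earlier in the thread (constructed here as a minimal Timestamp/EventID/TgtUser/SessID table) through a lookup keyed on TgtUser and SessID alone, which hands every repeat session the same LogoffTime, and through the corrected pairing that also picks the EID 23 closest in time after each EID 21. It assumes a logoff must follow its logon; a logon with no later matching logoff gets None, which is the unresolved case mentioned above.

```python
from dataclasses import dataclass
from datetime import datetime

# Rows constructed from the csv-timeline output quoted earlier in this thread:
# Timestamp,EventID,TgtUser,SessID  (21 = Logon, 23 = Logoff, 24 = Disconnect)
SAMPLE_ROWS = """\
2022-02-07 19:54:53.958 +09:00,21,DESKTOP-A8CALR3\\defaultuser0,1
2022-02-07 20:27:09.657 +09:00,23,DESKTOP-A8CALR3\\defaultuser0,1
2022-02-07 20:27:31.076 +09:00,21,DESKTOP-A8CALR3\\defaultuser0,1
2022-02-07 21:00:05.965 +09:00,23,DESKTOP-A8CALR3\\defaultuser0,1
2022-02-07 21:00:06.169 +09:00,24,DESKTOP-A8CALR3\\defaultuser0,1
2022-02-07 21:00:06.826 +09:00,21,DESKTOP-A8CALR3\\user,2
2022-02-07 21:07:37.378 +09:00,23,DESKTOP-A8CALR3\\user,2
2022-02-07 23:14:50.905 +09:00,21,DESKTOP-A8CALR3\\user,1
2022-02-08 08:02:06.479 +09:00,23,DESKTOP-A8CALR3\\user,1
2022-02-08 08:04:10.215 +09:00,21,DESKTOP-A8CALR3\\user,1
2022-02-08 17:03:15.630 +09:00,23,DESKTOP-A8CALR3\\user,1
"""

@dataclass(frozen=True)
class RdsEvent:
    ts: datetime
    eid: int
    user: str
    sess: str

def parse_rows(text):
    events = []
    for line in text.splitlines():
        ts, eid, user, sess = line.split(",")
        events.append(RdsEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f %z"), int(eid), user, sess))
    return events

def logoff_by_key_only(events):
    """Lookup keyed on (TgtUser, SessID) only: one logoff per key, so repeat sessions share it."""
    first_logoff = {}
    for e in events:
        if e.eid == 23:
            first_logoff.setdefault((e.user, e.sess), e.ts)
    return [(e.user, e.sess, e.ts, first_logoff.get((e.user, e.sess))) for e in events if e.eid == 21]

def pair_logon_logoff(events):
    """Merged logic: same TgtUser and SessID, and the EID 23 closest in time after the EID 21."""
    logoffs = [e for e in events if e.eid == 23]
    pairs = []
    for logon in (e for e in events if e.eid == 21):
        same = [x for x in logoffs if (x.user, x.sess) == (logon.user, logon.sess) and x.ts >= logon.ts]
        nearest = min(same, key=lambda x: x.ts - logon.ts, default=None)
        pairs.append((logon.user, logon.sess, logon.ts, nearest.ts if nearest else None))
    return pairs
```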

Collaborator

@YamatoSecurity YamatoSecurity left a comment


@fukusuket Everything looks good to me in my test cases. Thanks so much!

@YamatoSecurity YamatoSecurity merged commit 7b061a6 into main Nov 29, 2024
2 checks passed
@YamatoSecurity YamatoSecurity deleted the add-rdp-log-to-timeline-logon branch November 29, 2024 00:09
Successfully merging this pull request may close these issues.

Add RDP logon/logoff information to timeline-logon command