Hi Guys,
I need some guidance on how to establish if any remote logons were made onto Windows Server 2003.
What can I look at? What entry in the Evt logs,
or any other files, can assist me?
Well, I guess the first question is, are logins being recorded? This is easy to check for, using RegRipper (assuming that you're working with an acquired image).
If logins are being audited, you will find them (if the logs haven't rolled over…depends on the size of the Event Logs and how long it's been since the event in question occurred…) in the Security Event Log. You're most interested in 528 (type 10 or 11, assoc. w/ RDP) events, or 540 type 3 events.
Now…that is assuming that what you're referring to is logging in via NetBIOS, such as accessing shares, RDP, etc. If you're interested in something like pcAnywhere or VNC logins, you'll need to check for those applications, and then determine if there are any logs.
Not knowing more about your situation, one of the things that you may need to be aware of is the reverse shell found to be used in a number of incidents. This is usually dropped on a system, and rather than waiting for connections like a VNC server, it pushes the connection out to a waiting client. In cases such as this, you would not see a login.
HTH
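To make the event-ID rule in the reply above concrete, here is an added example (not code from the thread or from RegRipper) that filters a simplified, constructed text export of a Windows 2003 Security Event Log for the remote logon patterns named: 528 with logon type 10 or 11, and 540 with logon type 3. The export format, field names and sample records are assumptions made for this example.

```python
"""Filter Windows 2003 Security Event Log records for remote logons.

Rule applied (from the reply above): event 528 with logon type 10 or 11
(Terminal Services / RDP), or event 540 with logon type 3 (network logon,
e.g. share access). The export format below is an assumption for this
example; real exports (e.g. from a .evt dump tool) will need their own parser.
"""
import re
from collections import namedtuple

LogonEvent = namedtuple("LogonEvent", "time event_id logon_type user source")

# Constructed sample export: one record per line, field=value pairs.
SAMPLE_EXPORT = """\
2009-03-02 08:14:33 EventID=528 LogonType=2 User=Administrator Source=-
2009-03-02 08:20:05 EventID=528 LogonType=10 User=jsmith Source=10.1.2.55
2009-03-02 09:02:41 EventID=540 LogonType=3 User=backupsvc Source=10.1.2.9
2009-03-02 09:30:12 EventID=529 LogonType=10 User=admin Source=10.1.2.77
2009-03-02 11:45:00 EventID=540 LogonType=3 User=ANONYMOUS LOGON Source=10.1.2.20
"""

# event_id -> logon types that indicate a remote (RDP or network) logon
REMOTE_RULES = {528: {10, 11}, 540: {3}}

LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) EventID=(?P<id>\d+) LogonType=(?P<type>\d+) "
    r"User=(?P<user>.+?) Source=(?P<src>\S+)$")

def parse_export(text):
    """Parse the constructed export format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(LogonEvent(m["time"], int(m["id"]), int(m["type"]),
                                 m["user"], m["src"]))
    return events

def remote_logons(events):
    """Return only successful remote logons; 529 (failed logon) is ignored."""
    return [e for e in events if e.logon_type in REMOTE_RULES.get(e.event_id, ())]

if __name__ == "__main__":
    for e in remote_logons(parse_export(SAMPLE_EXPORT)):
        print(f"{e.time}  {e.event_id}/type {e.logon_type:<2} {e.user} from {e.source}")
```

Note that the console logon (528 type 2) and the failed RDP attempt (529) are filtered out, so a reviewer only sees the records that match the rule; widen REMOTE_RULES if failed attempts are also of interest.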
Yes, I am working off an image. Can you tell me how RegRipper will work in this case?
Pretty well, actually.
Sorry if that's not the answer you're looking for…but I'm not sure what it is you're asking…