Inbound Logon Artifacts

The Inbound Logon Artifact Category contains artifacts that show remote or local access to a given computer. Oftentimes, there will be several artifacts that get merged together for a single logon session.

Cyber Triage defines a logon session as:

• A successful local logon that starts when the user logs in and ends when the log off. Screen locks do not break a session.
• A successful remote logon that starts with a connection and ends with a disconnect.
• A failed logon attempt

Key Attributes of the Artifacts

Logon artifacts often come from event logs and they often represent stages in the logon session. Key attributes from these artifacts often include:

• A time associated with the event
• The event that occurred (such as a connection, authentication, or disconnect)
• The local OS account being used
• The remote host the logon is coming from
• Some kind of session identifier to link related events

Why Is It Important For DFIR?

Inbound Logon artifacts are useful for DFIR because they answer investigative questions about:

• What users had access to the system
• Where users accessed the system from
• Attempts to guess passwords

User credentials are often acquired by the attacker in an intrusion and they allow the attacker to move within a network. They can “move laterally” between hosts to get closer to intellectual property or use them to get access to a public facing computer that has Remote Desktop enabled.

It’s important to review Inbound Logons to look for sessions with:

• User accounts that should not be logging into the given system
• Remote hosts that are not typical for the given user (such as from a different country)

Specific Artifacts

• Remote Connection Manager Log
  • Remote Connection Manager – Event 261
  • Remote Connection Manager – Event 1149
• Windows Terminal Services – Local Session Manager Log
  • Local Session Manager – Event 21 (Logon)
  • Local Session Manager – Event 22 (Shell Start)