The Inbound Logon Artifact Category contains artifacts that show remote or local access to a given computer. Oftentimes, there will be several artifacts that get merged together for a single logon session.
Cyber Triage defines a logon session as:
- A successful local logon that starts when the user logs in and ends when they log off. Screen locks do not break a session.
- A successful remote logon that starts with a connection and ends with a disconnect.
- A failed logon attempt
Key Attributes of the Artifacts
Logon artifacts often come from event logs and they often represent stages in the logon session. Key attributes from these artifacts often include:
- A time associated with the event
- The event that occurred (such as a connection, authentication, or disconnect)
- The local OS account being used
- The remote host the logon is coming from
- Some kind of session identifier to link related events
Why Is It Important For DFIR?
Inbound Logon artifacts are useful for DFIR because they answer investigative questions about:
- What users had access to the system
- Where users accessed the system from
- Attempts to guess passwords
User credentials are often acquired by the attacker during an intrusion, and they allow the attacker to move within a network. They can “move laterally” between hosts to get closer to intellectual property, or use the credentials to access a public-facing computer that has Remote Desktop enabled.
It’s important to review Inbound Logons to look for sessions with:
- User accounts that should not be logging into the given system
- Remote hosts that are not typical for the given user (such as from a different country)
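The following is an added example, not code from Cyber Triage, that shows how the key attributes listed above (time, event, account, remote host, session identifier) can be merged into logon sessions under the definition given earlier, and how the resulting sessions can then be reviewed for the two conditions just listed plus repeated failed attempts. The event records, account names, hosts and the baseline of expected accounts and typical hosts are all constructed for the example; the event names and the `Session` fields are assumptions, not a real log format.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Events that close a session. Screen locks are deliberately not listed:
# a lock does not break a local logon session.
END_EVENTS = {"disconnect", "logoff"}
FAILED_EVENT = "failed_logon"

# Constructed sample records (not from a real event log). Each carries the
# key attributes described above; failed attempts have no session identifier.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:00:00", "event": "connection",     "account": "jsmith",        "remote_host": "10.0.5.21",   "session_id": "S1"},
    {"time": "2024-03-01T08:00:02", "event": "authentication", "account": "jsmith",        "remote_host": "10.0.5.21",   "session_id": "S1"},
    {"time": "2024-03-01T09:30:00", "event": "disconnect",     "account": "jsmith",        "remote_host": "10.0.5.21",   "session_id": "S1"},
    {"time": "2024-03-01T10:15:00", "event": "connection",     "account": "administrator", "remote_host": "203.0.113.7", "session_id": "S2"},
    {"time": "2024-03-01T10:15:01", "event": "authentication", "account": "administrator", "remote_host": "203.0.113.7", "session_id": "S2"},
    {"time": "2024-03-01T10:15:05", "event": "failed_logon",   "account": "svc_backup",    "remote_host": "203.0.113.7", "session_id": None},
    {"time": "2024-03-01T10:15:09", "event": "failed_logon",   "account": "svc_backup",    "remote_host": "203.0.113.7", "session_id": None},
    {"time": "2024-03-01T11:00:00", "event": "local_logon",    "account": "jsmith",        "remote_host": None,          "session_id": "S3"},
    {"time": "2024-03-01T11:05:00", "event": "screen_lock",    "account": "jsmith",        "remote_host": None,          "session_id": "S3"},
]

# Constructed review baseline: accounts expected on this host and the hosts
# each user normally connects from.
EXPECTED_ACCOUNTS = {"jsmith", "svc_backup"}
TYPICAL_HOSTS = {"jsmith": {"10.0.5.21"}}


@dataclass
class Session:
    account: str
    remote_host: Optional[str]        # None for a local logon
    start: datetime
    end: Optional[datetime] = None    # None while the session is still open
    failed: bool = False
    events: list = field(default_factory=list)


def build_sessions(records):
    """Merge individual logon artifacts into sessions keyed on the session identifier.
    Each failed attempt has no identifier and becomes its own one-event failed session."""
    by_id = defaultdict(list)
    failed = []
    for r in sorted(records, key=lambda r: r["time"]):
        (failed if r["event"] == FAILED_EVENT else by_id[r["session_id"]]).append(r)

    sessions = []
    for evs in by_id.values():
        s = Session(account=evs[0]["account"], remote_host=evs[0]["remote_host"],
                    start=datetime.fromisoformat(evs[0]["time"]), events=evs)
        for e in evs:
            if e["event"] in END_EVENTS:     # a screen_lock never reaches this branch
                s.end = datetime.fromisoformat(e["time"])
        sessions.append(s)
    for r in failed:
        t = datetime.fromisoformat(r["time"])
        sessions.append(Session(account=r["account"], remote_host=r["remote_host"],
                                start=t, end=t, failed=True, events=[r]))
    return sorted(sessions, key=lambda s: s.start)


def review_sessions(sessions, expected_accounts, typical_hosts, guess_threshold=2):
    """Return (session, reason) pairs for sessions worth an analyst's attention:
    unexpected accounts, atypical remote hosts, and repeated failed attempts."""
    findings = []
    failed_by_source = defaultdict(list)
    for s in sessions:
        if s.failed:
            failed_by_source[(s.remote_host, s.account)].append(s)
            continue
        if s.account not in expected_accounts:
            findings.append((s, f"account {s.account!r} is not expected on this system"))
        if s.remote_host and s.remote_host not in typical_hosts.get(s.account, set()):
            findings.append((s, f"remote host {s.remote_host} is atypical for {s.account!r}"))
    for (host, acct), attempts in failed_by_source.items():
        if len(attempts) >= guess_threshold:
            findings.append((attempts[-1], f"{len(attempts)} failed logons for {acct!r} "
                                           f"from {host}: possible password guessing"))
    return findings


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS):
        print(f"{s.account:<14} from={s.remote_host or 'local':<12} "
              f"start={s.start} end={s.end} failed={s.failed}")
    for _, reason in review_sessions(build_sessions(SAMPLE_EVENTS), EXPECTED_ACCOUNTS, TYPICAL_HOSTS):
        print("FLAG:", reason)
```

In this layout, the three successful sessions and the two failed attempts become five sessions; the local session S3 stays open because the screen lock is not a session boundary, and the review flags the unexpected account, its atypical source host, and the repeated failures from the same host. A real review would replace the constructed baseline with what is known about the environment, but the merge-then-review structure is the same.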
Inbound Logon Artifacts
Windows Terminal Server – Remote Connection Manager Log
What Is It? The “Windows Terminal Server – Remote Connection...