Having fun while learning about and pivoting into the world of DFIR.
by ogmini
Came across a very succinct post about the “chain of RDP-related Event IDs” from Sujay Adkesar at https://thelocalh0st.github.io/posts/rdp/. They point out the importance of creating a narrative from logs and being able to visualize the timeline of events. I think this might be a fun standalone tool to write. I’m sure this ability probably already exists within various SIEMs and so forth.
The tool would be able to take in the EventIDs from:
It would correlate them to create an easily understandable graphical timeline. This tool would not be for hunting; but instead for presenting evidence to others. It should run on both the connecting and connected systems.
Working on this would really solidify my understanding of RDP timelines and could marry well with my prior look into tools like RDCMan and Remote Desktop Managers.
tags: #RDP #Windows-Events