Remote Desktop Incident Response
It happened again, EC2 Abuse let you know you have a potentially compromised EC2 windows instance. You get into the account and there it is Security group 0.0.0.0/0 for 3389 because you had another lazy admin that doesn't want to lock down RDP to his IP range.
Yes of course this problem is multi-tiered and requires configuration management training and a host of other things that are required, but short time you have to find out what/how something happened. Something that is near and dear to my Incident Response. AWS forensics is a unique beast and the process of isolation, taking a snapshot, and mounting to another drive are a huge aspect of investigation. One great place to start would be this paper by Ken Hartman - it is a SANS Gold Paper detailing analysis of a Linux system. Analyzing EC2 instances is a unique skill of itself but in this case I just want to look at RDP attacks. In a recent case I identified the attack early so I had Security Logs to look at. This is fortunate - there are an RDP operational log in windows vista+ but in this case I had to look at the Security Logs.
Everyone who has had the pleasure of analyzing windows eventlogs has come to the realization that the Message field is not easily indexed in using the windows eventlog standard format. However, it is all stored in xml - so one simple way to pull out the IP metadata is first export to xml and then import to xml.
$logs = get-winevent -Path .\Security.evtx
[xml]$stuffs = $logs.toxml()
This allows you to then parse out the logs for IPs username and all the other goodness that you traditionally have to push into Splunk/elastic to analyze.
Taking this I can then analyze when there are more than 3 failed logins followed by a successful login by IP:
This will print out the user, recordID, DateTime, and IP of the offending log - simpler way to analyze a lot of data other than scrolling through eventlogviewer if you ask me :)
Full code can be found - here - happy IR days!