RDP | Windows Event ID 1029 | Decoding Hashes

Whilst on a recent engagement, I needed to provide some clarity to others regarding the encoded string within Event ID 1029, which is located in the "Microsoft-Windows-TerminalServices-RDPClient/Operational.evtx" Windows event log.


This event is created on the host system that initiates a Remote Desktop connection to another system, and it contains a hash of the username used for that connection.

Within DFIR, we can use this data to track popped (compromised) usernames that threat actors may be using while inside the compromised network.

The encoded string is not reversible: as the recipe below shows, the username (likely prefixed with the domain) is encoded as UTF-16LE, hashed with SHA-256, and the digest is Base64-encoded.

To reproduce this string for a known username and compare it against the event, use the following CyberChef recipe, or click on the link below:

https://gchq.github.io/CyberChef/#recipe=Decode_text('UTF-8%20(65001)')Encode_text('UTF-16LE%20(1200)')SHA2('256',64,160)From_Hex('Space')To_Base64('A-Za-z0-9%2B/%3D')&input=Q3liZXJMaWFt 



However, CyberChef only lets you work in one direction (username to hash) and one value at a time, so it is not very useful when trying to identify these en masse!

After digging around on GitHub, I was able to locate a repo that lets you hash a single username, or run a wordlist against the event to match the hash of the initiating user.


During the engagement we adapted and extended a list produced via an export of Active Directory to 'crack' the usernames used by the threat actor. It's nowhere near perfect, but it's something :D
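The wordlist approach above, as an added example that is not the author's tooling or the GitHub repo mentioned: it reproduces the Event ID 1029 value (Base64 of the SHA-256 of the UTF-16LE username, exactly as the CyberChef recipe does) and looks up a batch of observed hashes against an AD-style account list. The `DOMAIN\user` and `user@DOMAIN` forms and the sample names are assumptions made for the example.

```python
import base64
import hashlib


def event_1029_hash(name: str) -> str:
    """Reproduce the Event ID 1029 string: Base64(SHA-256(UTF-16LE(name)))."""
    digest = hashlib.sha256(name.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def candidates(user: str, domains):
    """Expand one account into the forms an RDP client might have hashed.

    The bare name is on the page; the DOMAIN\\user and user@DOMAIN forms
    are assumptions, since the post only says 'domain and/or username'.
    """
    yield user
    for domain in domains:
        yield f"{domain}\\{user}"
        yield f"{user}@{domain}"


def match_hashes(observed, wordlist, domains=()):
    """Map each observed hash to the first account form that produces it.

    Builds the lookup table once, so thousands of event values from many
    hosts are resolved in a single pass rather than one CyberChef run each.
    Unmatched hashes map to None.
    """
    table = {}
    for user in wordlist:
        for form in candidates(user, domains):
            table.setdefault(event_1029_hash(form), form)
    return {h: table.get(h) for h in observed}


if __name__ == "__main__":
    # Constructed sample: an AD export and two hashes 'pulled' from the logs.
    ad_export = ["alice", "bob", "svc_backup"]
    seen_in_logs = [event_1029_hash("CORP\\svc_backup"), event_1029_hash("mallory")]
    for h, who in match_hashes(seen_in_logs, ad_export, ["CORP"]).items():
        print(f"{h}  ->  {who or 'no match in wordlist'}")
```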


Special thanks to BeanBagKing on this one!