[prev in list] [next in list] [prev in thread] [next in thread]
List: pen-test
Subject: Re: XP RDP event log 682 ?
From: H Carvey <keydet89 () yahoo ! com>
Date: 2004-12-14 16:35:34
Message-ID: 20041214192814.11435.qmail () www ! securityfocus ! com
[Download RAW message or body]
In-Reply-To: <BAY24-DAV3EF0369DD0B58FF913A23DAAA0@phx.gbl>
Bill,
> I have a few event log 682's (user has reconnected to a disconnected TS
> session) on an XP machine at work that shows:
> Session Name: Console
> Client Name: Unknown
> Client Address: Unknown
>
> All other event log 682's show Session Name: RDP-Tcp# and they also
> display the Client Name and Address.
>
> Does this mean that these Unknown ones connected via Console were
> connections made by someone who hacked the password and used a stealthed OS
> ?
Perhaps not (what's a "stealthed OS"???)
A quick search on EventID.net reveals:
http://www.eventid.net/display.asp?eventid=682&eventno=1802&source=Security&phase=1
On TechNet:
http://www.microsoft.com/technet/security/guidance/secmod144.mspx
Scroll down to "Logon Events".
See also: "...Event ID 682 indicates when a connection to a previously disconnected \
session has occurred."
Hope that helps,
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic