List:       pen-test
Subject:    Re: XP RDP event log 682 ?
From:       H Carvey <keydet89 () yahoo ! com>
Date:       2004-12-14 16:35:34
Message-ID: 20041214192814.11435.qmail () www ! securityfocus ! com

In-Reply-To: <BAY24-DAV3EF0369DD0B58FF913A23DAAA0@phx.gbl>

Bill,

> I have a few event log 682's (user has reconnected to a disconnected TS
> session) on an XP machine at work that shows:
> Session Name:    Console
> Client Name:    Unknown
> Client Address:    Unknown
> 
> All other event log 682's show Session Name:    RDP-Tcp# and they also
> display the Client Name and Address.
> 
> Does this mean that these Unknown ones connected via Console were
> connections made by someone who hacked the password and used a stealthed OS?

Perhaps not (what's a "stealthed OS"???)

A quick search on EventID.net reveals:
http://www.eventid.net/display.asp?eventid=682&eventno=1802&source=Security&phase=1

On TechNet:
http://www.microsoft.com/technet/security/guidance/secmod144.mspx

Scroll down to "Logon Events".

See also: "...Event ID 682 indicates when a connection to a previously disconnected session has occurred."

Hope that helps,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com

