DWRCSAccess.log artifact
The article describes DameWare's DWRCSAccess.log file, which records localized messages and English-language metadata for remote-control events. The messages cover user connections, disconnections and authentication failures; the metadata holds detailed system and security information that may be useful when analysing an attacker's activity. 2025-2-5 23:29:47 Author: www.hexacorn.com

I learned about DameWare’s DWRCSAccess.log log file from this blog post. Then, when I searched this file name on Google I only got a very small number of results. Obviously, it immediately piqued my interest and I decided to describe the content of the file here.

The content of this file is plain text, parts of it often localized, and it appears to hold a record of successive logon events that are appended to the log file.

The localized parts are language-specific ‘messages’ that describe why the metadata was logged in the first place, and include entries like these:

  • The following user has connected via remote control.
  • The following user has disconnected from remote control.
  • Disconnected due to a time-out while waiting for a response for a shared session request.
    Server closed the connection.
  • Authentication Failed: Using Smart Card Logon. Please check previous event log entries for possible cause.
  • Authentication Failed: Using Encrypted Windows Logon.
  • Der folgende Benutzer ist durch Fernzugriff verbunden. (The following user is connected remotely.)
  • Die Anmeldeerlaubnis wurde Ihnen nicht erteilt. Benutzer getrennt. (You have not been granted permission to log in. User disconnected.)
  • etc.

Then comes the actual metadata, which seems to always be stored in English and usually includes a set of the following, mostly self-explanatory fields:

Date:
Computer Name:
User ID:
Logon As ID:
Domain:
Desktop User ID:
Desktop Name:
System Settings Using:
Desktop State:
Permission Required:
Access Approved By:
Access Declined By:
Access Request Timeout:
Access Request Disconnected:
OS Product ID:
OS Registered Owner:
OS Registered Organization:
Host Name from Peer:
IP Address(es) from Peer:
Peer Host Name:
Peer IP Address:
Protocol Version - DWRCC.EXE:
Protocol Version - DWRCS.EXE:
Product Version - DWRCS.EXE:
Product Version - DWRCC.EXE:
Proxy Host Used:
Proxy Host:
Proxy Destination Host:
Proxy Destination Port:
Proxy Callback Port:
Authentication Type:
Last Error Code:
Last Error Code (WSA):
Host Port Number:
Host IP Address:
Host Name:
Absolute timeout setting:
Connect/Logon timeout setting:
Access Check:
Registered:
WTS Session:
Used RSA Public-Key Key Exchange (1024 bit keys).
Encryption IDs:
Hashing IDs:
Used Shared Secret:
Registration:

Some of these may contain crucial information about the attackers that is not present anywhere else.
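As an added example (not code from the original post), a small parser for this layout, assuming each record is one or more message lines followed by "Field: value" lines and using the field names listed above to tell metadata from localized message text:

```python
# Added example, not code from the original post. Assumed layout (not confirmed
# by the post): records are localized message lines followed by "Field: value"
# lines; only names the post lists count as fields, so messages containing ':'
# (e.g. "Authentication Failed: ...") and multi-line messages stay message text.
import re
from collections import Counter
KNOWN_FIELDS = {"Date", "Computer Name", "User ID", "Logon As ID", "Domain",
                "Peer Host Name", "Peer IP Address", "Authentication Type",
                "Last Error Code", "Last Error Code (WSA)"}
FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")

# Constructed sample with placeholder values, not a real capture.
SAMPLE = """The following user has connected via remote control.
Date: 02/05/2025 21:14:03
User ID: jsmith
Peer IP Address: 10.0.0.25
Authentication Failed: Using Encrypted Windows Logon.
Date: 02/05/2025 21:15:41
User ID: administrator
Peer IP Address: 203.0.113.7
Last Error Code: 1326
Disconnected due to a time-out while waiting for a response for a shared session request.
Server closed the connection.
Date: 02/05/2025 21:16:02
User ID: jsmith
Peer IP Address: 10.0.0.25
"""

def parse_dwrcs_access_log(text):
    """Return a list of {'message': str, 'fields': dict} records."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = FIELD_RE.match(line)
        is_field = bool(m) and m.group(1).strip() in KNOWN_FIELDS
        # a message line after a field block (or at the very start) opens a record
        if not records or (not is_field and records[-1]["fields"]):
            records.append({"message": "", "fields": {}})
        if is_field:
            records[-1]["fields"][m.group(1).strip()] = m.group(2).strip()
        else:
            records[-1]["message"] = (records[-1]["message"] + " " + line).strip()
    return records

def failed_auth_by_peer(records):
    """Count 'Authentication Failed' records per peer IP; localized variants need adding."""
    counts = Counter()
    for r in records:
        if r["message"].startswith("Authentication Failed"):
            counts[r["fields"].get("Peer IP Address", "unknown")] += 1
    return counts
```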


Source: https://www.hexacorn.com/blog/2025/02/05/dwrcsaccess-log-artifact/