This repository contains resources related to the forensic analysis made on Microsoft Remote Access VPN and available on this blog post: https://www.synacktiv.com/publications/forensic-aspects-of-microsoft-remote-access-vpn.html.
- a Velociraptor client artifact Windows.EventLogs.RemoteAccessVPN.yaml
- 7 chainsaw rules in the microsoft_rasvpn_events directory
- and a Python script to execute on the VPN server that allows to dump the RaAcctDb WID database in CSV files csv_export_raacctdb.py
Import the Velociraptor Artifact Exchange pack or import Windows.EventLogs.RemoteAccessVPN.yaml from this repository.
-
Summary of the artifact
-
VPN Client logs
-
VPN Server logs
-
NPS Server logs
Specify in your chainsaw cli arguments the microsoft_rasvpn_events directory, or use the rules from chainsaw repository from PR TODO.
To export the data stored by Remote access reporting feature in the WID RaAcctDb, you must:
- Install Python3 in the Remote Access VPN server
- Install pyodbc package:
pip install pyodbc - Copy csv_export_raacctdb.py in a local directory
- Create an output directory
- Run the script:
python csv_export_raacctdb.py <out_dir>(relative or absolute path are accepted) - A CSV file is created for each table
2023 - Théo Letailleur, Synacktiv
The contents of this repository is available under AGPL License
- Théo Letailleur: theo.letailleur@synacktiv.com
- CSIRT Synacktiv: csirt@synacktiv.com