X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fmsauth_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fmsauth_rules.xml;h=51ed17b303904f31eac36492fbb1729f8111cb94;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/debian/ossec-hids/var/ossec/rules/msauth_rules.xml b/debian/ossec-hids/var/ossec/rules/msauth_rules.xml
new file mode 100644
index 0000000..51ed17b
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/msauth_rules.xml
@@ -0,0 +1,972 @@
+
+
+
+6
+
+
+
+ windows
+ Group of windows rules.
+
+
+
+ 18100
+ ^INFORMATION
+ Windows informational event.
+
+
+
+ 18100
+ ^WARNING
+ Windows warning event.
+
+
+
+ 18100
+ ^ERROR
+ Windows error event.
+ system_error,
+
+
+
+ 18100
+ ^AUDIT_SUCCESS|^success
+ Windows audit success event.
+
+
+
+ 18100
+ ^AUDIT_FAILURE|^failure
+ Windows audit failure event.
+
+
+
+ 18105
+ ^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$
+ Windows Logon Failure.
+ win_authentication_failed,
+
+
+
+ 18104
+ ^528$|^540$|^673$|^4624$|^4769$
+ Windows Logon Success.
+ authentication_success,
+
+
+
+ 18105
+ ^577$|^4673$
+ Failed attempt to perform a privileged
+ operation.
+
+
+
+ 18104
+ ^682$|^683$|^4778$|^4779$
+ Session reconnected/disconnected to winstation.
+
+
+
+ 18104
+ ^624$|^626$|^4720$|^4722$
+ User account enabled or created.
+ adduser,account_changed,
+
+
+
+ 18104
+ ^628$|^642$|^685$|^4738$|^4781$
+ User account changed.
+ account_changed,
+
+
+
+ 18104
+ ^630$|^629$|^4725$|^4726$
+ User account disabled or deleted.
+ adduser,account_changed,
+
+
+
+ 18104
+ ^612$|^643$|^4719$|^4907$|^4912$|^4719$
+ Windows Audit Policy changed.
+ policy_changed,
+
+
+
+ 18104
+ ^632$|^4728$|^633$|^4729$|^636$|^4732$|^637$|^4733$|^639$|^4735$|
+ ^641$|^4737$|^637$|^4733$|^659$|^4755$|^660$|^4766$|^668$|^4764$|
+ ^649$|^4745$|^650$|^4746$|^651$|^4747$|^654$|^4750$|^655$|^4751$|
+ ^656$|^4752$|^659$|^4755$|^660$|^4756$|^661$|^4757$|^664$|^4760$|
+ ^665$|^4761$|^666$|^4762$
+ Group Account Changed
+ group_changed,win_group_changed,
+
+
+
+ 18104
+ ^640$
+ General account database changed.
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=640
+ adduser,account_changed,
+
+
+
+ 18104
+ ^644$|^4740$
+ User account locked out (multiple login errors).
+ authentication_failures,
+
+
+
+ 18104
+ ^513$|^4609$
+ Windows is shutting down.
+ system_shutdown,
+
+
+
+ 18104
+ ^517$|^1102$
+ Windows audit log was cleared.
+ logs_cleared,
+
+
+
+ 18107
+ alert_by_email
+
+ First time this user logged in this system.
+ authentication_success,
+
+
+
+ 18105
+ ^680$
+ Windows login attempt (ignored). Duplicated.
+
+
+
+ 18102, 18103
+ ^20187$|^20014$|^20078$|^20050$|^20049$|^20189$
+ Remote access login failure.
+ authentication_failed,
+
+
+
+ 18101
+ ^20158$
+ Remote access login success.
+ authentication_success,
+
+
+
+ 18104
+ ^646$|^645$|^647$|^4741$|^4742$|^4743$
+ Computer account added/changed/deleted.
+ account_changed,
+
+
+
+
+ ^65xxx
+ Group account added/changed/deleted.
+ This rule has been deprecated
+ account_changed,
+
+
+
+ 18103
+ ^13570$
+ Windows file system full.
+ low_diskspace,
+
+
+
+
+
+ 18106
+ ^529$|^4625$
+ Logon Failure - Unknown user or bad password.
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
+ win_authentication_failed,
+
+
+
+ 18106
+ ^530$
+ Logon Failure - Account logon time restriction
+ violation.
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=530
+ win_authentication_failed,login_denied,
+
+
+
+ 18106
+ ^531$
+ Logon Failure - Account currently disabled.
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=531
+ win_authentication_failed,login_denied,
+
+
+
+ 18106
+ ^532$
+ Logon Failure - Specified account expired.
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=532
+ win_authentication_failed,login_denied,
+
+
+
+ 18106
+ ^533$
+ Logon Failure - User not allowed to login at
+ this computer.
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=533
+ win_authentication_failed,login_denied,
+
+
+
+ 18106
+ ^534$
+ Logon Failure - User not granted logon type.
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=534
+ win_authentication_failed,
+
+
+
+ 18106
+ ^535$
+ Logon Failure - Account's password expired.
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=535
+ win_authentication_failed,
+
+
+
+ 18106
+ ^536$|^537$
+ Logon Failure - Internal error.
+ win_authentication_failed,
+
+
+
+ 18106
+ ^539$
+ Logon Failure - Account locked out.
+ win_authentication_failed,
+
+
+
+ 18105
+ ^673$|^675$|^681$|^4769$
+ Windows DC Logon Failure.
+ win_authentication_failed,
+
+
+
+ 18104
+ ^520$|^4616$
+ System time changed.
+ time_changed,
+
+
+
+ 18102
+ ^1076$
+ unexpected shutdown
+ system_error, system_shutdown,
+ Unexpected Windows shutdown.
+
+
+
+ 18104
+ ^671$|^4767$
+ User account unlocked.
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767
+ account_changed,
+
+
+
+ 18114
+ ^631$|^635$|^658$
+ Security enabled group created.
+ adduser,account_changed,
+
+
+
+ 18114
+ ^634$|^638$|^662$
+ Security enabled group deleted.
+ adduser,account_changed,
+
+
+
+
+ 18101
+ ^7040$
+ policy_changed,
+ Service startup type was changed.
+ This does not appear to be logged on Windows 2000.
+
+
+
+ 18101
+ ^11724$
+ alert_by_email
+ Application Uninstalled.
+
+
+
+ 18101
+ ^11707$
+ alert_by_email
+ Application Installed.
+
+
+
+ 18104
+ ^4608$
+ Windows is starting up.
+
+
+
+ 18104
+ ^538$|^551$|^4634$|^4647$
+ Windows User Logoff.
+
+
+
+
+
+ 18104
+ ^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$|
+ ^663$|^4759$
+ Group Account Created
+ group_created,win_group_created,
+
+
+
+ 18104
+ ^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$|
+ ^667$|^4763$
+ Group Account Deleted
+ group_deleted,win_group_deleted,
+
+
+
+ 18200
+ ^631$|^4727$
+ Security Enabled Global Group Created
+ group_created,win_group_created,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631
+
+
+
+ 18114
+ ^632$|^4728$
+ Security Enabled Global Group Member Added
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632
+
+
+
+ 18114
+ ^633$|^4729$
+ Security Enabled Global Group Member Removed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633
+
+
+
+ 18201
+ ^634$|^4730$
+ Security Enabled Global Group Deleted
+ group_deleted,win_group_deleted,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634
+
+
+
+ 18200
+ ^635$|^4731$
+ Security Enabled Local Group Created
+ group_created,win_group_created,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635
+
+
+
+ 18114
+ ^636$|^4732$
+ Security Enabled Local Group Member Added
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636
+
+
+
+ 18114
+ ^637$|^4733$
+ Security Enabled Local Group Member Removed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637
+
+
+
+ 18201
+ ^638$|^4734$
+ Security Enabled Local Group Deleted
+ group_deleted,win_group_deleted,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638
+
+
+
+ 18114
+ ^639$|^4735$
+ Security Enabled Local Group Changed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639
+
+
+
+ 18114
+ ^641$|^4737$
+ Security Enabled Global Group Changed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641
+
+
+
+ 18200
+ ^658$|^4754$
+ Security Enabled Universal Group Created
+ group_created,win_group_created,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658
+
+
+
+ 18114
+ ^659$|^4755$
+ Security Enabled Universal Group Changed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659
+
+
+
+ 18114
+ ^660$|^4756$
+ Security Enabled Universal Group Member Added
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660
+
+
+
+ 18114
+ ^661$|^4757$
+ Security Enabled Universal Group Member Removed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661
+
+
+
+ 18201
+ ^662$|^4758$
+ Security Enabled Universal Group Deleted
+ group_deleted,win_group_deleted,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662
+
+
+
+ 18207,18208
+ ID:\s+\p*S-1-5-32-544
+ Administrators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0
+ Everyone Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-9}| ID:\s+S-1-5-9
+ Enterprise Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-11}| ID:\s+S-1-5-11
+ Authenticated Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-13}| ID:\s+S-1-5-13
+ Terminal Server Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-512}| ID:\s+S-1-5-21\S+-512
+ Domain Admins Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-513}| ID:\s+S-1-5-21\S+-513
+ Domain Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18223,18203
+ Target Account Name: None
+ Local User Group NONE
+ Bogus group user added to upon creation
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-514}| ID:\s+S-1-5-21\S+-514
+ Domain Guests Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-515}| ID:\s+S-1-5-21\S+-515
+ Domain Computers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-516}| ID:\s+S-1-5-21\S+-516
+ Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-21\S+-517}| ID:\s+S-1-5-21\S+-517
+ Cert Publishers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\.+-518}| ID:\s+S-1-5-21\.+-518
+ Schema Admins Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-519}| ID:\s+S-1-5-21\S+-519
+ Enterprise Admins Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-520}| ID:\s+S-1-5-21\S+-520
+ Group Policy Creator Owners Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-21\S+-553}| ID:\s+S-1-5-21\S+-553
+ RAS and IAS Servers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-545}| ID:\s+S-1-5-32-545
+ Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-546}| ID:\s+S-1-5-32-546
+ Guests Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-547}| ID:\s+S-1-5-32-547
+ Power Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-548}| ID:\s+S-1-5-32-548
+ Account Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-549}| ID:\s+S-1-5-32-549
+ Server Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-550}| ID:\s+S-1-5-32-550
+ Print Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-551}| ID:\s+S-1-5-32-551
+ Backup Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-552}| ID:\s+S-1-5-32-552
+ Replicators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-554}| ID:\s+S-1-5-32-554
+ Pre-Windows 2000 Compatible Access Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-555}| ID:\s+S-1-5-32-555
+ Remote Desktop Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-556}| ID:\s+S-1-5-32-556
+ Network Configuration Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-557}| ID:\s+S-1-5-32-557
+ Incoming Forest Trust Builders Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-558}| ID:\s+S-1-5-32-558
+ Performance Monitor Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-559}| ID:\s+S-1-5-32-559
+ Performance Log Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-560}| ID:\s+S-1-5-32-560
+ Windows Authorization Access Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-561}| ID:\s+S-1-5-32-561
+ Terminal Server License Servers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-562}| ID:\s+S-1-5-32-562
+ Distributed COM Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-498}| ID:\s+S-1-5-\s*21\.+\s*-498
+ Enterprise Read-only Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-529}| ID:\s+S-1-5-\s*21\.+\s*-529
+ Read-only Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-569}| ID:\s+S-1-5-32-569
+ Cryptographic Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-571}| ID:\s+S-1-5-\s*21\.+\s*-571
+ Allowed RODC Password Replication Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-572}| ID:\s+S-1-5-\s*21\.+\s*-572
+ Denied RODC Password Replication Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-573}| ID:\s+S-1-5-32-573
+ Event Log Readers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-574}| ID:\s+S-1-5-32-574
+ Certificate Service DCOM Access Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18101
+ ^200$|^300$|^302$
+ TS Gateway login success.
+ authentication_success,
+ https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
+
+
+
+ 18102, 18103
+ ^201$|^203$|^204$|^301$|^304$|^305$|^306$|^1001$
+ TS Gateway login failure.
+ authentication_failed,
+ https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
+
+
+
+ 18101
+ ^202$|^303$
+ TS Gateway user disconnected.
+ https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
+
+
+
+
+ 18107,18149
+ ^528$|^538$|^540$|^4624$
+ ^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON
+ Windows Logon Success (ignored).
+
+
+
+
+
+ 18139
+ Failure Code: 0x1F
+ Windows DC integrity check on decrypted
+ field failed.
+
+ win_authentication_failed,attacks,
+
+
+
+ 18139
+ Failure Code: 0x22
+ Windows DC - Possible replay attack.
+
+ win_authentication_failed,attacks,
+
+
+
+ 18139
+ Failure Code: 0x25
+ Windows DC - Clock skew too great.
+
+ win_authentication_failed,attacks,
+
+
+
+
+
+ 18105
+ ^18456$
+ win_authentication_failed,
+ MS SQL Server Logon Failure.
+
+
+
+ 18104
+ ^18454$|^18453$
+ MS SQL Server Logon Success.
+ authentication_success,
+
+
+
+
+ 18107
+ ^4624$
+ Logon Type: 8
+ MS Exchange Logon Success.
+
+
+
+ 18149
+ ^4634$
+ Logon Type: 8
+ User Logoff Exchange.
+
+
+
+
+
+ 18108
+
+ Multiple failed attempts to perform a
+ privileged operation by the same user.
+
+
+
+ win_authentication_failed
+ Multiple Windows Logon Failures.
+ authentication_failures,
+
+
+
+ 18105
+ Multiple Windows audit failure events.
+
+
+
+ 18103
+ Multiple Windows error events.
+
+
+
+ 18102
+ Multiple Windows warning events.
+
+
+
+ 18125
+ Multiple remote access login failures.
+ authentication_failures,
+
+
+
+ 18258
+ Multiple TS Gateway login failures.
+ authentication_failures,
+
+
+
+
+ 18103
+ chromoting
+ : chromoting: \.* Access denied for client:
+ Chrome Remote Desktop attempt - access denied
+
+
+
+ 18101
+ chromoting
+ : chromoting: \.* Client connected:
+ Chrome Remote Desktop attempt - connected
+
+
+
+ 18101
+ chromoting
+ : chromoting: \.* Client disconnected:
+ Chrome Remote Desktop attempt - disconnected
+
+
+
+
+