RDP Event Log Forensics

The document discusses various Remote Desktop Protocol (RDP) related events that may be found in Windows event logs, including: 1) Successful and unsuccessful RDP logon events that indicate if an account was logged on or failed to log on. 2) RDP session disconnect events that occur when a session is disconnected from a Window Station, such as when the RDP window is closed. 3) RDP session reconnect events that show when a disconnected session is reconnected to a Window Station.


RDP Successful Logon

Network Connection
  Event ID 1149: "User authentication succeeded"
  Log: Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

Authentication
  Event ID 4624 (Logon Type 10; Type 7 for Reconnect): "An account was successfully logged on"
  Log: Security.evtx

Logon
  Event ID 21: "Remote Desktop Services: Session logon succeeded:"
  Event ID 22: "Remote Desktop Services: Shell start notification received:"
  Log: Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

youtube.com/13cubed
Source: https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation
RDP Unsuccessful Logon

Network Connection
  Event ID 1149: "User authentication succeeded"
  Log: Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

Authentication
  Event ID 4625 (Logon Type 10; Type 7 for Reconnect): "An account failed to log on"
  Log: Security.evtx
RDP Session Disconnect (Window Close)

Session Disconnect / Reconnect
  Event ID 24: "Remote Desktop Services: Session has been disconnected:"
  Event ID 40: "Session <X> has been disconnected, reason code <Z>"
  Log: Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
  Event ID 4779: "A session was disconnected from a Window Station"
  Event ID 4634 (Logon Type 10; Type 7 for Reconnect): "An account was logged off"
  Log: Security.evtx
RDP Session Disconnect (Purposeful Disconnect via Start > Disconnect)

Session Disconnect / Reconnect
  Event ID 24: "Remote Desktop Services: Session has been disconnected:"
  Event ID 39: "Session <X> has been disconnected by session <Y>"
  Event ID 40: "Session <X> has been disconnected, reason code <Z>"
  Log: Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
  Event ID 4779: "A session was disconnected from a Window Station"
  Event ID 4634 (Logon Type 10; Type 7 for Reconnect): "An account was logged off"
  Log: Security.evtx
RDP Session Reconnect

Network Connection
  Event ID 1149: "User authentication succeeded"
  Log: Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

Authentication
  Event ID 4624 (Logon Type 7): "An account was successfully logged on"
  Log: Security.evtx

Session Disconnect / Reconnect
  Event ID 25: "Remote Desktop Services: Session reconnection succeeded:"
  Event ID 40*: "Session <X> has been disconnected, reason code <Z>"
  Log: Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
  Event ID 4778: "A session was reconnected to a Window Station"
  Log: Security.evtx

  * These events also indicate/correlate to reconnections
RDP Session Logoff

Logoff
  Event ID 23: "Remote Desktop Services: Session logoff succeeded:"
  Log: Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
  Event ID 4634 (Logon Type 10; Type 7 for Reconnect): "An account was logged off"
  Event ID 4647: "User initiated logoff:"
  Log: Security.evtx
  Event ID 9009: "The Desktop Window Manager has exited with code (<X>)."
  Log: System.evtx
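As an added example (not part of the 13cubed chart or the ponderthebits post), the Python below encodes the chart's channel / event ID / logon type mapping and turns a batch of raw event records into an RDP-only timeline, dropping Security logons that are not Type 10 or 7. The record layout, the live channel names (the .evtx file names above spell the "/" in the channel name as %4) and the sample records are assumptions constructed for the demo.

```python
# Added example, not from the 13cubed chart or the ponderthebits post: classify
# Windows event records into the RDP phases listed above and build a timeline.
# The record layout and all sample values below are constructed for this demo.
RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

# Phase -> (channel, event id) pairs, exactly as laid out in the chart above.
PHASES = {
    "Network Connection": [(RCM, 1149)],
    "Authentication": [("Security", 4624), ("Security", 4625)],
    "Logon": [(LSM, 21), (LSM, 22)],
    "Session Disconnect / Reconnect": [(LSM, 24), (LSM, 25), (LSM, 39), (LSM, 40),
                                       ("Security", 4778), ("Security", 4779)],
    "Logoff": [(LSM, 23), ("Security", 4634), ("Security", 4647), ("System", 9009)],
}
RDP_EVENTS = {key: phase for phase, keys in PHASES.items() for key in keys}
# Security logon/logoff events only count as RDP for these logon types:
# 10 = RemoteInteractive, 7 = Unlock (what a reconnect produces).
RDP_LOGON_TYPES = {7, 10}
TYPE_FILTERED = {4624, 4625, 4634}


def classify(rec):
    """Return the RDP phase for one record, or None if it is not RDP-related."""
    phase = RDP_EVENTS.get((rec["channel"], rec["id"]))
    if phase is None:
        return None
    if rec["id"] in TYPE_FILTERED and rec.get("logon_type") not in RDP_LOGON_TYPES:
        return None  # e.g. a console (type 2) or network (type 3) logon
    return phase


def rdp_timeline(records):
    """Chronological (time, user, event id, phase) tuples, RDP records only."""
    rows = [(r["time"], r.get("user", "?"), r["id"], classify(r)) for r in records]
    return sorted(row for row in rows if row[3] is not None)


# Constructed sample: one RDP logon, one unrelated network logon, then the
# events a window close produces (chart: RDP Session Disconnect, Window Close).
SAMPLE = [
    {"time": "10:00:01", "channel": RCM, "id": 1149, "user": "alice"},
    {"time": "10:00:02", "channel": "Security", "id": 4624, "logon_type": 10, "user": "alice"},
    {"time": "10:00:02", "channel": "Security", "id": 4624, "logon_type": 3, "user": "svc"},
    {"time": "10:00:03", "channel": LSM, "id": 21, "user": "alice"},
    {"time": "10:00:04", "channel": LSM, "id": 22, "user": "alice"},
    {"time": "10:15:00", "channel": LSM, "id": 24, "user": "alice"},
    {"time": "10:15:00", "channel": "Security", "id": 4779, "user": "alice"},
]
```

Running `rdp_timeline(SAMPLE)` yields the six RDP events for alice in chart order and silently drops the Type 3 logon for svc; feed it records exported from the three channels (for example via PowerShell Get-WinEvent) to reconstruct a session.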
