Windows RDP Event Logs: Part-1

Arslan Sabir, published in System Weakness, Jun 1, 2023

Remote Desktop Protocol (RDP) is a widely used technology that allows users to connect remotely to another computer or server over a network. As a powerful tool for remote administration, RDP has become an attractive target for cybercriminals. Detecting and investigating suspicious RDP sessions is crucial for identifying potential security breaches, understanding attacker behaviors, and taking appropriate actions to mitigate the risks. In this article, we will explore the process of investigating RDP sessions, including the tools, techniques, and best practices that can help unravel the digital footprints left behind. In this post I will walk through the event log entries generated during an RDP session so that they are easier to investigate in case of an incident.

Network Connection — Event ID 1179

Authentication — Event ID 4624, 4625

Logon — Event ID 21, 22

Initial Indicators of Suspicious RDP Activity: The investigation of RDP sessions often begins with the identification of initial indicators that suggest a potential security incident. These may include:

a. Unusual login patterns: Numerous failed login attempts, repeated login activity from different IP addresses, or login attempts during unusual hours.

b. Anomalous user behavior: Unusual commands, file transfers, or session disconnections that deviate from normal user activity.

c. Unauthorized access: Instances where an authorized user’s account has been compromised, resulting in unauthorized RDP logins.

Before investigating an RDP session, we should first understand how an RDP connection is established. Below are the Event IDs you should know during an investigation.

Network Connection

Event ID 1179: “User authentication succeeded”

Event Location: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

Description: The user “<username>” connected from “<client device name>” on “<date and time>” and is using session ID “<session ID>”. The connection was successful.

In the log entry, “<username>” represents the user account that initiated the RDP session, “<client device name>” indicates the name of the device from which the user connected, “<date and time>” shows when the session was established, and “<session ID>” corresponds to the unique identifier assigned to the RDP session.

Event ID 1179 can be valuable for auditing and troubleshooting RDS environments, as it allows administrators to track user connections, diagnose connectivity issues, and monitor RDP session activities on RDSH servers.

Authentication

Event ID 4624: “An account was successfully logged on”

Event ID 4624 is a Windows Security event that is generated in the Windows Event Viewer when a user successfully logs on to a computer or server. The event provides information about the logon session, including the type and logon process used.

Type 10: Event ID 4624 with Type 10 indicates a remote interactive logon. It occurs when a user successfully logs on to a computer or server remotely using Remote Desktop Services (RDS) or a similar remote access method. This type of logon occurs when a user establishes a remote connection to the system and interacts with it as if they were physically present at the machine.

Type 7: Event ID 4624 with Type 7 indicates an unlock event. It occurs when a user unlocks a previously locked session. This can happen when a user presses Ctrl+Alt+Delete and enters their credentials to unlock the workstation or when a previously locked Remote Desktop session is resumed.

Event ID 4625: “An account failed to log on”

When an RDP logon attempt fails at authentication, Windows generates Event ID 4625 with Logon Type 3 if Network Level Authentication (NLA) is enabled, or with Logon Type 10 (Remote Interactive / Terminal Services / Remote Desktop) if NLA is not enabled.

A “Source Network Address” of “LOCAL” simply indicates a local session reconnection (local logon) and does NOT indicate a remote RDP session reconnection.

Logon

Event ID 21: “Remote Desktop Services: Session logon succeeded:”

This event appears after a user has been successfully authenticated (Remote Desktop Services: Session logon succeeded), so long as the “Source Network Address” is NOT “LOCAL”. Event ID 22 immediately follows this event.

Event Location: Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Event ID 22: “Remote Desktop Services: Shell start notification received:”

Indicates successful RDP logon and shell (i.e. Windows GUI Desktop) start, so long as the “Source Network Address” is NOT “LOCAL”. Event ID 22 usually immediately follows Event ID 21.

Event Location: Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

TIP: Indicates successful RDP logon and session instantiation, so long as the “Source Network Address” is NOT “LOCAL”.
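To put the Authentication and Logon sections together in practice, here is an added example (not code from the original post) that builds a single timeline from Security events 4624/4625 filtered to the logon types discussed above and LocalSessionManager events 21/22 with “LOCAL” source addresses dropped. It assumes an elevated PowerShell session on the host being examined and a default seven-day lookback; the function name is my own.

```powershell
# Added example, not from the original post: RDP logon timeline from the
# Security log (4624/4625) and the LocalSessionManager log (21/22).
# Assumes an elevated PowerShell session on the host under investigation.
function Get-RdpLogonTimeline {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    # Security log: 4624 = success, 4625 = failure. LogonType is in EventData;
    # 10 = RemoteInteractive, 7 = Unlock, 3 = Network (failures with NLA enabled).
    $security = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.LogonType -in '3', '7', '10') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Source  = $data.IpAddress
                Detail  = "LogonType=$($data.LogonType)"
            }
        }
    }

    # LocalSessionManager log: 21 = session logon succeeded, 22 = shell start.
    # An Address of "LOCAL" is a local reconnect, not a remote RDP session.
    $lsm = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 22; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.EventXML
        if ($u.Address -ne 'LOCAL') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = $u.User
                Source  = $u.Address
                Detail  = "SessionID=$($u.SessionID)"
            }
        }
    }

    # Merge both sources into one chronological view
    @($security) + @($lsm) | Sort-Object Time
}

Get-RdpLogonTimeline | Format-Table -AutoSize
```

A remote interactive logon should show up as a 4624 (LogonType=10) followed closely by 21 and 22 from the same source address; a run of 4625 events from one address with no matching 21/22 is the failed-login pattern described in the indicators above.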

Thank you for taking the time to read this blog on investigating RDP sessions. Please feel free to leave your comments and suggestions below. I appreciate your engagement and look forward to further discussions on investigating RDP sessions and related cybersecurity topics.

I hope this provides better insight into investigating RDP logs. I will cover RDP session reconnect, disconnect, and logoff events in the next write-up.