Windows RDP Event Logs: Part-2

Arslan Sabir
Published in System Weakness
5 min read · Jun 4, 2023


In the previous blog we talked about how RDP sessions are logged. If you have not read it yet, please find the link below:

In this blog we will dive into a scenario involving the investigation of an RDP session. Remote Desktop Protocol (RDP) has become an essential tool for remote access and administration, but it also poses security risks. By walking through an RDP session scenario, we aim to cover the steps, techniques, and best practices involved in understanding and responding to suspicious activity.

Session Disconnect/Reconnect — Event IDs 24, 25, 39, 40

LogOff — Event IDs 23, 4779, 4778, 4634, 4647, 9009

Event ID 24: “Remote Desktop Services: Session has been disconnected”

This event is typically paired with an Event ID 40. While investigating the RDP session we should find out why the session was disconnected; the reason is given by Event ID 40. Also investigate what other user activity took place during this session, which you can trace through the Session ID.

Event ID 25: “Remote Desktop Services: Session reconnection succeeded”

This event is typically paired with an Event ID 40. While investigating the RDP session we should note when the session was reconnected. Also investigate what other user activity took place during this session, which you can trace through the Session ID.

Event ID 39: “Session has been disconnected by session ”

This event is logged when the user has disconnected from the RDP session by selecting the corresponding menu option instead of simply closing the RDP client window.

Note: If the two session IDs in the message are different, the session was disconnected by another user.

Event ID 40: “Session has been disconnected, reason code”

Event ID 40 is registered whenever a session is disconnected, whether because of an interruption, the user disconnecting, or the user logging off. The reason codes listed below tell you why the RDP session was closed.

RDS server client disconnect code: Disconnect reason

0x00000001: The disconnection was initiated by an administrative tool on the server in another session.

0x00000002: The disconnection was due to a forced logoff initiated by an administrative tool on the server in another session.

0x00000003: The idle session limit timer on the server has elapsed.

0x00000004: The active session limit timer on the server has elapsed.

0x00000005: Another user connected to the server, forcing the disconnection of the current connection.

0x00000006: The server ran out of available memory resources.

0x00000007: The server denied the connection.

0x00000009: The user cannot connect to the server due to insufficient access privileges.

0x0000000A (10): The server does not accept saved user credentials and requires that the user enter their credentials for each connection.

0x0000000B (11): The disconnection was initiated by the user disconnecting his or her session on the server or by an administrative tool on the server.

0x0000000C (12): The disconnection was initiated by the user logging off his or her session on the server.

LogOff

Event ID 23: “Remote Desktop Services: Session logoff succeeded”

This event is logged when the user has initiated a logoff. It is typically paired with an Event ID 4634 (logoff).

Event ID 4779: “A session was disconnected from a Window Station”

This event is logged in Windows when a session was disconnected from a Window Station. It is also logged when a user returns to an existing logon session via Fast User Switching.

You can distinguish between instances of this event associated with Fast User Switching and those associated with Remote Desktop by the Client Name: and Client Address: fields, which in the case of Remote Desktop will normally differ from the local computer. The Session Name also indicates Remote Desktop, containing “RDP”, as shown in the example below.

Event ID 4634: “An account was logged off”

This event is generated whenever a user simply disconnects from an RDP session or formally logs off via the Windows Start Menu. It is typically paired with an Event ID 21.

Logon Type: 10 for RDP, or Type 7 for a reconnect.

Event ID 4778: “A session was reconnected to a Window Station”

This event is also logged when a user returns to an existing logon session via Fast User Switching. You can distinguish between instances of this event associated with Fast User Switching and those associated with Remote Desktop by the Client Name: and Client Address: fields, which in the case of Remote Desktop will normally differ from the local computer. The Session Name also indicates Remote Desktop, containing “RDP”, as shown in the example.

Event ID 4647: “User initiated logoff”

When a logoff is initiated by a user, event 4647 is generated. Once this event is triggered, user-initiated activities can no longer occur in that session. This differs from event 4634, which is generated when the session no longer exists because it was terminated.

Event ID 9009: “The Desktop Window Manager has exited with code ()”

A Desktop Window Manager exit with code 0xd00002fe indicates that the RDP connection was disconnected, not that the user ended it with a logoff.
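As an added example (not code from the original post), the following Python script decodes the Event ID 40 reason codes listed above and builds a per-session timeline from the session events (40, 24, 25, 39, 23), flagging the points the post says to check: a reconnect from a different client address, a disconnect issued from another session ID, and reason codes that involve another user or an administrative tool. The events are constructed, and the flat field names (`time`, `id`, `session`, `src`, `reason`, `by_session`) are an assumption about how an exported log was flattened.

```python
# Added example (not from the original post): decode Event ID 40 reason codes and
# build a per-session timeline with analyst flags. Sample events are constructed.
REASON_CODES = {  # Event ID 40 reason codes, as listed above
    1: "initiated by an administrative tool in another session",
    2: "forced logoff by an administrative tool in another session",
    3: "idle session limit elapsed",
    4: "active session limit elapsed",
    5: "another user connected, forcing disconnection",
    6: "server ran out of memory",
    7: "server denied the connection",
    9: "insufficient access privileges",
    10: "saved credentials not accepted",
    11: "user disconnected (or admin tool) on the server",
    12: "user logged off on the server",
}
NAMES = {21: "logon", 23: "logoff", 24: "disconnected", 25: "reconnected"}
SAMPLE_EVENTS = [  # constructed: one dict per LocalSessionManager/Operational event
    {"time": "2023-06-04T10:45:00", "id": 40, "session": 3, "reason": 5},
    {"time": "2023-06-04T10:45:00", "id": 24, "session": 3, "src": "10.0.0.5"},
    {"time": "2023-06-04T10:45:01", "id": 25, "session": 3, "src": "10.0.0.9"},
    {"time": "2023-06-04T11:10:00", "id": 39, "session": 3, "by_session": 5},
    {"time": "2023-06-04T11:10:00", "id": 40, "session": 3, "reason": 1},
    {"time": "2023-06-04T11:30:00", "id": 23, "session": 3},
]

def describe(ev):
    """One-line text for an event, decoding the ID 40 reason code."""
    if ev["id"] == 40:
        return f"40 disconnected, reason {ev['reason']:#x}: {REASON_CODES.get(ev['reason'], 'unknown')}"
    if ev["id"] == 39:
        by = "this session" if ev["by_session"] == ev["session"] else f"session {ev['by_session']}"
        return f"39 disconnected by {by}"
    return f"{ev['id']} {NAMES.get(ev['id'], 'other')}"

def session_timeline(events, session):
    """Chronological descriptions for one session ID (ties keep log order)."""
    rows = sorted((e for e in events if e["session"] == session), key=lambda e: e["time"])
    return [f"{e['time']} {describe(e)}" for e in rows]

def flag_findings(events, session):
    """Check first: address changes across reconnects, disconnects by another session, admin/other-user reasons."""
    rows = sorted((e for e in events if e["session"] == session), key=lambda e: e["time"])
    findings, srcs = [], sorted({e["src"] for e in rows if "src" in e})
    if len(srcs) > 1:
        findings.append(f"session {session}: client address changed ({', '.join(srcs)})")
    for e in rows:
        if e["id"] == 39 and e["by_session"] != session:
            findings.append(f"session {session}: disconnected by another session ({e['by_session']})")
        elif e["id"] == 40 and e["reason"] in (1, 2, 5):
            findings.append(f"session {session}: reason {e['reason']:#x} involves another session or user")
    return findings
```

Running `flag_findings(SAMPLE_EVENTS, 3)` on the constructed data surfaces the address change on reconnect and the disconnect issued from session 5, which is exactly the "different session ID" case the Event ID 39 note describes.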

I hope you have gained better insight into RDP logs and how to correlate them during an investigation. I appreciate your engagement and look forward to further discussions on investigating RDP sessions and related cybersecurity topics.
