Unraveling RDP Events: Understanding Remote Desktop Protocol for Enhanced Security.

Shreenkhala Bhattarai
7 min read · Jul 28, 2023

Within the security operation center, visibility is everything. The security operations team responds swiftly and forcefully to potential risks while being aware of information about users, assets, and known threats across security devices, servers, networks, and other sources.

Windows event logs can help with this by offering crucial observability into what is happening across your organization’s network and digital footprint. But for SOC teams, figuring out where to look is not always simple, because the logs are probably capturing huge amounts of data. It is not always obvious which events indicate something significant, such as a security breach, and require further investigation.

It is becoming more and more common for bad actors to manipulate or clear the security event logs on compromised machines, and depending on the situation, RDP sessions do not always register simply as a type 10 logon. As actions are taken and various processes are involved, RDP activity records events in a number of different logs.

Here are some event IDs to look for when investigating Remote Desktop Services:

Event IDs

Research on remote desktop connections shows that a single event ID is insufficient to identify a connection. RDP connection logging is understood more clearly through sequences of related event IDs. The following event sequences help improve visibility in the logs:

Successful RDP connection

RDP Successful Logon

Event ID 1149 does not denote a successful user authentication; rather, it denotes a successful network connection, i.e., that an RDP network connection to the target machine was made and that the target machine responded by displaying a login window for the subsequent step of entering credentials. For instance, if I launch the Remote Desktop Connection program on my computer, enter the target IP, and hit enter, the target system’s logon screen appears and an Event ID 1149 is generated indicating I connected to the target, well before I enter any credentials.

“An Event ID 1149 DOES NOT indicate successful authentication to a target, only a successful RDP network connection”.

Event ID 4624 indicates that a user successfully logged on to the system. A Type 3 logon is recorded when Network Level Authentication (NLA) is used.

Type 10 logon: RemoteInteractive, the logon type for RDP.

Logon type 7: reconnection to the machine through RDP (occurs when a user unlocks, or attempts to unlock, a previously locked workstation).

Event ID 21: This event appears after a user has been successfully authenticated to Remote Desktop Services (session logon succeeded).

Event ID 22: This event follows Event ID 21 immediately. Note that a “Source Network Address” of “LOCAL” simply denotes a local logon and DOES NOT denote a remote RDP logon. This event, with a “Source Network Address” of “LOCAL”, is also produced during system (re)boot/initialization (shortly after the associated Event ID 21).
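The sequence above (1149, then 4624, then 21 and 22 with a remote source address) is what actually establishes a remote RDP logon. The following is an added example, not code from the original post, that correlates constructed event records into confirmed remote logons and separately lists 1149 connections that were never followed by a session logon. The field names (`id`, `log`, `user`, `source_ip`, `logon_type`, `logon_id`, `session_id`, `ts`) are an assumed flattening of the EVTX XML; real exports vary by tool, and the timestamps are simple integers for readability.

```python
"""Correlate Windows event records into confirmed remote RDP logons.

Added example, not code from the original post. Every record below is a
constructed dict; field names are an assumed flattening of the EVTX XML.
"""
from collections import defaultdict

# Constructed sample: one genuine remote logon, one 1149 with no follow-up
# (a client reached the logon screen but never authenticated), and a console
# session whose 21/22 carry "LOCAL" and must not be reported as remote.
EVENTS = [
    # RDP network connection succeeded (RemoteConnectionManager/Operational)
    {"id": 1149, "log": "RemoteConnectionManager", "user": "alice", "source_ip": "203.0.113.5", "ts": 100},
    # Security log: successful logon, type 10 (RemoteInteractive)
    {"id": 4624, "log": "Security", "user": "alice", "logon_type": 10, "source_ip": "203.0.113.5",
     "logon_id": "0x3e7a1", "ts": 102},
    # Session logon succeeded (LocalSessionManager/Operational), then shell start
    {"id": 21, "log": "LocalSessionManager", "user": "alice", "session_id": 3, "source_ip": "203.0.113.5", "ts": 103},
    {"id": 22, "log": "LocalSessionManager", "user": "alice", "session_id": 3, "source_ip": "203.0.113.5", "ts": 104},
    # A 1149 with nothing after it: a logon screen was shown, nobody authenticated
    {"id": 1149, "log": "RemoteConnectionManager", "user": "", "source_ip": "198.51.100.9", "ts": 200},
    # Console logon: 21/22 with LOCAL source are not remote RDP logons
    {"id": 4624, "log": "Security", "user": "bob", "logon_type": 2, "source_ip": "-", "logon_id": "0x5c21", "ts": 300},
    {"id": 21, "log": "LocalSessionManager", "user": "bob", "session_id": 1, "source_ip": "LOCAL", "ts": 301},
    {"id": 22, "log": "LocalSessionManager", "user": "bob", "session_id": 1, "source_ip": "LOCAL", "ts": 302},
]

RDP_LOGON_TYPES = {10, 7}   # 10 = RemoteInteractive, 7 = unlock/reconnect
NLA_LOGON_TYPE = 3          # with NLA the credential check is logged as type 3


def confirmed_rdp_logons(events, window=60):
    """One record per Event ID 21 with a remote source that is preceded, within
    `window` seconds, by a 4624 for the same user with an RDP-consistent logon
    type. A bare 1149 never counts as authentication."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.get("user", "")].append(ev)
    hits = []
    for ev in events:
        if ev["id"] != 21 or ev.get("source_ip") in ("LOCAL", "-", ""):
            continue
        earlier = [e for e in by_user[ev["user"]]
                   if e["id"] == 4624 and 0 <= ev["ts"] - e["ts"] <= window
                   and e.get("logon_type") in RDP_LOGON_TYPES | {NLA_LOGON_TYPE}]
        if not earlier:
            continue
        logon = earlier[-1]
        hits.append({
            "user": ev["user"],
            "session_id": ev["session_id"],
            "source_ip": ev["source_ip"],
            "logon_id": logon["logon_id"],
            "logon_type": logon["logon_type"],
            # Was a 1149 from the same client seen just before? Context only.
            "network_connect_seen": any(
                e["id"] == 1149 and e["source_ip"] == ev["source_ip"]
                and 0 <= ev["ts"] - e["ts"] <= window for e in events),
        })
    return hits


def unauthenticated_connections(events, window=60):
    """Source addresses of 1149 records with no Event ID 21 from the same
    source within `window`: the logon screen was reached, no session logon."""
    out = []
    for ev in events:
        if ev["id"] != 1149:
            continue
        followed = any(e["id"] == 21 and e.get("source_ip") == ev["source_ip"]
                       and 0 <= e["ts"] - ev["ts"] <= window for e in events)
        if not followed:
            out.append(ev["source_ip"])
    return out


if __name__ == "__main__":
    for h in confirmed_rdp_logons(EVENTS):
        print("remote RDP logon:", h)
    print("1149 without session logon from:", unauthenticated_connections(EVENTS))
```

The `window` is deliberately short: a 4624 minutes before a 21 for the same user is more likely a different logon. When NLA is on, the credential check appears as a type 3 logon, which is why type 3 is accepted alongside types 10 and 7.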

Unsuccessful RDP connection

RDP Unsuccessful logon

Event ID 4625: When an attempt to log in over RDP fails, a 4625 Type 3 failure (if NLA is enabled) or a 4625 Type 10 failure (if NLA is not enabled; Remote Interactive/Terminal Services/Remote Desktop) is generated.

This is helpful in recognizing failed (brute-force) attempts and determining when and where an attacker might be using compromised or stolen credentials. The Status/Sub Status code is also useful for identifying legitimate failures (such as “expired password”) and can offer insight into attacker activity (for example, repeated “user name does not exist” codes could indicate brute-force guessing by a tool and/or a lack of knowledge of valid usernames on the attacker’s part).
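To make the Sub Status distinction above concrete, here is an added example (not code from the original post) that groups RDP-type 4625 records per source address and labels each source by the pattern of its failure reasons. The Sub Status values are the standard NTSTATUS codes Windows writes into 4625 (the post names two of them, “user name does not exist” and “expired password”); the records and their field names are a constructed flattening of the event XML.

```python
"""Summarize Security 4625 failures to separate guessing from legitimate failures.

Added example, not code from the original post. Records are constructed dicts;
the Sub Status mapping uses the standard NTSTATUS values found in 4625.
"""
from collections import Counter, defaultdict

# Standard NTSTATUS values seen in the 4625 SubStatus field.
SUB_STATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
    0xC000006F: "logon outside allowed hours",
}
RDP_LOGON_TYPES = {3, 10}  # 3 when NLA is on, 10 when it is off

# Constructed sample: unknown-user failures from one address, two bad passwords
# for a real account from another, and a single expired-password failure.
FAILURES = [
    {"id": 4625, "logon_type": 3, "user": "admin", "source_ip": "198.51.100.7", "sub_status": 0xC0000064},
    {"id": 4625, "logon_type": 3, "user": "administrator", "source_ip": "198.51.100.7", "sub_status": 0xC0000064},
    {"id": 4625, "logon_type": 3, "user": "test", "source_ip": "198.51.100.7", "sub_status": 0xC0000064},
    {"id": 4625, "logon_type": 3, "user": "backup", "source_ip": "198.51.100.7", "sub_status": 0xC0000064},
    {"id": 4625, "logon_type": 3, "user": "alice", "source_ip": "203.0.113.5", "sub_status": 0xC000006A},
    {"id": 4625, "logon_type": 3, "user": "alice", "source_ip": "203.0.113.5", "sub_status": 0xC000006A},
    {"id": 4625, "logon_type": 10, "user": "carol", "source_ip": "203.0.113.20", "sub_status": 0xC0000071},
    {"id": 4624, "logon_type": 2, "user": "dave", "source_ip": "-"},  # success, ignored
]


def describe(sub_status):
    """Human-readable reason for a Sub Status value, or the raw hex if unmapped."""
    return SUB_STATUS.get(sub_status, f"unmapped 0x{sub_status:08X}")


def rdp_failures_by_source(events):
    """Per source address: attempt count, distinct user names tried, and a
    breakdown of failure reasons. Only RDP-type 4625 records are counted."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "reasons": Counter()})
    for ev in events:
        if ev["id"] != 4625 or ev.get("logon_type") not in RDP_LOGON_TYPES:
            continue
        s = per_ip[ev["source_ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        s["reasons"][describe(ev["sub_status"])] += 1
    return per_ip


def classify(summary, min_attempts=3):
    """Label each source. Many unknown-user failures across several names read
    as blind guessing; repeated wrong passwords for one existing account look
    like a targeted attempt; a lone expiry is a legitimate failure."""
    labels = {}
    for ip, s in summary.items():
        unknown = s["reasons"]["user name does not exist"]
        if s["attempts"] >= min_attempts and unknown == s["attempts"] and len(s["users"]) > 1:
            labels[ip] = "username guessing"
        elif s["reasons"]["wrong password"] >= 2 and len(s["users"]) == 1:
            labels[ip] = "repeated bad password for existing account"
        elif s["reasons"]["password expired"] == s["attempts"]:
            labels[ip] = "legitimate failure (expired password)"
        else:
            labels[ip] = "review"
    return labels


if __name__ == "__main__":
    summary = rdp_failures_by_source(FAILURES)
    for ip, label in classify(summary).items():
        print(ip, label, dict(summary[ip]["reasons"]))
```

The thresholds in `classify` are illustrative; in production they would be tuned per environment and applied over a time window rather than to the whole export.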

RDP Session Disconnect (Windows Close)

RDP Session Disconnect

Event ID 24: While investigating an RDP session, we should determine why it was terminated; this can be done by looking at the accompanying Event ID 40. Additionally, look into any user activity that occurred during the session, which you can do using the Session ID.

When the “Source Network Address” contains a remote IP address, the user has disconnected from an RDP session. A “Source Network Address” of “LOCAL” indicates a local session disconnection, NOT a remote RDP disconnection. Take note of the “Source Network Address” as the origin of the RDP connection. This event is frequently paired with Event ID 40. Also note the SessionID to track/link additional Event Log activity to this user’s RDP session.

Event ID 40: Even though the description is always “Session has been disconnected”, these events also indicate or relate to reconnections, not just disconnections. The most useful piece of information here is the Reason Code; Reason Code 0, “No additional information is available”, happens when a user abruptly Xs out of a session and is frequently paired with Event ID 24.

RDP Session Disconnect (Purposeful Disconnect via start > Disconnect)

RDP purposeful session disconnect

Event ID 39: This indicates that a user has formally disconnected from an RDP session via a purposeful Disconnect (for example, the Windows Start Menu Disconnect option), as opposed to merely X’ing out of the RDP window. Where the Session IDs X and Y in the event are different, a separate RDP session disconnected (i.e. kicked off) the specified user.

Event ID 40: As above, the description is always “Session has been disconnected”, but these events also relate to reconnections, not just disconnections. The Reason Code is the most useful field; Reason Code 0, “No additional information is available”, occurs when a user Xs out of a session and is frequently paired with Event ID 24.

Event ID 4779: This occurs when a user disconnects from an RDP session. Typically paired with Event ID 24 and likely Event IDs 39 and 40. The SessionName, ClientAddress, and LogonID can all be useful for identifying the source and associated activity.

Event ID 4634: These occur whenever a user simply disconnects from an RDP session or formally logs off (via Windows Start Menu Logoff). It can be correlated with the matching logon event (Logon Type 10) via the Logon ID.

RDP Session Reconnect

RDP session reconnect

Event ID 4624 indicates that a user successfully logged on to the system.

Logon type 7: reconnection to the machine through RDP (occurs when a user unlocks, or attempts to unlock, a previously locked workstation).

Event ID 25: When the “Source Network Address” contains a remote IP address, the user has reconnected to an RDP session. A “Source Network Address” of “LOCAL” indicates a local session reconnection, NOT a remote RDP session reconnection. Take note of the “Source Network Address” as the origin of the RDP connection. This event is frequently paired with Event ID 40. Also note the SessionID when tracking or linking additional Event Log activity to this user’s RDP session.

Event ID 40: Although the description is always “Session has been disconnected”, these events also indicate/correlate to reconnections, not just disconnections. The most helpful information here is the Reason Code; Reason Code 5, “The client’s connection was replaced by another connection”, occurs when a user reconnects to an RDP session and is typically paired with an Event ID 25.

Event ID 4778: Occurs when a user reconnects to an existing RDP session. Typically paired with Event ID 25. The SessionName, ClientAddress, and LogonID can all be useful for identifying the source and associated activity.

RDP Session Logoff

RDP session logoff

Event ID 23: The user has initiated a logoff. This is typically paired with an Event ID 4634 (logoff). Take note of the SessionID as a means of tracking/associating additional Event Log activity with this user’s RDP session. This event will also be generated upon a system shutdown/reboot.

Event ID 4634: These occur whenever a user simply disconnects from an RDP session or formally logs off (via Windows Start Menu Logoff). It can be correlated with the matching logon event via the Logon ID (Logon Type 10 for the original RDP logon, Logon Type 7 for a reconnect).

Event ID 4647: These are not necessarily RDP-specific and happen whenever a user initiates a formal system logoff. As there is no associated LogonType to specify which it is, you will need to use reasoning and temporal analysis to determine whether or not it is connected to a system logoff via an RDP session or is from a local interactive session.

Event ID 9009: This event is logged when a user formally closes an RDP connection and indicates the RDP desktop GUI has been shut down as a result. It is useful for identifying a closed/finalized RDP connection.
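The disconnect, reconnect and logoff sections above all hinge on the same two join keys: the Session ID that ties Event IDs 21 through 25, 39 and 40 together in the LocalSessionManager log, and the Logon ID that ties 4778, 4779 and 4634 together in the Security log. The following is an added example, not code from the original post, that rebuilds one session’s lifecycle from constructed records covering all three sections: a window close (24 plus 40 reason 0), a reconnect from a different address (25 plus 40 reason 5), a kick-off by another session (39 with differing session IDs) and the final logoff (23, 4634, 9009). The field names and integer timestamps are assumptions about how an export would be flattened.

```python
"""Rebuild the lifecycle of one RDP session from LocalSessionManager and Security records.

Added example, not code from the original post. Every record below is a
constructed dict; field names are an assumed flattening of the EVTX XML.
LocalSessionManager events (21-25, 39, 40) are joined on Session ID;
Security events 4778/4779/4634 are joined on Logon ID.
"""

# Reason codes for Event ID 40 discussed in the post; anything else is left unmapped.
REASON_CODES = {0: "no additional information (window closed)",
                5: "client connection replaced by another connection (reconnect)"}

# Constructed sample: alice logs on, closes the window, reconnects from another
# address, is later kicked off by a second session (5), and finally logs off.
SESSION_EVENTS = [
    {"id": 21, "session_id": 3, "user": "alice", "source_ip": "203.0.113.5", "ts": 100},
    {"id": 22, "session_id": 3, "user": "alice", "source_ip": "203.0.113.5", "ts": 101},
    {"id": 24, "session_id": 3, "user": "alice", "source_ip": "203.0.113.5", "ts": 500},
    {"id": 40, "session_id": 3, "reason": 0, "ts": 500},
    {"id": 4779, "logon_id": "0x3e7a1", "session_name": "RDP-Tcp#3", "client_address": "203.0.113.5", "ts": 500},
    {"id": 25, "session_id": 3, "user": "alice", "source_ip": "198.51.100.42", "ts": 900},
    {"id": 40, "session_id": 3, "reason": 5, "ts": 900},
    {"id": 4778, "logon_id": "0x3e7a1", "session_name": "RDP-Tcp#4", "client_address": "198.51.100.42", "ts": 900},
    {"id": 39, "session_id": 3, "by_session_id": 5, "ts": 1200},
    {"id": 24, "session_id": 3, "user": "alice", "source_ip": "198.51.100.42", "ts": 1200},
    {"id": 40, "session_id": 3, "reason": 0, "ts": 1200},
    {"id": 23, "session_id": 3, "user": "alice", "ts": 1500},
    {"id": 4634, "logon_id": "0x3e7a1", "logon_type": 10, "ts": 1500},
    {"id": 9009, "ts": 1501},
    # a console session on the same host; must not leak into session 3's story
    {"id": 24, "session_id": 1, "user": "bob", "source_ip": "LOCAL", "ts": 1600},
]


def session_timeline(events, session_id, logon_id=None):
    """Return (timestamp, description) pairs for one session, in time order."""
    steps = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # stable sort keeps log order on ties
        eid = ev["id"]
        if ev.get("session_id") == session_id:
            if eid == 21:
                steps.append((ev["ts"], f"session logon from {ev['source_ip']}"))
            elif eid == 22:
                steps.append((ev["ts"], "shell started"))
            elif eid == 23:
                steps.append((ev["ts"], "logoff"))
            elif eid == 24:
                where = "local" if ev["source_ip"] == "LOCAL" else f"remote client {ev['source_ip']}"
                steps.append((ev["ts"], f"disconnect ({where})"))
            elif eid == 25:
                steps.append((ev["ts"], f"reconnect from {ev['source_ip']}"))
            elif eid == 39:
                by = "itself" if ev["by_session_id"] == session_id else f"session {ev['by_session_id']}"
                steps.append((ev["ts"], f"formal disconnect by {by}"))
            elif eid == 40:
                steps.append((ev["ts"], f"reason {ev['reason']}: {REASON_CODES.get(ev['reason'], 'unmapped')}"))
        elif logon_id is not None and ev.get("logon_id") == logon_id:
            label = {4778: "4778 session reconnected", 4779: "4779 session disconnected",
                     4634: "4634 logoff"}.get(eid, f"event {eid}")
            steps.append((ev["ts"], f"{label} (LogonId {logon_id})"))
    return steps


def client_addresses(events, session_id):
    """Remote addresses a session was attached from (Event IDs 21 and 25).
    More than one address means the session changed hands between clients."""
    return sorted({ev["source_ip"] for ev in events
                   if ev.get("session_id") == session_id and ev["id"] in (21, 25)
                   and ev["source_ip"] != "LOCAL"})


def kicked_off(events):
    """(session, by_session) pairs from Event ID 39 where another session did the disconnect."""
    return [(ev["session_id"], ev["by_session_id"]) for ev in events
            if ev["id"] == 39 and ev["by_session_id"] != ev["session_id"]]


if __name__ == "__main__":
    for ts, what in session_timeline(SESSION_EVENTS, 3, logon_id="0x3e7a1"):
        print(ts, what)
    print("addresses:", client_addresses(SESSION_EVENTS, 3))
    print("kicked off:", kicked_off(SESSION_EVENTS))
```

Two things the timeline makes visible that a single event does not: a reconnect from an address different from the original logon, and a 39 whose two session IDs differ, meaning someone else took the session over.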

Logon Type

[Image: table of Windows logon types]

Failed Logon Status

[Image: table of 4625 failed logon status codes]

References:

https://frsecure.com/blog/rdp-connection-event-logs/
