Forensic Analysis: Hunting RDP Artefacts

Trident

Feb 7, 2023

Windows Event Logs: The RDP Investigator’s Best Friend

When attackers use RDP, they inevitably trip over Windows Event Logs — leaving footprints that a savvy investigator can find. The two main places to check are the Security log and the RDP-related logs under Terminal Services. Let’s break down the key evidence in these logs:

  • Successful Logons (Event ID 4624) — A successful RDP logon shows up as Event 4624 in the Security log. But here’s a twist: if Network Level Authentication (NLA) is enabled (and it usually is these days), you might not see the expected “Logon Type 10” (RemoteInteractive) right away. Instead, the first logon event often appears as Logon Type 3 (Network) because of NLA’s pre-authentication, followed by a Type 10 once the desktop session actually starts. In other words, NLA makes an RDP logon look like a network logon at first. Don’t let that fool you — a Type 3 from an unfamiliar IP and a subsequent Type 10 means someone just RDP’d in. (Fun fact: reconnecting to an existing RDP session can even show up as Type 7, “workstation unlocked,” if the session was just locked. Context is everything!)
  • Failed Logons (Event ID 4625) — Attackers often brute-force RDP credentials, and failed attempts appear as Event 4625. The same NLA caveat applies: with NLA on, RDP failure audits often log as Type 3 (Network) failures; without NLA, you’d expect Type 10 for RDP failures. So if you see a burst of Type 3 4625s, it may be someone hammering away at RDP logins (with NLA rejecting them before the GUI even shows). Check the Status codes — repeated “username not found” or “bad password” codes are a sign of brute-force tools at play.
  • Network Connection Events — Before a logon, there’s the network handshake. In the TerminalServices-RemoteConnectionManager log, Event ID 1149 “User authentication succeeded” is logged when an RDP network connection is made. Despite the wording, 1149 doesn’t mean a user actually logged on interactively — it just means someone successfully connected to the RDP service and reached the login screen. Repeat after me: 1149 is not a full login, just a connection. Still, it’s a great indicator that someone at IP X tried to start an RDP session on Machine Y at time Z.
  • Session Start/End Events — The TerminalServices-LocalSessionManager log on the target records events like session connect/disconnect and logon time. For example, Event 21 (Remote Desktop Services: Session logon succeeded) and Event 24 (Session logoff) can tell you when an RDP session started and ended. If an attacker connects and quickly disconnects, these logs spill the timing. Coupled with Security logon events, you get the full picture of who, when, and from where.