When monitoring event logs for Remote Desktop Protocol (RDP) logins on a Windows system, several specific Event IDs and field patterns should be examined. The logon, logoff and session events are recorded in the Security log on the target host (they are only written if the Audit Logon, Audit Logoff and Audit Other Logon/Logoff Events subcategories are enabled), and RDP-specific connection events are also written to the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational and Microsoft-Windows-TerminalServices-LocalSessionManager/Operational logs. By paying attention to the following events, security administrators can detect and investigate remote desktop logon activity. Here are the key Event IDs and indicators to watch for:
Event ID 4624 - Successful Logon:
Description: Generated on the target host when a user successfully logs on.
Fields to Check:
- Logon Type: The RDP session itself is Logon Type 10 (RemoteInteractive). With Network Level Authentication (NLA) enabled, which is the default, it is preceded by a Logon Type 3 event with Logon Process NtLmSsp (the CredSSP pre-authentication, when NTLM is used). Reconnecting to an existing session can produce Logon Type 7 (Unlock) instead of a new Logon Type 10.
- Security ID / Account Name: Identifies the user.
- Logon Process: User32 for the Logon Type 10 event. NtLmSsp appears only on the Logon Type 3 pre-authentication event, and it also appears on every other NTLM network logon (SMB, for example), so it is not an RDP indicator by itself; a filter that combines Logon Type 10 with NtLmSsp matches nothing.
- Source Network Address / Workstation Name: The client IP address and host name. A public address, or a workstation name that is not a managed host, is the first thing to check.
- Example Query:
EventID=4624 AND LogonType=10
Event ID 4625 - Failed Logon:
Description: Generated on the target host when a logon attempt fails.
Fields to Check:
- Logon Type: With NLA enabled, a failed RDP attempt is rejected during CredSSP pre-authentication and is logged as Logon Type 3 with Logon Process NtLmSsp; it never reaches Logon Type 10. Logon Type 10 failures appear only on hosts with NLA disabled. Because the Logon Type 3 / NtLmSsp pattern also matches other NTLM failures, the query below returns a superset of RDP failures; confirm the source with the RDP session events.
- Account Name: Identifies the targeted account. The Security ID on a failed logon is the NULL SID (S-1-0-0), so filter on Account Name instead.
- Status / Sub Status: Sub Status 0xC000006A is a wrong password and 0xC0000064 an unknown user name; Status 0xC0000234 is a locked-out account and 0xC0000072 a disabled one. Many 0xC0000064 results across different names indicate username enumeration; many 0xC000006A results against one account indicate password guessing.
- Source Network Address: Count failures per source address. On NLA failures this field is sometimes "-"; take the client address from the Remote Desktop Services operational logs or from firewall logs in that case.
- Example Query:
EventID=4625 AND (LogonType=10 OR (LogonType=3 AND LogonProcessName="NtLmSsp"))
Event ID 4778 - Session Reconnected to Window Station:
Description: Generated when a user reconnects to an existing, disconnected session. This event belongs to the Other Logon/Logoff Events audit subcategory and has no Logon Type or Logon Process field; the RDP indicator is the Session Name.
Fields to Check:
- Account Name / Account Domain: Identifies the user.
- Session Name: RDP-Tcp#<n> for a Remote Desktop session; Console for a local fast-user-switching reconnect.
- Client Name / Client Address: The connecting host and its IP address, which is usually the most dependable source address for an RDP session.
- Example Query:
EventID=4778 AND SessionName LIKE "RDP-Tcp*"
Event ID 4779 - Session Disconnected from Window Station:
Description: Generated when a user disconnects from a session without logging off; the session keeps running and can be resumed later. Pairing it with the preceding 4778 for the same account and session name gives the session's duration.
Fields to Check:
- Account Name / Account Domain: Identifies the user.
- Session Name: RDP-Tcp#<n> for Remote Desktop sessions. There is no Logon Type or Logon Process field on this event.
- Client Name / Client Address: The host the session was disconnected from and its IP address.
- Example Query:
EventID=4779 AND SessionName LIKE "RDP-Tcp*"
Event ID 4776 - Credential Validation:
Description: Generated when the computer validates an account's credentials through NTLM. For domain accounts it is logged on the domain controller, for local accounts on the RDP host itself. It carries no Logon Type or Logon Process field, so it cannot by itself distinguish RDP from any other NTLM authentication; its value lies in correlating the failure reason and source workstation seen on the domain controller with the 4625 events on the target host.
Fields to Check:
- Logon Account: The account whose credentials were validated (there is no Security ID field on this event).
- Source Workstation: The client host name as presented by the client.
- Error Code: 0x0 is success; 0xC000006A is a wrong password, 0xC0000064 an unknown user name and 0xC0000234 a locked-out account.
- Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, which is NTLM.
- Example Query:
EventID=4776 AND ErrorCode!="0x0"
Event ID 9003 - RDP Licensing:
Description: Generated when a Remote Desktop licensing server is activated or a licensing error occurs. Licensing events describe the state of the licensing configuration, not a logon, so they do not identify who connected; they are useful when Remote Desktop Services refuses connections for licensing reasons. RDP-specific connection events outside the Security log are in the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log (Event ID 1149, user authentication succeeded, which includes the source network address) and the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log (Event ID 21 session logon succeeded, 24 session disconnected, 25 session reconnection succeeded).
Fields to Check:
- Log Name: Look for entries in the “Microsoft-Windows-TerminalServices-Licensing/Operational” log.
- Example Query:
EventID=9003
Additional Considerations:
- Filter by Source IP: Filter on Source Network Address (4624/4625) or Client Address (4778/4779) to separate expected sources, such as jump hosts and VPN address pools, from unexpected ones. Any RDP logon from a public address means the host is reachable from the Internet and needs immediate attention.
- Regular Patterns: Baseline each account's usual logon hours and source addresses. Logons outside business hours, from a new source address, or to many hosts within a short time (a sign of lateral movement) deserve review.
- Anomaly Detection: Implement anomaly detection against that baseline to flag deviations from normal user behavior, which helps surface unauthorized access that no single event reveals.
- Correlation with Other Events: Correlate a burst of 4625 failures from one source followed by a 4624 from the same source (a brute-force attempt that succeeded), and correlate RDP logons with account management events such as 4720 (user account created) and 4728/4732 (member added to a global/local group) or with changes in system configuration.
Log Analysis Tools:
Using log analysis tools, Security Information and Event Management (SIEM) solutions, or custom scripts can significantly aid in monitoring and analyzing these events efficiently. These tools can help automate log analysis, alerting, and reporting for RDP logon activities, making it easier for security administrators to identify and respond to potential threats.
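The filters and correlations described above, implemented as an added example in Python (this is not code from the original page). Live records would come from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4778,4779} or a SIEM export; here the events are constructed samples, and the field names (LogonType, LogonProcessName, IpAddress, SessionName, ClientAddress) are the Security-log XML EventData names. The thresholds (five failures within five minutes, business hours 08:00 to 18:00) are illustrative assumptions.

```python
"""Detection logic over RDP-related Windows Security-log events.
The records are CONSTRUCTED samples (not real log data) shaped like EventData
exported by Get-WinEvent or a SIEM; field names are the Security-log XML names."""
from collections import defaultdict
from datetime import datetime, timedelta


def at(h, m, s=0):  # sample timestamps, all on one day
    return datetime(2024, 3, 1, h, m, s)


SAMPLE_EVENTS = [
    # Ten NLA-style failures (LogonType 3, NtLmSsp) from one source within 45 s ...
    *[{"EventID": 4625, "TimeCreated": at(2, 0, s), "TargetUserName": "admin",
       "LogonType": 3, "LogonProcessName": "NtLmSsp", "IpAddress": "203.0.113.7",
       "Status": "0xC000006D", "SubStatus": "0xC000006A"} for s in range(0, 50, 5)],
    # ... then the success: NLA pre-auth (type 3) followed by the session (type 10)
    {"EventID": 4624, "TimeCreated": at(2, 1, 0), "TargetUserName": "admin",
     "LogonType": 3, "LogonProcessName": "NtLmSsp", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "TimeCreated": at(2, 1, 1), "TargetUserName": "admin",
     "LogonType": 10, "LogonProcessName": "User32", "IpAddress": "203.0.113.7"},
    # Normal business-hours RDP session from the internal jump host
    {"EventID": 4624, "TimeCreated": at(10, 15), "TargetUserName": "jdoe",
     "LogonType": 10, "LogonProcessName": "User32", "IpAddress": "10.0.0.5"},
    # A Kerberos network logon (e.g. SMB) that must NOT be counted as RDP
    {"EventID": 4624, "TimeCreated": at(10, 16), "TargetUserName": "svc_backup",
     "LogonType": 3, "LogonProcessName": "Kerberos", "IpAddress": "10.0.0.9"},
    # Reconnect / disconnect pair on the RDP listener (no LogonType on these IDs)
    {"EventID": 4778, "TimeCreated": at(10, 20), "AccountName": "jdoe",
     "SessionName": "RDP-Tcp#3", "ClientAddress": "10.0.0.5"},
    {"EventID": 4779, "TimeCreated": at(11, 5), "AccountName": "jdoe",
     "SessionName": "RDP-Tcp#3", "ClientAddress": "10.0.0.5"},
]


def is_rdp_logon(ev):
    """4624/4625 belonging to an RDP attempt. LogonType 10 is the RemoteInteractive
    session itself; with NLA enabled the CredSSP pre-auth appears first as LogonType 3
    with LogonProcessName NtLmSsp, and a failed attempt never gets past that stage."""
    if ev["EventID"] not in (4624, 4625):
        return False
    logon_type = int(ev.get("LogonType", 0))
    return logon_type == 10 or (logon_type == 3 and ev.get("LogonProcessName") == "NtLmSsp")


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP with >= threshold RDP failures inside a sliding window and
    report whether an RDP success from the same IP followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if is_rdp_logon(ev):
            bucket = failures if ev["EventID"] == 4625 else successes
            bucket[ev.get("IpAddress", "-")].append(ev)
    alerts = []
    for ip, fails in failures.items():
        start = 0
        for end, ev in enumerate(fails):
            while ev["TimeCreated"] - fails[start]["TimeCreated"] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                later = [s for s in successes[ip] if s["TimeCreated"] >= ev["TimeCreated"]]
                alerts.append({"ip": ip, "failures": end - start + 1,
                               "accounts": sorted({f["TargetUserName"] for f in fails[start:end + 1]}),
                               "success_after": later[0]["TimeCreated"] if later else None})
                break  # one alert per source is enough
    return alerts


def off_hours_sessions(events, business_start=8, business_end=18):
    """RDP sessions (4624 with LogonType 10 only) that started outside business hours."""
    return [ev for ev in events if ev["EventID"] == 4624 and int(ev.get("LogonType", 0)) == 10
            and not business_start <= ev["TimeCreated"].hour < business_end]


def rdp_session_timeline(events):
    """Pair 4778 (reconnect) with 4779 (disconnect) by account and session name on the
    RDP-Tcp listener only; Console (fast user switching) sessions are ignored."""
    open_sessions, timeline = {}, []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] not in (4778, 4779) or not ev.get("SessionName", "").startswith("RDP-Tcp"):
            continue
        key = (ev["AccountName"], ev["SessionName"])
        if ev["EventID"] == 4778:
            open_sessions[key] = ev
            continue
        opened = open_sessions.pop(key, None)
        timeline.append({"account": key[0], "session": key[1], "client": ev["ClientAddress"],
                         "connected": opened["TimeCreated"] if opened else None,
                         "disconnected": ev["TimeCreated"]})
    for key, ev in open_sessions.items():  # reconnected but not yet disconnected
        timeline.append({"account": key[0], "session": key[1], "client": ev["ClientAddress"],
                         "connected": ev["TimeCreated"], "disconnected": None})
    return timeline


if __name__ == "__main__":
    print("brute force:", detect_bruteforce(SAMPLE_EVENTS))
    print("off-hours sessions:", [(e["TargetUserName"], e["IpAddress"]) for e in off_hours_sessions(SAMPLE_EVENTS)])
    print("sessions:", rdp_session_timeline(SAMPLE_EVENTS))
```

On the sample data the brute-force detector reports 203.0.113.7 with five failures against admin and a success at 02:01:00, the off-hours check flags the admin session at 02:01:01, and the session timeline pairs jdoe's RDP-Tcp#3 reconnect at 10:20 with the disconnect at 11:05. The Kerberos network logon by svc_backup is never counted as RDP, which is the point of testing Logon Type 10 rather than Logon Process.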