Automatically generated based on tag:
| Title | Type | Summary |
|---|---|---|
| ETW - Remote Desktop - Destination host | Page | Destination host of a Remote Desktop access. Main events: Channel: Security. Event ID 4624: "An account was successfully logged on", with LogonType 10. Channel: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational. Event ID 1149: "Remote Desktop Services: User authentication succeeded". Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. Event ID 21: "Remote Desktop Services: Session logon succeeded". Event ID 23: "Remote Desktop Services: Session logoff succeeded". Event ID 25: "Remote Desktop Services: Session reconnection succeeded". Channels: Security. Event: 4624 (LogonType 10). Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational. Event: 1149. Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. Events: 21, 22, 23, 25. Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational. Event: 131. |
| ETW - Remote Desktop - Remote Desktop Gateway | Page | For Remote Desktop access through a Remote Desktop Gateway (a Windows Server role that implements Remote Desktop Protocol (RDP) over HTTPS). Main events: Channel: Microsoft-Windows-TerminalServices-Gateway/Operational. Event ID 200: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> met resource authorization policy [...] to access the TS Gateway server". Event ID 302: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> connected to <REMOTE_HOST_FQDN>". Event ID 303: "<DOMAIN>\<USERNAME> on client computer <SOURCE_IP> disconnected from <REMOTE_HOST_FQDN>. Before <DOMAIN>\<USERNAME> disconnected, the client transferred <BYTES_SENT> bytes and received <BYTES_RECEIVED> bytes. The client session duration was <SESSION_DURATION> seconds". Channels: Microsoft-Windows-TerminalServices-Gateway/Operational. Events: 200, 300, 302, 303, 308, 312, 313. |
| RDP - Processes | Page | The following processes are related to RDP activity: mstsc.exe: Windows built-in RDP client. The remote host may (but need not) be specified using the command-line parameter "/v:". rdpclip.exe: RDP Clipboard Monitor, executed on the remote host every time a remote interactive RDP session is successfully established. TSTheme.exe: TSTheme Server Module, starting with Windows 7, executed on the remote host every time a remote interactive RDP session is successfully established and again upon session closure. |