Channels:

Security
Event: 4624 (LogonType 10).

Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Event: 1149.

Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Events: 21, 22, 23, 24, 25.

Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Event: 1158.

Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
Event: 131.

Overview

Channel: Security
Conditions: Default configuration. Also logged for other logon types (Network, Console, Batch, Service, …).
Event 4624: An account was successfully logged on, with LogonType 10.

Channel: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Conditions: Default configuration.
Event 1149: Remote Desktop Services: User authentication succeeded.
Indicates access to the Windows login screen, not necessarily a successful session opening. If Network Level Authentication (NLA) is required, however, this event is only generated upon successful authentication.

Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Conditions: Default configuration.
Event 21: Remote Desktop Services: Session logon succeeded.
Information of interest: user logging in, source network address, and RDP session ID.

Event 22: Remote Desktop Services: Shell start notification received.
Information of interest: user logging in, source network address, and RDP session ID.

Event 23: Remote Desktop Services: Session logoff succeeded.
Information of interest: user logging in and RDP session ID.

Event 24: Remote Desktop Services: Session has been disconnected.
If no event 23 (session logoff succeeded) is associated with this event, the session was only “disconnected”, not closed. On a session disconnect (triggered by closing the RDP client window or using the “Disconnect” sign-out option), running processes and open windows are preserved.
Information of interest: user logging in, source network address, and RDP session ID.

Event 25: Remote Desktop Services: Session reconnection succeeded.
Logged upon reconnection of a disconnected session. Could indicate that a malicious actor gained access to the running processes and program state of a session legitimately started by a user.
Information of interest: user logging in, source network address, and RDP session ID.

Events with a source network address set to LOCAL can sometimes be generated for console (non-Remote Desktop) logins.

Channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
Conditions: Introduced in Windows Server 2012. Default configuration.
Event 131: The server accepted a new TCP connection from client <IP>.
Only indicates network access to the Remote Desktop service, not an authentication or a session.
Information of interest: source network address.

Channel: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Conditions: Default configuration.
Event 1158: Remote Desktop Services accepted a connection from IP address <IP>.
Only indicates network access to the Remote Desktop service, not an authentication or a session.
Information of interest: source network address.

ngrok tunnel - 16777216

A Source Network Address of ::%16777216 in the Microsoft-Windows-TerminalServices-LocalSessionManager and Microsoft-Windows-TerminalServices-RemoteConnectionManager events could indicate that an ngrok tunnel was used for the Remote Desktop access.
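As an added example (not code from this page or from the KAPE LogParser module), the following Python correlates the LocalSessionManager events described in the Overview by RDP session ID into a per-session summary, and flags the ngrok source-address marker, a source-address change on reconnect, a disconnect that was never followed by a logoff, and a LOCAL source address. The event records are constructed sample data in an assumed field layout (time, channel, id, user, address, session), such as one would have after extracting the EVTX to CSV.

```python
from collections import defaultdict

LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
NGROK_MARKER = "::%16777216"  # source address seen when an ngrok tunnel fronts RDP

# Constructed sample events (not real log entries), in an assumed extracted layout.
SAMPLE_EVENTS = [
    {"time": "2023-05-01T08:00:00", "channel": LSM, "id": 21, "user": "CORP\\alice", "address": "10.0.0.5", "session": 2},
    {"time": "2023-05-01T08:00:02", "channel": LSM, "id": 22, "user": "CORP\\alice", "address": "10.0.0.5", "session": 2},
    {"time": "2023-05-01T12:00:00", "channel": LSM, "id": 24, "user": "CORP\\alice", "address": "10.0.0.5", "session": 2},
    {"time": "2023-05-01T23:10:00", "channel": LSM, "id": 25, "user": "CORP\\alice", "address": "::%16777216", "session": 2},
    {"time": "2023-05-01T23:40:00", "channel": LSM, "id": 24, "user": "CORP\\alice", "address": "::%16777216", "session": 2},
    {"time": "2023-05-02T09:00:00", "channel": LSM, "id": 21, "user": "CORP\\bob", "address": "LOCAL", "session": 1},
    {"time": "2023-05-02T17:00:00", "channel": LSM, "id": 23, "user": "CORP\\bob", "address": "", "session": 1},
]

def build_session_timeline(events):
    """Group LocalSessionManager events by RDP session ID and derive each session's
    state: logon/logoff time, disconnect and reconnect counts, source addresses
    seen, and review flags (ngrok marker, address change, dangling disconnect)."""
    sessions = defaultdict(lambda: {"user": None, "logon": None, "logoff": None,
                                    "disconnects": 0, "reconnects": 0,
                                    "addresses": [], "flags": []})
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["channel"] != LSM:
            continue  # only LSM events expose an RDP session ID to correlate on
        s = sessions[ev["session"]]
        s["user"] = s["user"] or ev["user"]
        addr = ev["address"]
        if addr and addr not in s["addresses"]:
            s["addresses"].append(addr)  # event 23 carries no source address
        if ev["id"] == 21:
            s["logon"] = ev["time"]
        elif ev["id"] == 23:
            s["logoff"] = ev["time"]
        elif ev["id"] == 24:
            s["disconnects"] += 1
        elif ev["id"] == 25:
            s["reconnects"] += 1
    for s in sessions.values():
        if NGROK_MARKER in s["addresses"]:
            s["flags"].append("possible ngrok tunnel")
        if len(s["addresses"]) > 1:
            s["flags"].append("reconnected from a different source address")
        if s["disconnects"] and not s["logoff"]:
            s["flags"].append("disconnected but never logged off (processes preserved)")
        if s["addresses"] == ["LOCAL"]:
            s["flags"].append("LOCAL source: possibly a console logon, not RDP")
    return dict(sessions)
```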

Tool(s)

The KAPE LogParser module LogParser_RDPUsageEvents can be used to parse EVTX files and extract the Remote Desktop events listed above into a CSV timeline.
