Channel:

Microsoft-Windows-TerminalServices-RDPClient/Operational.
Events: 1024, 1029, 1102.

Overview

| Channel | Conditions | Events |
|---|---|---|
| Microsoft-Windows-TerminalServices-RDPClient/Operational | Default configuration. | Event 1024: RDP ClientActiveX is trying to connect to the server (<HOSTNAME>). |
| Microsoft-Windows-TerminalServices-RDPClient/Operational | Default configuration. | Event 1102: The client has initiated a multi-transport connection to the server <IP>. |
| Microsoft-Windows-TerminalServices-RDPClient/Operational | Default configuration. | Event 1029: Base64(SHA256(UserName)) is = <HASH>. |

This CyberChef formula can be used to compute the hash.
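The same computation in Python, as an added example that is not part of the original page: it rebuilds the event 1029 value for a list of known account names so that a logged hash can be attributed to a user name. It assumes the user name is hashed as UTF-16LE bytes exactly as typed (the page does not state the encoding); the account names, the `CORP` domain, the list of spelling variants and the trailing `-` handling are also assumptions.

```python
import base64
import hashlib

def rdp_username_hash(username: str) -> str:
    """Return Base64(SHA256(UserName)) in the form event 1029 logs it.

    Assumption: the user name is hashed as UTF-16LE bytes, exactly as typed.
    """
    digest = hashlib.sha256(username.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")

def normalise_logged_hash(value: str) -> str:
    # Assumption: a copied event message may carry whitespace or a trailing
    # '-'. '-' is not in the standard Base64 alphabet, so stripping is safe.
    return value.strip().rstrip("-")

def candidate_forms(account: str, domains=()):
    """Yield spellings a user might have typed (hypothetical variant list)."""
    for name in dict.fromkeys((account, account.lower(), account.upper())):
        yield name
        for domain in domains:
            yield f"{domain}\\{name}"
            yield f"{name}@{domain}"

def match_event_hashes(logged_hashes, accounts, domains=()):
    """Map each logged hash to the candidate spelling producing it, or None."""
    lookup = {}
    for account in accounts:
        for form in candidate_forms(account, domains):
            lookup.setdefault(rdp_username_hash(form), form)
    return {h: lookup.get(normalise_logged_hash(h)) for h in logged_hashes}

# Constructed sample values standing in for <HASH> fields from event 1029.
SAMPLE_LOGGED = [
    rdp_username_hash("CORP\\jdoe") + "-",  # copied with a trailing '-'
    rdp_username_hash("not-in-inventory"),
]

if __name__ == "__main__":
    matches = match_event_hashes(SAMPLE_LOGGED, ["jdoe", "asmith"], ["CORP"])
    for logged, user in matches.items():
        print(f"{logged} -> {user or 'no match'}")
```

The hash is unsalted, so the same typed user name always yields the same value; a hash with no match means the typed name is not among the candidate spellings.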

For each event in the Microsoft-Windows-TerminalServices-RDPClient/Operational channel, the domain and SID of the user initiating the Remote Desktop connection are logged.


