Attackers increasingly clear or tamper with the Security event log on compromised machines, and an RDP session does not always appear there as a simple Type 10 logon. With Network Level Authentication (NLA) enabled, the credential check is recorded as a Type 3 (Network) logon, so failed RDP attempts show up as 4625 events with Logon Type 3 and the Type 10 4624 only follows once the session is actually created; reconnecting to a disconnected session is recorded as 4778 (and Event 25 in the Local Session Manager log) rather than a new Event 21. RDP activity therefore leaves traces across several logs as the connection, authentication, session and process lifecycle pass through different components, which is why the TerminalServices operational logs in the table below matter as much as Security.evtx.
RDP Event IDs, Description and Event Specifications:
| Event ID | Description | Event Location | Event specifications | Win 10 | Win 8.1 | Win 7 | Win 2008 | Win 2012 | Win 2016 |
|---|---|---|---|---|---|---|---|---|---|
| 21 | Remote Desktop Services: Session logon succeeded | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Logon | Yes | Yes | Yes | Yes | Yes | Yes |
| 22 | Remote Desktop Services: Shell start notification received | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Logon | Yes | Yes | Yes | Yes | Yes | Yes |
| 23 | Remote Desktop Services: Session logoff succeeded | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Logoff | Yes | Yes | Yes | Yes | Yes | Yes |
| 24 | Remote Desktop Services: Session has been disconnected | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Terminal Service – Local Session | Yes | Yes | Yes | Yes | Yes | Yes |
| 25 | Remote Desktop Services: Session reconnection succeeded | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Terminal Service – Local Session | Yes | Yes | Yes | Yes | Yes | Yes |
| 39 | Session <X> has been disconnected by session <Y> | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Session Disconnect or Reconnect | Yes | Yes | Yes | Yes | Yes | Yes |
| 40 | Session <X> has been disconnected, reason code <Z> | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Session Disconnect or Reconnect | Yes | Yes | Yes | Yes | Yes | Yes |
| 98 | A TCP connection has been successfully established | Applications and Services Logs\Microsoft\Windows\RemoteDesktopServices-RDPCoreTS\Operational | – | Yes | – | – | – | – | Yes |
| 131 | The server accepted a new TCP connection from client <ipAddress> | Applications and Services Logs\Microsoft\Windows\RemoteDesktopServices-RDPCoreTS\Operational | – | Yes | – | – | – | Yes | Yes |
| 140 | Connection failed; bad username or password | Applications and Services Logs\Microsoft\Windows\RemoteDesktopServices-RDPCoreTS\Operational | – | Yes | – | – | – | Yes | Yes |
| 226 | RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005) | Microsoft-Windows-TerminalServices-RDPClient/Operational | RDP State Transition | Yes | – | – | – | – | – |
| 261 | Listener RDP-Tcp received a connection | Applications and Services Logs\Microsoft\Windows\TerminalServices-RemoteConnectionManager\Operational | Terminal Service – Remote Connection | Yes | – | Yes | – | Yes | – |
| 1024 | The client has initiated a multi-transport connection to the server () | Applications and Services Logs\Microsoft\Windows\TerminalServices-ClientActiveXCore\TerminalServices-RDPClient\Operational | Connection Sequence | Yes | – | Yes | – | Yes | – |
| 1025 | RDP ClientActiveX has connected to the server | Applications and Services Logs\Microsoft\Windows\TerminalServices-ClientActiveXCore\TerminalServices-RDPClient\Operational | Connection Sequence | Yes | – | Yes | – | Yes | – |
| 1026 | RDP ClientActiveX has been disconnected (Reason=<no.>) | Applications and Services Logs\Microsoft\Windows\TerminalServices-ClientActiveXCore\TerminalServices-RDPClient\Operational | Connection Sequence | Yes | – | Yes | – | Yes | – |
| 1027 | Connected to domain (SERVER-xx) with session <X> | Applications and Services Logs\Microsoft\Windows\TerminalServices-ClientActiveXCore\TerminalServices-RDPClient\Operational | Connection Sequence | Yes | – | – | – | – | – |
| 1028 | The server supports SSL = supported | Applications and Services Logs\Microsoft\Windows\TerminalServices-ClientActiveXCore\TerminalServices-RDPClient\Operational | Connection Sequence | Yes | – | Yes | – | Yes | – |
| 1029 | Base64(SHA256(UserName)) is = [Base64-encoded SHA-256 hash of the user name] | Applications and Services Logs\Microsoft\Windows\TerminalServices-ClientActiveXCore\TerminalServices-RDPClient\Operational | Connection Sequence | Yes | – | Yes | – | Yes | – |
| 1102 | The client has initiated a multi-transport connection to the server <ipAddress> | Applications and Services Logs\Microsoft\Windows\TerminalServices-ClientActiveXCore\TerminalServices-RDPClient\Operational | Connection Sequence | Yes | Yes | Yes | Yes | Yes | Yes |
| 1103 | The client has established a multi-transport connection to the server | Applications and Services Logs\Microsoft\Windows\TerminalServices-ClientActiveXCore\TerminalServices-RDPClient\Operational | Connection Sequence | Yes | – | – | – | – | – |
| 1105 | The multi-transport connection has been disconnected | Applications and Services Logs\Microsoft\Windows\TerminalServices-ClientActiveXCore\TerminalServices-RDPClient\Operational | Connection Sequence | Yes | Yes | Yes | Yes | Yes | Yes |
| 1149 | User authentication succeeded | Applications and Services Logs\Microsoft\Windows\TerminalServices-RemoteConnectionManager\Operational | Network Connection | Yes | Yes | Yes | Yes | Yes | Yes |
| 1158 | Remote Desktop Services accepted a connection from IP address <ipAddress> | Applications and Services Logs\Microsoft\Windows\TerminalServices-RemoteConnectionManager\Operational | Terminal Service – Remote Connection | Yes | – | – | – | – | – |
| 1401 | The server is using version 0xA0502 of the RDP graphics protocol (client mode: 0, AVC available: 1) | Applications and Services Logs\Microsoft\Windows\TerminalServices-ClientActiveXCore\TerminalServices-RDPClient\Operational | RDP Client Pipeline workspace | Yes | – | – | – | – | – |
| 1403 | The client is using software memory for the frame buffer | Applications and Services Logs\Microsoft\Windows\TerminalServices-ClientActiveXCore\TerminalServices-RDPClient\Operational | RDP Client Pipeline workspace | Yes | – | – | – | – | – |
| 4624 | An account was successfully logged on | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Authentication | Yes | Yes | Yes | Yes | Yes | Yes |
| 4625 | An account failed to log on | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Authentication | Yes | Yes | Yes | Yes | Yes | Yes |
| 4634 | An account was logged off | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Logoff | Yes | Yes | Yes | Yes | Yes | Yes |
| 4647 | User initiated logoff | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Logoff | Yes | Yes | Yes | Yes | Yes | Yes |
| 4648 | A logon was attempted using explicit credentials | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Logon | Yes | Yes | Yes | Yes | Yes | Yes |
| 4656 | A handle to an object was requested | %SystemRoot%\System32\Winevt\Logs\Security.evtx | File System | Yes | Yes | Yes | Yes | Yes | Yes |
| 4658 | The handle to an object was closed | %SystemRoot%\System32\Winevt\Logs\Security.evtx | File System | Yes | Yes | Yes | Yes | Yes | Yes |
| 4663 | An attempt was made to access an object | %SystemRoot%\System32\Winevt\Logs\Security.evtx | File System | Yes | Yes | Yes | Yes | Yes | Yes |
| 4688 | A new process has been created | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Process Creation | Yes | Yes | Yes | Yes | Yes | Yes |
| 4689 | A process has exited | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Process Termination | Yes | Yes | Yes | Yes | Yes | Yes |
| 4778 | A session was reconnected to a Window Station | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Other Logon/Logoff | Yes | Yes | Yes | Yes | Yes | Yes |
| 4779 | A session was disconnected from a Window Station | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Other Logon/Logoff | Yes | Yes | Yes | Yes | Yes | Yes |
| 5058 | Key file operation | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Other System Events | Yes | Yes | Yes | Yes | Yes | Yes |
| 5059 | Key migration operation | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Other System Events | Yes | Yes | Yes | Yes | Yes | Yes |
| 5061 | Cryptographic operation | %SystemRoot%\System32\Winevt\Logs\Security.evtx | System Integrity | Yes | Yes | Yes | Yes | Yes | Yes |
| 5156 | The Windows Filtering Platform has permitted a connection | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Filtering Platform Connection | Yes | Yes | Yes | Yes | Yes | Yes |
| 5158 | The Windows Filtering Platform has permitted a bind to a local port | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Filtering Platform Connection | Yes | Yes | Yes | Yes | Yes | Yes |
| 9009 | The Desktop Window Manager has exited with code (<X>) | %SystemRoot%\System32\Winevt\Logs\System.evtx | Desktop Window Manager | Yes | Yes | Yes | Yes | Yes | Yes |
Two caveats when reading this table. The rows from TerminalServices-RDPClient/Operational (226, 1024 to 1029, 1102 to 1105, 1401 and 1403) are written on the client, the machine the connection was launched from, so they show where an operator pivoted from; every other row is written on the target host. Event 1149 means a connection reached the Remote Connection Manager and was accepted at the network level; despite its description it is not on its own proof that the credentials were accepted, so confirm a successful logon with 4624 Logon Type 10 and Local Session Manager Event 21 or 25.
Disconnect reason codes (the reason code <Z> in Event ID 40 and the Reason= value in Event ID 1026):
| Code | Description |
|---|---|
| 0 | No additional information is available |
| 1 | An application initiated the disconnection |
| 2 | An application logged off the client |
| 3 | The server has disconnected the client because the client has been idle for a period of time longer than the designated time-out period |
| 4 | The server has disconnected the client because the client has exceeded the period designated for connection |
| 5 | The client's connection was replaced by another connection |
| 6 | No memory is available |
| 7 | The server denied the connection |
| 8 | The server denied the connection for security reasons |
| 9 | The server denied the connection for security reasons |
| 10 | Fresh credentials are required |
| 11 | User activity has initiated the disconnect |
| 12 | The user logged off, disconnecting the session |
| 256 | Internal licensing error |
| 257 | No license server was available |
| 258 | No valid software license was available |
| 259 | The remote computer received a licensing message that was not valid |
| 260 | The hardware ID does not match the one designated on the software license |
| 261 | Client license error |
| 262 | Network problems occurred during the licensing protocol |
| 263 | The client ended the licensing protocol prematurely |
| 264 | A licensing message was encrypted incorrectly |
| 265 | The local computer's client access license could not be upgraded or renewed |
| 266 | The remote computer is not licensed to accept remote connections |
| 267 | An access denied error was received while creating a registry key for the license store |
| 768 | Invalid credentials were encountered |
For a successful RDP logon, use the Event ID 4624 Logon Type (table below) to identify the logon service or mode. Type 10 is the interactive RDP session itself; with NLA it is preceded by a Type 3 logon for the credential check.
Event ID 4624 – Logon types
| Logon Type | Logon Title | Description |
|---|---|---|
| 2 | Interactive | A user logged on to this computer |
| 3 | Network | A user or computer logged on to this computer from the network |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention |
| 5 | Service | A service was started by the Service Control Manager |
| 7 | Unlock | This workstation was unlocked |
| 8 | Network Cleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext) |
| 9 | New Credentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections |
| 10 | Remote Interactive | A user logged on to this computer remotely using Terminal Services or Remote Desktop |
| 11 | Cached Interactive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials |
For a failed RDP logon, use the Event ID 4625 Status and Sub Status codes (table below) to determine why the logon failed. Status is usually the generic 0xC000006D; the specific reason is in Sub Status, and with NLA these failures are recorded with Logon Type 3.
Event ID 4625 – Status and Sub Status codes for a failed logon
| Status / Sub Status Code | Description |
|---|---|
| 0xC000005E | There are currently no logon servers available to service the logon request |
| 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password |
| 0xC000006D | The cause is either a bad username or authentication information |
| 0xC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions) |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
| 0xC0000071 | User logon with expired password |
| 0xC0000072 | User logon to account disabled by administrator |
| 0xC00000DC | Indicates the SAM server was in the wrong state to perform the desired operation |
| 0xC0000133 | Clocks between DC and other computer too far out of sync |
| 0xC000015B | The user has not been granted the requested logon type (also called the logon right) at this machine |
| 0xC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed |
| 0xC0000192 | An attempt was made to log on, but the Net Logon service was not started |
| 0xC0000193 | User logon with expired account |
| 0xC0000224 | User is required to change password at next logon |
| 0xC0000225 | Evidently a bug in Windows and not a risk |
| 0xC0000234 | User logon with account locked |
| 0xC00002EE | Failure Reason: An error occurred during logon |
| 0xC0000413 | Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine |
| 0x0 | Status OK |
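The three tables above (event IDs, 4624 logon types, 4625 status codes) are meant to be used together when an RDP session is reconstructed. The following is an added example, not code from the original page, that does exactly that over exported event XML: it parses both the Security-log EventData shape and the TerminalServices UserData/EventXML shape, prints a chronological timeline that decodes logon types and 4625 Sub Status codes, and flags a source IP whose run of 4625 failures is followed by a Type 10 4624 (password guessing that succeeded). All records, the CORP domain, WS01 and the 203.0.113.7 address are constructed for the example; the lookup dictionaries are subsets of the page's tables, and the Param1/Param2/Param3 names for Event 1149 follow the Remote Connection Manager's EventXML layout.

```python
"""Offline triage of exported Windows events for RDP activity. Added example, not code
from the original page; the records at the bottom are constructed, not captured."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LSM_CHANNEL = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
RCM_CHANNEL = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
# Subsets of the page's tables, keyed the way the values appear in event XML.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "7": "Unlock", "10": "RemoteInteractive", "11": "CachedInteractive"}
SUBSTATUS = {"0xc0000064": "bad user account", "0xc000006a": "bad password", "0xc000006f": "outside authorized hours",
             "0xc0000071": "expired password", "0xc0000072": "account disabled", "0xc0000234": "account locked"}
LSM_EVENTS = {21: "session logon", 22: "shell start", 23: "session logoff", 24: "session disconnected", 25: "session reconnected"}


def parse_event(xml_text):
    """Flatten one <Event> record (wevtutil /f:xml or .ToXml() shape) into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {"id": int(system.find("e:EventID", NS).text),
           "channel": system.find("e:Channel", NS).text,
           "time": system.find("e:TimeCreated", NS).get("SystemTime")}
    for d in root.iterfind(".//e:EventData/e:Data", NS):      # Security log: <Data Name=...>
        rec[d.get("Name")] = (d.text or "").strip()
    user_data = root.find("e:UserData", NS)                    # TerminalServices logs: <EventXML><Field>
    if user_data is not None:
        for el in user_data.iter():
            if len(el) == 0 and el.text:
                rec[el.tag.rsplit("}", 1)[-1]] = el.text.strip()
    return rec


def describe(ev):
    """One timeline line for an RDP-relevant event, or None for everything else."""
    eid, ch = ev["id"], ev["channel"]
    if ch == "Security" and eid == 4624:
        lt = ev.get("LogonType", "?")
        return (f"4624 {LOGON_TYPES.get(lt, 'type ' + lt)} logon: "
                f"{ev.get('TargetDomainName')}\\{ev.get('TargetUserName')} from {ev.get('IpAddress')}")
    if ch == "Security" and eid == 4625:
        sub = ev.get("SubStatus", "").lower()                  # Sub Status carries the specific reason
        return f"4625 failed logon: {ev.get('TargetUserName')} from {ev.get('IpAddress')} ({SUBSTATUS.get(sub, 'substatus ' + sub)})"
    if ch == "Security" and eid in (4778, 4779):
        verb = "reconnected" if eid == 4778 else "disconnected"
        return f"{eid} session {verb}: {ev.get('AccountName')} from {ev.get('ClientName')} ({ev.get('ClientAddress')})"
    if ch == LSM_CHANNEL and eid in LSM_EVENTS:
        return f"{eid} {LSM_EVENTS[eid]}: {ev.get('User')} session {ev.get('SessionID')} from {ev.get('Address')}"
    if ch == RCM_CHANNEL and eid == 1149:
        # 1149 records a connection reaching RCM; by itself it is not proof the credentials were accepted.
        return f"1149 RDP connection from {ev.get('Param3')} as {ev.get('Param1')} (not an authenticated logon)"
    return None


def rdp_timeline(events):
    """Chronological describe() lines, dropping events that are not RDP-relevant."""
    lines = (describe(ev) for ev in sorted(events, key=lambda e: e["time"]))
    return [line for line in lines if line]


def brute_force_then_success(events, threshold=3):
    """Source IPs with >= threshold 4625s followed by a 4624 Type 10 from the same IP."""
    failures, hits = Counter(), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["channel"] != "Security":
            continue
        ip = ev.get("IpAddress")
        if ev["id"] == 4625:
            failures[ip] += 1
        elif ev["id"] == 4624 and ev.get("LogonType") == "10" and failures[ip] >= threshold:
            hits[ip] = (failures[ip], ev.get("TargetUserName"))
    return hits


def _event(eid, t, channel, fields):
    """Constructed sample record: EventData for Security, UserData/EventXML for TerminalServices logs."""
    if channel == "Security":
        body = "<EventData>" + "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in fields.items()) + "</EventData>"
    else:
        body = "<UserData><EventXML xmlns='Event_NS'>" + "".join(f"<{k}>{v}</{k}>" for k, v in fields.items()) + "</EventXML></UserData>"
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{eid}</EventID><Channel>{channel}</Channel>"
            f"<TimeCreated SystemTime='{t}'/></System>{body}</Event>")


# Constructed scenario (not real logs): password guessing from 203.0.113.7, then a successful NLA
# credential check (4624 Type 3), 1149, session creation (4624 Type 10, LSM 21) and a disconnect.
T = "2024-03-01T09:00:{:02d}.000Z".format
SRC = "203.0.113.7"
SAMPLE_XML = [
    *[_event(4625, T(i), "Security", {"TargetUserName": "administrator", "IpAddress": SRC, "LogonType": "3",
                                      "SubStatus": "0xC000006A"}) for i in (1, 2, 3)],
    _event(4625, T(4), "Security", {"TargetUserName": "backup", "IpAddress": SRC, "LogonType": "3", "SubStatus": "0xC0000064"}),
    _event(4624, T(5), "Security", {"TargetDomainName": "CORP", "TargetUserName": "administrator", "IpAddress": SRC, "LogonType": "3"}),
    _event(1149, T(6), RCM_CHANNEL, {"Param1": "administrator", "Param2": "CORP", "Param3": SRC}),
    _event(4624, T(7), "Security", {"TargetDomainName": "CORP", "TargetUserName": "administrator", "IpAddress": SRC, "LogonType": "10"}),
    _event(21, T(8), LSM_CHANNEL, {"User": "CORP\\administrator", "SessionID": "2", "Address": SRC}),
    _event(24, T(9), LSM_CHANNEL, {"User": "CORP\\administrator", "SessionID": "2", "Address": SRC}),
    _event(4779, T(9), "Security", {"AccountName": "administrator", "ClientName": "WS01", "ClientAddress": SRC}),
]
EVENTS = [parse_event(x) for x in SAMPLE_XML]

if __name__ == "__main__":
    print("\n".join(rdp_timeline(EVENTS)))
    print("brute force followed by success:", brute_force_then_success(EVENTS))
```

To run it against a real export, replace SAMPLE_XML with the records from `wevtutil qe Security /f:xml` and the two TerminalServices channels (each `<Event>` element as one string) and keep the rest unchanged; the threshold in brute_force_then_success is deliberately low for the sample and should be tuned to the host's normal failure rate.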