Terminal Services / RDP Event Logs

Tags: Windows | Authentication & Access | Disk Image | SIEM / Log Aggregator

Location

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Description

Remote Desktop Services event logs capturing RDP session lifecycle events. Event 1149 records successful network-level authentication with source IP and username. Events 21/22/23/24/25 track session logon, reconnect, and disconnect states.

Forensic Value

RDP is the most common lateral movement mechanism in enterprise breaches. Event 1149 provides the remote IP address of every successful RDP authentication, directly proving which machine an attacker pivoted from. Session disconnect and reconnect events reconstruct the duration of attacker interactive access on each host. Correlating these with Security 4624 Type 10 events validates the complete lateral movement chain.

Tools Required

KAPE | EvtxECmd (Eric Zimmerman) | Event Log Explorer | Chainsaw

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target EventLogs

EvtxECmd

EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" --csv C:\output --csvf RDP_LocalSession.csv

PowerShell

# Event 1149 is written to the RemoteConnectionManager/Operational log, not LocalSessionManager,
# so filtering LocalSessionManager for Id 1149 returns nothing. Export 1149 from its own log and the
# 21-25 session events from LocalSessionManager; -FilterHashtable filters server-side instead of piping every record.
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"; Id = 1149 } | Export-Csv C:\output\rdp_auth.csv -NoTypeInformation
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"; Id = 21,22,23,24,25 } | Export-Csv C:\output\rdp_sessions.csv -NoTypeInformation
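
The script below is an added example, not part of the original artifact card and not code from KAPE, EvtxECmd or any other tool listed above. It carries the correlation described under Forensic Value through in PowerShell: session start (21/25) and end (23/24) pairs from the LocalSessionManager log give each interactive interval and its duration, each interval is then checked for a matching 1149 (which is written to the RemoteConnectionManager log) and a Security 4624 with LogonType 10 from the same source IP. The directory layout under C:\output, the 120-second pairing window, and the output file name rdp_sessions.csv are assumptions; console sessions (Address = LOCAL) are dropped because 21/23/24 also fire for local logons.

```powershell
# Added example: reconstruct RDP session intervals from collected .evtx files and
# validate each against 1149 (RemoteConnectionManager) and Security 4624 / LogonType 10.
# Not part of the original artifact card. Paths and the pairing window are assumptions.
param(
    [string]$LogDir = "C:\output\C\Windows\System32\winevt\Logs",  # assumed KAPE output layout
    [int]$WindowSeconds = 120                                      # assumed pairing tolerance
)

$lsmLog = Join-Path $LogDir "Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx"
$rcmLog = Join-Path $LogDir "Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx"
$secLog = Join-Path $LogDir "Security.evtx"

# Text of the first element with the given local name, ignoring the event XML namespace.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    $node = $Xml.SelectSingleNode("//*[local-name()='$Name']")
    if ($node) { $node.InnerText.Trim() } else { $null }
}

# Security events store fields as <Data Name="...">; select by the Name attribute.
function Get-EventData {
    param([xml]$Xml, [string]$Name)
    $node = $Xml.SelectSingleNode("//*[local-name()='Data'][@Name='$Name']")
    if ($node) { $node.InnerText.Trim() } else { $null }
}

# 1149: Param1 = user, Param2 = domain, Param3 = source network address.
$rcmEvents = Get-WinEvent -FilterHashtable @{ Path = $rcmLog; Id = 1149 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{ Time = $_.TimeCreated; User = (Get-EventField $x 'Param1')
                           Domain = (Get-EventField $x 'Param2'); Source = (Get-EventField $x 'Param3') }
    }

# LocalSessionManager: 21 logon, 25 reconnect (starts); 23 logoff, 24 disconnect (ends).
$lsmEvents = Get-WinEvent -FilterHashtable @{ Path = $lsmLog; Id = 21,23,24,25 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = (Get-EventField $x 'User')
                           SessionId = (Get-EventField $x 'SessionID'); Source = (Get-EventField $x 'Address') }
    } | Where-Object { $_.Source -and $_.Source -ne 'LOCAL' } | Sort-Object Time

# 4624 with LogonType 10 (RemoteInteractive) is the authoritative logon record for RDP.
$rdpLogons = Get-WinEvent -FilterHashtable @{ Path = $secLog; Id = 4624 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        if ((Get-EventData $x 'LogonType') -eq '10') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = (Get-EventData $x 'TargetUserName')
                               Source = (Get-EventData $x 'IpAddress'); LogonId = (Get-EventData $x 'TargetLogonId') }
        }
    }

# Pair every start with the next end for the same session id, then look for the
# corroborating 1149 and 4624 records from the same source within the window.
$sessions = foreach ($start in ($lsmEvents | Where-Object { $_.Id -in 21,25 })) {
    $end = $lsmEvents |
        Where-Object { $_.Id -in 23,24 -and $_.SessionId -eq $start.SessionId -and $_.Time -gt $start.Time } |
        Select-Object -First 1
    $nla = $rcmEvents | Where-Object {
        $_.Source -eq $start.Source -and [math]::Abs(($_.Time - $start.Time).TotalSeconds) -le $WindowSeconds } |
        Select-Object -First 1
    $logon = $rdpLogons | Where-Object {
        $_.Source -eq $start.Source -and [math]::Abs(($_.Time - $start.Time).TotalSeconds) -le $WindowSeconds } |
        Select-Object -First 1
    [pscustomobject]@{
        Start         = $start.Time
        End           = if ($end) { $end.Time } else { $null }          # null = still open at log end
        DurationMin   = if ($end) { [math]::Round(($end.Time - $start.Time).TotalMinutes, 1) } else { $null }
        Kind          = if ($start.Id -eq 21) { 'Logon' } else { 'Reconnect' }
        User          = $start.User
        SessionId     = $start.SessionId
        SourceIp      = $start.Source
        Has1149       = [bool]$nla
        Has4624Type10 = [bool]$logon
        LogonId       = if ($logon) { $logon.LogonId } else { $null }
    }
}

$sessions | Sort-Object Start | Format-Table -AutoSize
$sessions | Export-Csv -Path (Join-Path $LogDir 'rdp_sessions.csv') -NoTypeInformation
```

A row with Has4624Type10 false but Has1149 true usually means the connection reached the logon screen without completing authentication, or that the Security log had rolled over; a row with neither corroborating event on a host where both logs were enabled is worth re-checking against the Collection Constraints below rather than being read as a gap in attacker activity. To run against a live host instead of collected files, replace each Path key with LogName and the channel names used in the one-liners above.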

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
  • Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

MITRE ATT&CK Techniques

T1021.001 (Remote Services: Remote Desktop Protocol) | T1078 (Valid Accounts)