This note documents detection patterns related to RDP Abuse within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | Critical | Logon Type 10 = RDP (RemoteInteractive) |
| Security | 4625 | Failed logon | Critical | Brute-force attempts |
| Security | 4634 | Logoff | High | Session termination |
| Security | 4648 | Explicit credentials | High | Often used before lateral movement |
| Security | 4672 | Special privileges assigned | High | Admin-level session |
| Security | 4778 | Session reconnected | High | Existing session resumed |
| Security | 4779 | Session disconnected | High | Session closed |
| Security | 4688 | Process creation | Critical | Post-RDP execution |
| Sysmon | 1 | Process creation | Critical | mstsc.exe or attacker tooling |
| TerminalServices-LocalSessionManager | 21 | Session logon | Critical | RDP session established |
| TerminalServices-LocalSessionManager | 24 | Session disconnected | Critical | |
| TerminalServices-LocalSessionManager | 25 | Session reconnected | Critical | |
| TerminalServices-RemoteConnectionManager | 1149 | RDP authentication succeeded | Critical | VERY important pre-session indicator |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Logon Type 10 from rare source | New host/IP | Critical | Strong anomaly |
| Multiple 4625 → 4624 | Brute-force success | Critical | |
| Admin account via RDP | Privileged login | Critical | |
| RDP followed by tooling | cmd, powershell | Critical | Operator activity |
| Night login | Time anomaly | High | |
| Workstation → workstation | Lateral movement | High | |
| External IP RDP | Internet exposure | Critical | Very high risk |
| Short-lived sessions | Rapid connect/disconnect | Medium | Recon or failed ops |
Common Tools
| Tool | Usage |
|---|---|
| mstsc.exe | Native client |
| xfreerdp | Linux client |
| SharpRDP | Offensive automation |
| PowerShell | Enable/modify RDP |
| reg.exe | Registry changes |
| net.exe | User/group manipulation |
| nmap | RDP enumeration (3389) |
| Hydra | RDP brute-force |
Relevant Artifacts
Event Logs
- Security: 4624, 4625, 4634, 4648, 4672, 4688, 4778, 4779
- TerminalServices:
  - LocalSessionManager (21, 24, 25)
  - RemoteConnectionManager (1149)
File System
- Prefetch: MSTSC.EXE
- Recent files / JumpLists
- User profile artifacts (NTUSER.DAT)
Registry
- HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
- HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- fDenyTSConnections value under the Terminal Server key (0 = RDP enabled)
Network
- Port: TCP 3389
- Firewall rule changes
- Netflow / PCAP traces
Memory / EDR
- Session lineage
- Parent-child process chains
- Remote thread injections (post-login activity)
MITRE ATT&CK References
- T1021.001 Remote Desktop Protocol
- T1078 Valid Accounts
- T1110 Brute Force
- T1059 Command Execution
Decision Tree
- Was RDP session established?
  - 4624 (Type 10)
  - Event 1149
  - Session logs
- Source expected?
  - Admin host?
  - External IP?
  - Rare workstation?
- Account sensitive?
  - Admin
  - Service account
  - Dormant user
- Post-login activity?
  - Shell spawn
  - Registry edits
  - Service creation
- Expand scope
  - Failed attempts
  - Lateral movement
  - Other hosts
- Timeline correlation
  - Logon → Process → Persistence
Example Detection Templates
KQL
```kql
SecurityEvent
| where EventID == 4624 and LogonType == 10
| project TimeGenerated, Computer, Account, IpAddress
```
```kql
SecurityEvent
| where EventID == 4625 and LogonType == 10
| summarize count() by IpAddress, Account
```
```kql
// Event 1149 is written to the TerminalServices-RemoteConnectionManager
// operational log, not the Security log, so it is not in SecurityEvent;
// query the Event table and filter on the source log instead.
Event
| where EventLog == "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    and EventID == 1149
| project TimeGenerated, Computer, RenderedDescription
```
EQL
```eql
authentication where event.code == "4624" and winlog.logon.type == "10"
```
```eql
sequence by host.name with maxspan=5m
  [ authentication where event.code == "4624" ]
  [ process where process.name in ("cmd.exe","powershell.exe","reg.exe") ]
```
Sigma
```yaml
title: Suspicious RDP Logon
id: rdp-4624-detect
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 10
  condition: selection
level: high
```
Network Detection (Snort)
```snort
alert tcp any any -> any 3389 (msg:"RDP Connection Attempt"; flow:to_server,established; sid:1000001; rev:1;)
alert tcp any any -> any 3389 (msg:"Possible RDP Brute Force"; threshold:type both, track by_src, count 5, seconds 60; sid:1000002; rev:1;)
```
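The KQL/EQL templates above and the decision tree's timeline-correlation step, expressed as Python correlation logic over constructed Security-log records (an added example, not part of the original note): it flags a 4625 burst followed by a Type 10 4624 from the same source and account, and a Type 10 logon followed within five minutes by a 4688 for operator tooling. The record layout, field names and sample values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample Security-log records: (time, EventID, LogonType, Account, IpAddress, NewProcessName)
SAMPLE_EVENTS = [
    ("2024-03-01T02:00:01", 4625, 10, "admin", "203.0.113.7", None),
    ("2024-03-01T02:00:05", 4625, 10, "admin", "203.0.113.7", None),
    ("2024-03-01T02:00:09", 4625, 10, "admin", "203.0.113.7", None),
    ("2024-03-01T02:00:14", 4625, 10, "admin", "203.0.113.7", None),
    ("2024-03-01T02:00:20", 4625, 10, "admin", "203.0.113.7", None),
    ("2024-03-01T02:00:31", 4624, 10, "admin", "203.0.113.7", None),
    ("2024-03-01T02:01:10", 4688, None, "admin", None, "powershell.exe"),
    ("2024-03-01T09:15:00", 4624, 10, "jdoe", "10.0.0.5", None),
    ("2024-03-01T09:15:30", 4688, None, "jdoe", None, "explorer.exe"),
]
TOOLING = {"cmd.exe", "powershell.exe", "reg.exe"}  # operator tooling from the EQL template

def _ordered(events):
    # Parse tuples into dicts and sort by time, as a SIEM does before correlating.
    rows = [dict(zip(("ts", "id", "type", "acct", "ip", "proc"), e)) for e in events]
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(rows, key=lambda r: r["ts"])

def brute_force_success(events, threshold=5, window=timedelta(minutes=1)):
    """RDP 4625 burst (>= threshold within window) then 4624 Type 10 from the same source/account."""
    failures, hits = defaultdict(list), []
    for e in _ordered(events):
        if e["type"] != 10:          # only RemoteInteractive logon attempts matter here
            continue
        key = (e["ip"], e["acct"])
        if e["id"] == 4625:
            failures[key].append(e["ts"])
        elif e["id"] == 4624:
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append({"ip": e["ip"], "acct": e["acct"], "failures": len(recent)})
    return hits

def rdp_then_tooling(events, maxspan=timedelta(minutes=5)):
    """4624 Type 10 followed within maxspan by 4688 for shell/registry tooling under the same account."""
    last_rdp, hits = {}, []
    for e in _ordered(events):
        if e["id"] == 4624 and e["type"] == 10:
            last_rdp[e["acct"]] = e   # remember the most recent RDP logon per account
        elif e["id"] == 4688 and e["proc"] in TOOLING:
            logon = last_rdp.get(e["acct"])
            if logon and e["ts"] - logon["ts"] <= maxspan:
                hits.append({"acct": e["acct"], "ip": logon["ip"], "proc": e["proc"]})
    return hits
```

On the sample data only the admin chain fires: five failures inside 60 seconds, then a successful Type 10 logon, then powershell.exe 39 seconds later; jdoe's explorer.exe launch is not flagged.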
Mitigation & Hardening
| Control | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Restrict RDP | Limit access | Critical | |
| MFA | Enforce MFA | Critical | |
| Disable external RDP | VPN only | Critical | |
| Account lockout | Prevent brute force | High | |
| Monitor logs | Alert on anomalies | Critical | |
| Admin segmentation | Jump hosts | High | |
| NLA enforcement | Pre-auth protection | High | |
Key Insight
RDP abuse is rarely just a login event — it is a chain: Authentication → Session → Execution → Persistence
Always correlate across:
- Logs
- Network
- File system
- Process activity