This event, logged to the Security channel, is recorded when an existing session is reconnected to; in practice that is most often an RDP terminal session, but it is also logged as a result of Fast User Switching. Fast User Switching, introduced in Windows XP and present in every later version, lets multiple users be logged on to a single system concurrently, each in their own session, and switching between those sessions reconnects them in the same way an RDP client does. On Vista and later the event is written only when the Audit Other Logon/Logoff Events subcategory (under Logon/Logoff) is enabled, which is not the default, so confirm the audit policy before concluding that the absence of this event means no RDP activity.
This event is particularly valuable for forensic analysis because, for RDP activity, it is logged on the destination endpoint and records the source of the RDP connection: the client-supplied host name and the client IP address.
Pre-Vista equivalent: Event ID 682 (Session reconnected to winstation).
- Behavioral - Lateral Movement (TA0008)
- Account - Login History
- Account - Logon ID
- Network Activity - Source Identification
- Windows 11
- Windows 10
- Windows 8
- Windows 7
- Windows Vista
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
%SystemRoot%\System32\Winevt\Logs\Security.evtx
This artifact can provide the source client name and IP address of the connecting endpoint, tied to the Logon ID of the session that was reconnected.
The fields may be interpreted as follows:
Field Name | Interpretation |
---|---|
Subject / Account Name | The name of the account that owns the reconnected session |
Subject / Logon ID | Logon ID for this session; correlate it with the 4624 logon (type 10 for RDP), the matching session-disconnect event (4779) and the eventual logoff to reconstruct the session timeline |
Additional Information / Session Name | The session being reconnected: RDP-Tcp#N for RDP, Console for a local Fast User Switching reconnect |
Additional Information / Client Name | The name of the source host as reported by the connecting client; it is supplied by the client software and is not verified by the destination, so treat it as an indicator, not proof |
Additional Information / Client Address | The IP address of the source host as seen by the destination (LOCAL for Fast User Switching) |
This event is not unique to RDP sessions. During Fast User Switching, it is logged with the Session Name set to Console and the Client Address set to LOCAL, and no remote source is involved. For RDP sessions the Session Name takes the form RDP-Tcp#1, where the number distinguishes connections on the RDP-Tcp listener, and the Client Address is the address the connection arrived from. Filtering on the Session Name prefix (or on a Client Address other than LOCAL) is therefore the quickest way to separate lateral-movement candidates from local console switching.
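The following is an added example, not code from the original page or from any tool the page describes. It parses Security channel records in the XML form produced by `Get-WinEvent`'s `ToXml()` (or an offline EVTX parser), keeps only the session-reconnect event (4778 on Vista and later), and splits RDP reconnects from Fast User Switching using the Session Name and Client Address rules described above. The EventData element names (AccountName, AccountDomain, LogonID, SessionName, ClientName, ClientAddress) follow the Security channel's schema for this event; the three log records are constructed samples, and the host names, account names and addresses in them are invented for illustration.

```python
"""Extract RDP reconnect sources from Security event 4778 records (added example)."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Windows event XML namespace, as emitted by Get-WinEvent's ToXml() or an EVTX parser.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SESSION_RECONNECTED = 4778  # Vista+ ID for this event (682 on pre-Vista systems)


@dataclass
class SessionReconnect:
    time: str
    computer: str
    account: str
    logon_id: str
    session_name: str
    client_name: str
    client_address: str

    @property
    def is_rdp(self) -> bool:
        # RDP sessions carry a listener-derived name such as RDP-Tcp#1.
        return self.session_name.upper().startswith("RDP-TCP")

    @property
    def is_fast_user_switch(self) -> bool:
        # Local console switching logs Session Name "Console" and Client Address "LOCAL".
        return self.session_name == "Console" and self.client_address == "LOCAL"

    @property
    def source_ip(self) -> Optional[str]:
        # Only remote reconnects carry a parseable address; "LOCAL" yields None.
        try:
            return str(ipaddress.ip_address(self.client_address))
        except ValueError:
            return None


def parse_event(xml_text: str) -> Optional[SessionReconnect]:
    """Return a SessionReconnect for a 4778 record, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id is None or int(event_id) != SESSION_RECONNECTED:
        return None
    # EventData is a flat list of <Data Name="..."> elements; index them by name.
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    time_el = root.find("e:System/e:TimeCreated", NS)
    return SessionReconnect(
        time=time_el.get("SystemTime", "") if time_el is not None else "",
        computer=root.findtext("e:System/e:Computer", default="", namespaces=NS),
        account=f"{data.get('AccountDomain', '')}\\{data.get('AccountName', '')}",
        logon_id=data.get("LogonID", ""),
        session_name=data.get("SessionName", ""),
        # ClientName is supplied by the connecting client and is not verified by the host.
        client_name=data.get("ClientName", ""),
        client_address=data.get("ClientAddress", ""),
    )


def rdp_sources(xml_records: List[str]) -> List[SessionReconnect]:
    """Keep only RDP reconnects, i.e. the records that name a remote source."""
    found = []
    for rec in xml_records:
        ev = parse_event(rec)
        if ev is not None and ev.is_rdp:
            found.append(ev)
    return found


def _record(event_id, account, logon_id, session, client, addr,
            time="2024-03-01T10:15:30.0000000Z"):
    # Constructed sample in the shape the Security channel writes; not a real log record.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{time}"/>
    <Channel>Security</Channel>
    <Computer>SRV01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="AccountName">{account}</Data>
    <Data Name="AccountDomain">CORP</Data>
    <Data Name="LogonID">{logon_id}</Data>
    <Data Name="SessionName">{session}</Data>
    <Data Name="ClientName">{client}</Data>
    <Data Name="ClientAddress">{addr}</Data>
  </EventData>
</Event>"""


# Constructed samples: an RDP reconnect, a Fast User Switching reconnect, and a 4779 disconnect.
SAMPLE_RECORDS = [
    _record(4778, "jdoe", "0x3E7F12", "RDP-Tcp#1", "WS-JDOE", "10.1.2.3"),
    _record(4778, "admin", "0x45A1B0", "Console", "SRV01", "LOCAL"),
    _record(4779, "jdoe", "0x3E7F12", "RDP-Tcp#1", "WS-JDOE", "10.1.2.3"),
]

if __name__ == "__main__":
    for ev in rdp_sources(SAMPLE_RECORDS):
        print(f"{ev.time} {ev.computer}: {ev.account} (logon {ev.logon_id}) reconnected "
              f"{ev.session_name} from {ev.client_name} [{ev.source_ip}]")
```

Feed it real records by exporting them with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4778} | ForEach-Object { $_.ToXml() }`; the same Logon ID then lets you join each reconnect to its 4624 logon and 4779 disconnect to bound how long the remote session was attached.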