Event ID 4825 — A user was denied the access to Remote Desktop.
Description
A user was denied access to Remote Desktop. By default, users can connect only if they are members of the Remote Desktop Users group or the Administrators group.
Message #
Fields #
| Name | Description |
|---|---|
| User_Name | [Subject] User Name. |
| Domain | [Subject] Domain. |
| Logon_ID | [Subject] Logon ID. |
| Client_Address | [Additional Information] Client Address. |
Example Event #

```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4825,
    "version": 0,
    "level": 0,
    "task": 12551,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2020-07-12T05:27:05.579704Z",
    "event_record_id": 1231498,
    "correlation": {},
    "execution": {
      "process_id": 464,
      "thread_id": 992
    },
    "channel": "Security",
    "computer": "fs02.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AccountName": "svc6test1",
    "AccountDomain": "OFFSEC",
    "LogonID": "0x3457272",
    "ClientAddress": "10.23.23.9"
  }
}
```
Detection Rules #
Sigma #
- Denied Access To Remote Desktop (medium): This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Attackers frequently trigger it while searching for reachable Windows servers on the network, so a single client address producing 4825 on many hosts in a short time is a stronger signal than an isolated event.
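The fan-out pattern the Sigma rule description points at (one client address denied RDP on several hosts in a short window) can be checked directly against exported 4825 records. The following is an added example, not code from the page or from the Sigma project; the host names other than fs02.offsec.lan, the account jdoe, the address 10.23.23.50 and the timestamps are constructed, and the records only carry the fields the check needs.

```python
"""Flag client addresses denied Remote Desktop (Event 4825) on several
distinct computers within a sliding time window. Added example; the records
below are constructed to mirror the page's sample event."""
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, computer, account, client, event_id=4825):
    """Build a record shaped like the page's sample (constructed test data)."""
    return {"system": {"provider": "Microsoft-Windows-Security-Auditing",
                       "event_id": event_id, "channel": "Security",
                       "computer": computer, "time_created": ts},
            "event_data": {"AccountName": account, "AccountDomain": "OFFSEC",
                           "LogonID": "0x3457272", "ClientAddress": client}}


SAMPLE_EVENTS = [  # constructed: one scanning client, one ordinary mistyped logon
    _event("2020-07-12T05:27:05.579704Z", "fs02.offsec.lan", "svc6test1", "10.23.23.9"),
    _event("2020-07-12T05:27:09.100000Z", "dc01.offsec.lan", "svc6test1", "10.23.23.9"),
    _event("2020-07-12T05:27:14.250000Z", "web01.offsec.lan", "svc6test1", "10.23.23.9"),
    _event("2020-07-12T05:40:00.000000Z", "fs02.offsec.lan", "jdoe", "10.23.23.50"),
    _event("2020-07-12T05:40:30.000000Z", "fs02.offsec.lan", "jdoe", "10.23.23.50", 4624),
]


def denied_rdp_fanout(events, min_hosts=3, window_seconds=600):
    """Return {client_address: sorted hosts} for every client that received
    Event 4825 from at least min_hosts distinct computers inside one window."""
    window = timedelta(seconds=window_seconds)
    by_client = defaultdict(list)
    for ev in events:
        sysm = ev["system"]
        # Only Security-channel 4825 records count; other IDs are ignored.
        if sysm.get("channel") != "Security" or sysm.get("event_id") != 4825:
            continue
        ts = datetime.fromisoformat(sysm["time_created"].replace("Z", "+00:00"))
        by_client[ev["event_data"]["ClientAddress"]].append((ts, sysm["computer"]))
    hits = {}
    for client, seen in by_client.items():
        seen.sort()  # chronological, so each event can open a window
        for i, (start, _) in enumerate(seen):
            hosts = {host for ts, host in seen[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                hits[client] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    print(denied_rdp_fanout(SAMPLE_EVENTS))
```

A single 4825 from a workstation that then authenticates normally (the jdoe records) stays below the threshold, while three hosts hit from 10.23.23.9 within nine seconds are reported.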
References #
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx