Event ID 21 — Remote Desktop Services: Session logon succeeded.
Description
Remote Desktop Services: Session logon succeeded.
Message #
Fields #
| Name | Description |
|---|---|
EventXML.User | — |
EventXML.SessionID | — |
EventXML.Address | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
"event_source_name": "",
"event_id": 21,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2023-11-05T22:32:20.885688+00:00",
"event_record_id": 128,
"correlation": {
"ActivityID": "61A55000-55E5-1017-0000-000000000000"
},
"execution": {
"process_id": 484,
"thread_id": 704
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"User": "WINDEV2310EVAL\\User",
"SessionID": 1,
"Address": "LOCAL"
}
},
"message": ""
}
Community Notes #
Remote desktop services shell start. Occurs when a user successfully establishes a session and the shell starts, confirming a successful interactive logon.
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Ngrok Usage with Remote Desktop Service source high: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour