detection.wiki

Microsoft-Windows-TerminalServices-LocalSessionManager › Event 25

Event ID 25 — Remote Desktop Services: Session reconnection succeeded.

Provider
Microsoft-Windows-TerminalServices-LocalSessionManager
Channel
Operational
Level
Informational
Collection Priority
Recommended (Yamato Security, others)

Description

Remote Desktop Services: Session reconnection succeeded.

Message #

Remote Desktop Services: Session reconnection succeeded:

User: %1
Session ID: %2
Source Network Address: %3

Fields #

NameDescription
EventXML.User
EventXML.SessionID
EventXML.Address

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 25,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2024-11-22T22:48:31.312554+00:00",
    "event_record_id": 2323,
    "correlation": {
      "ActivityID": "F4209548-02F6-4100-AC4D-324EFFDE0000"
    },
    "execution": {
      "process_id": 896,
      "thread_id": 4048
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "EC2AMAZ-3NFFVNI",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "User": "EC2AMAZ-3NFFVNI\\samurai",
      "SessionID": 4,
      "Address": "198.51.100.2"
    }
  },
  "message": "Remote Desktop Services: Session reconnection succeeded:\n\nUser: EC2AMAZ-3NFFVNI\\samurai\nSession ID: 4\nSource Network Address: 198.51.100.2"
}

References #