Event ID 1149 — Remote Desktop Services: User authentication succeeded.
Description
Remote Desktop Services: User authentication succeeded.
Message
Fields
| Name | Description |
|---|---|
| EventXML.xmlns:auto-ns2 | — |
| EventXML.Param1 | — |
| EventXML.Param2 | — |
| EventXML.Param3 | — |
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
    "guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
    "event_source_name": "",
    "event_id": 1149,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2019-02-13T18:04:57.452387+00:00",
    "event_record_id": 228,
    "correlation": {},
    "execution": {
      "process_id": 1280,
      "thread_id": 2748
    },
    "channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
    "computer": "PC01.example.corp",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "user_data": {
    "EventXML": {
      "xmlns:auto-ns2": "http://schemas.microsoft.com/win/2004/08/events",
      "Param1": "admin01",
      "Param2": "example",
      "Param3": "127.0.0.1"
    }
  },
  "message": "Remote Desktop Services: User authentication succeeded:\n\nUser: http://schemas.microsoft.com/win/2004/08/events\nDomain: admin01\nSource Network Address: example"
}
Community Notes
RDP user authentication succeeded; combine with 4624 (successful logon) / 4625 (logoff) to track lateral movement.
Detection Rules
Splunk
- Windows RDP Connection Successful: The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly.
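An added example (not code from this page, Splunk or hayabusa) of the same triage in Python over events in the JSON shape shown above: it pulls user, domain and source address from the EventXML Param fields rather than the rendered message (whose labels are shifted in the sample), flags loopback sources, and pairs each 1149 with a Security 4624 LogonType 10 logon for the same account. The 4624 record, its field names and the 5-second correlation window are constructed assumptions for the example.

```python
from datetime import datetime, timedelta
import ipaddress
PROVIDER = "Microsoft-Windows-TerminalServices-RemoteConnectionManager"
# Constructed sample input: the page's 1149 event (trimmed to the fields used)
# plus a hypothetical Security 4624 RemoteInteractive logon one second later.
SAMPLE = [
    {"system": {"provider": PROVIDER, "event_id": 1149, "computer": "PC01.example.corp",
                "time_created": "2019-02-13T18:04:57.452387+00:00"},
     "user_data": {"EventXML": {"Param1": "admin01", "Param2": "example", "Param3": "127.0.0.1"}}},
    {"system": {"provider": "Microsoft-Windows-Security-Auditing", "event_id": 4624,
                "time_created": "2019-02-13T18:04:58.100000+00:00"},
     "event_data": {"TargetUserName": "admin01", "LogonType": "10", "IpAddress": "127.0.0.1"}},
]

def parse_ts(ts):
    return datetime.fromisoformat(ts)  # ISO-8601 with offset, as in the sample

def rdp_auth_events(events):
    """Extract user/domain/source from 1149 records. Read the Param fields, not
    the rendered 'message': in the sample above its labels are shifted by one."""
    out = []
    for ev in events:
        s = ev.get("system", {})
        if s.get("event_id") != 1149 or s.get("provider") != PROVIDER:
            continue
        x = ev.get("user_data", {}).get("EventXML", {})
        out.append({"time": parse_ts(s["time_created"]), "host": s.get("computer"),
                    "user": x.get("Param1"), "domain": x.get("Param2"),
                    "source": x.get("Param3")})
    return out

def is_remote_source(addr):
    """False for loopback (the sample's 127.0.0.1, e.g. a local client or proxy);
    an unparsable value is treated as remote so it is not silently dropped."""
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True

def correlate_logons(events, window_seconds=5):
    """Pair each 1149 with a 4624 LogonType 10 for the same account within the
    window; a 1149 with no partner is kept with None so it is not lost."""
    window = timedelta(seconds=window_seconds)
    logons = [(parse_ts(e["system"]["time_created"]), e["event_data"])
              for e in events if e["system"].get("event_id") == 4624
              and str(e.get("event_data", {}).get("LogonType")) == "10"]
    return [(a, next((ed for t, ed in logons
                      if ed.get("TargetUserName", "").lower() == (a["user"] or "").lower()
                      and abs(t - a["time"]) <= window), None))
            for a in rdp_auth_events(events)]
```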
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx