Windows RDP Login Session Was Established

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic detects instances where a successful Remote Desktop Protocol (RDP) login session was established, as indicated by Windows Security Event ID 4624 with Logon Type 10. This event confirms that a user has not only provided valid credentials but has also initiated a full interactive RDP session. It is a key indicator of successful remote access to a Windows system. When correlated with Event ID 1149, which logs RDP authentication success, this analytic helps distinguish between mere credential acceptance and actual session establishment—critical for effective monitoring and threat detection.

MITRE ATT&CK coverage

Tactic	Techniques
Lateral Movement	`T1021.001` Remote Services: Remote Desktop Protocol

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.

Stages and Predicates

Stage 1: `search`

search EventCode=4624 Logon_Type=10

Stage 2: `stats`

stats BY action, app, authentication_method, dest, dvc, process, process_id, process_name, process_path, signature, signature_id, src, src_port, status, subject, user, user_group, vendor_product, Logon_Type

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`4624` corpus 6 (splunk 6)
`Logon_Type`	eq	`10` corpus 4 (sigma 3, splunk 1)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Potential Account Takeover - Mixed Logon Types [elastic] (cross-vendor) (drops 2 filters this rule applies) (first-stage match only; downstream stages may differ)
Potential Account Takeover - Logon from New Source IP [elastic] (cross-vendor) (drops 2 filters this rule applies) (first-stage match only; downstream stages may differ)
External Remote RDP Logon from Public IP [sigma] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)