This article covers the other side of two existing write-ups, Windows RDP-Related Event Logs: Identification, Tracking, and Investigation and RDP Event Log Forensics. Both of those document the events seen when viewing logs from the server side; this one documents the events that occur on the client end of the connection. I've followed the same actions as in that material (logon, logoff, etc.), though my layout is a bit different.

I've chosen to include all related events, even those whose descriptions may not carry much useful information, so that people can look for the full chain of events as an IOC. You may notice that some events repeat a number of times. The event chains here should be in chronological order, read top down, with the newest at the bottom.

The lab contained two Windows 10 VMs with default logging (fresh, nearly unaltered images). I would highly suggest testing and verifying the results in your own environment, as logging may be different, various versions of Windows may present different logs, domain joined machines may show additional information, or I may have just screwed something up.

You can read about my methodology here: https://nullsec.us/finding-event-logs-caused-by-an-action/

If you don't like my formatting, just want to verify anything, or want some extra data, you can download the original data here: https://drive.google.com/open?id=1UV0HBw76zfwGoqW8YlqUSEWsf4dafPq_. I've also included the Sysmon event output in this data, which isn't covered here.

Lastly, I apologize, but I don't go into nearly as much detail as the Ponder The Bits article above in explaining what these events mean (e.g. his notes on Event ID: 1149). For my use case, I care more about finding the pattern of events that gives me an overall picture of what the user did than about exactly what each event log means. I think the differences in my layout reflect this, and I hope people still find this useful.

Edit: For more on the hashes in Event ID 1029, go here: https://nullsec.us/windows-event-id-1029-hashes/

Glossary:

Desktop: DESKTOP-35JV6J4 (where I'm connecting from)

Desktop IP: 192.168.59.129

Desktop User: User

Server: Server-01 (where I'm connecting to)

Server IP: 192.168.1.179

Server User: ServerUser01

Table Of Contents:

Repeated for Terse and Verbose; ctrl+f to get to your favorite section.

1) RDP Successful Logon [Logon]
2) RDP Unsuccessful Logon (bad password) [FailLogon]
3) RDP Session Disconnect (close window) [Close]
4) RDP Session Disconnect (start -> disconnect) [Disconnect]
5) RDP Session Reconnect [Reconnect]
6) RDP Session Logoff [Logoff]

Terse/Summary

1) RDP Successful Logon [Logon]

1024 Microsoft-Windows-TerminalServices-RDPClient/Operational RDP ClientActiveX is trying to connect to the server (192.168.1.179)

1028 Microsoft-Windows-TerminalServices-RDPClient/Operational Server supports SSL = supported

1029 Microsoft-Windows-TerminalServices-RDPClient/Operational Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-

4648 Security A logon was attempted using explicit credentials.

226 Microsoft-Windows-TerminalServices-RDPClient/Operational RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).

1105 Microsoft-Windows-TerminalServices-RDPClient/Operational The multi-transport connection has been disconnected.

1026 Microsoft-Windows-TerminalServices-RDPClient/Operational RDP ClientActiveX has been disconnected (Reason= 263)

1028 Microsoft-Windows-TerminalServices-RDPClient/Operational Server supports SSL = supported

1029 Microsoft-Windows-TerminalServices-RDPClient/Operational Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-

4648 Security A logon was attempted using explicit credentials.

1102 Microsoft-Windows-TerminalServices-RDPClient/Operational The client has initiated a multi-transport connection to the server 192.168.1.179.

1103 Microsoft-Windows-TerminalServices-RDPClient/Operational The client has established a multi-transport connection to the server.

1025 Microsoft-Windows-TerminalServices-RDPClient/Operational RDP ClientActiveX has connected to the server

1403 Microsoft-Windows-TerminalServices-RDPClient/Operational The client is using software memory for the frame buffer.

1401 Microsoft-Windows-TerminalServices-RDPClient/Operational The server is using version 0xA0502 of the RDP graphics protocol (client mode: 0, AVC available: 1).

1027 Microsoft-Windows-TerminalServices-RDPClient/Operational Connected to domain (SERVER-01) with session 12.



2) RDP Unsuccessful Logon (bad password) [FailLogon]

1024 Microsoft-Windows-TerminalServices-RDPClient/Operational RDP ClientActiveX is trying to connect to the server (192.168.1.179)

1028 Microsoft-Windows-TerminalServices-RDPClient/Operational Server supports SSL = supported

1029 Microsoft-Windows-TerminalServices-RDPClient/Operational Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-

4648 Security A logon was attempted using explicit credentials.

226 Microsoft-Windows-TerminalServices-RDPClient/Operational RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).

1105 Microsoft-Windows-TerminalServices-RDPClient/Operational The multi-transport connection has been disconnected.



3) RDP Session Disconnect (close window) [Close]

1105 Microsoft-Windows-TerminalServices-RDPClient/Operational The multi-transport connection has been disconnected.

1026 Microsoft-Windows-TerminalServices-RDPClient/Operational RDP ClientActiveX has been disconnected (Reason= 1)



4) RDP Session Disconnect (start -> disconnect) [Disconnect]

226 Microsoft-Windows-TerminalServices-RDPClient/Operational RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to TsSslEventInvalidState (error code 0x8000FFFF).

1105 Microsoft-Windows-TerminalServices-RDPClient/Operational The multi-transport connection has been disconnected.

1026 Microsoft-Windows-TerminalServices-RDPClient/Operational RDP ClientActiveX has been disconnected (Reason= 2)



5) RDP Session Reconnect [Reconnect]

1024 Microsoft-Windows-TerminalServices-RDPClient/Operational RDP ClientActiveX is trying to connect to the server (192.168.1.179)

1028 Microsoft-Windows-TerminalServices-RDPClient/Operational Server supports SSL = supported

1029 Microsoft-Windows-TerminalServices-RDPClient/Operational Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-

226 Microsoft-Windows-TerminalServices-RDPClient/Operational RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).

1105 Microsoft-Windows-TerminalServices-RDPClient/Operational The multi-transport connection has been disconnected.

1026 Microsoft-Windows-TerminalServices-RDPClient/Operational RDP ClientActiveX has been disconnected (Reason= 263)

1028 Microsoft-Windows-TerminalServices-RDPClient/Operational Server supports SSL = supported

1029 Microsoft-Windows-TerminalServices-RDPClient/Operational Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-

1102 Microsoft-Windows-TerminalServices-RDPClient/Operational The client has initiated a multi-transport connection to the server 192.168.1.179.

1103 Microsoft-Windows-TerminalServices-RDPClient/Operational The client has established a multi-transport connection to the server.

1025 Microsoft-Windows-TerminalServices-RDPClient/Operational RDP ClientActiveX has connected to the server

1403 Microsoft-Windows-TerminalServices-RDPClient/Operational The client is using software memory for the frame buffer.

1401 Microsoft-Windows-TerminalServices-RDPClient/Operational The server is using version 0xA0502 of the RDP graphics protocol (client mode: 0, AVC available: 1).

1027 Microsoft-Windows-TerminalServices-RDPClient/Operational Connected to domain (SERVER-01) with session 16.

5058 Security Key file operation.

5061 Security Cryptographic operation.

5059 Security Key migration operation.

5058 Security Key file operation.

5061 Security Cryptographic operation.

5059 Security Key migration operation.

5058 Security Key file operation.

5061 Security Cryptographic operation.

5059 Security Key migration operation.

4648 Security A logon was attempted using explicit credentials.

4648 Security A logon was attempted using explicit credentials.



6) RDP Session Logoff [Logoff]

226 Microsoft-Windows-TerminalServices-RDPClient/Operational RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to TsSslEventInvalidState (error code 0x8000FFFF).

1105 Microsoft-Windows-TerminalServices-RDPClient/Operational The multi-transport connection has been disconnected.

1026 Microsoft-Windows-TerminalServices-RDPClient/Operational RDP ClientActiveX has been disconnected (Reason= 2)
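As an added example (not the article's own tooling, and not from the linked write-ups), the Python below parses records in the one-line layout of the Verbose section, keeps the Microsoft-Windows-TerminalServices-RDPClient/Operational events, splits them into connection attempts and teardowns, and names the chain each run matches; Logon and Reconnect, and likewise Disconnect and Logoff, are reported together because they are event-for-event identical in that log. The sample records are constructed from the lab values above, with the Close timestamp adjusted so the three chains do not overlap; the one-window-at-a-time segmentation is an assumption.

```python
# Added example (not the article's own tooling): match client-side RDP event chains.
# Parses the one-line "Event[N]: Log Name: ... Event ID: ... Description: ..." dump layout.
import re
from typing import Dict, List, Optional, Tuple

RDP_LOG = "Microsoft-Windows-TerminalServices-RDPClient/Operational"
_REC_RE = re.compile(r"Log Name: (?P<log>\S+).*?Date: (?P<date>\S+).*?"
                     r"Event ID: (?P<eid>\d+).*?Description: (?P<desc>.*)$")
# Per Event ID: the info field to fill and the regex that pulls it from the Description.
_FIELDS = {1024: ("server", re.compile(r"connect to the server \(([^)]+)\)")),
           1026: ("reason", re.compile(r"Reason= ?(\d+)")),
           1027: ("session", re.compile(r"with session (\d+)"))}

# Chains from the terse section, RDPClient log only, paired with the Reason code of
# the last 1026 (None when the chain has none). Reconnect matches Logon, and Logoff
# matches Disconnect, event-for-event in this log, so each pair shares one entry.
CHAINS: Dict[str, Tuple[List[int], Optional[int]]] = {
    "Logon/Reconnect": ([1024, 1028, 1029, 226, 1105, 1026, 1028, 1029,
                         1102, 1103, 1025, 1403, 1401, 1027], 263),
    "FailLogon": ([1024, 1028, 1029, 226, 1105], None),
    "Close": ([1105, 1026], 1),
    "Disconnect/Logoff": ([226, 1105, 1026], 2),
}

def parse_records(text: str) -> List[dict]:
    """One record per line; lines that are not event records are skipped."""
    out = []
    for line in text.splitlines():
        m = _REC_RE.search(line)
        if m:
            out.append({"log": m["log"], "date": m["date"],
                        "eid": int(m["eid"]), "desc": m["desc"].strip()})
    return out

def split_segments(records: List[dict]) -> List[List[dict]]:
    """Order RDPClient events by time and cut them into chains: a new one starts at
    1024 (connect attempt) or right after 1027 (session established), so the teardown
    after a logon is its own segment. Assumes one RDP window at a time."""
    rdp = sorted((r for r in records if r["log"] == RDP_LOG), key=lambda r: r["date"])
    segments: List[List[dict]] = []
    for r in rdp:
        if not segments or r["eid"] == 1024 or segments[-1][-1]["eid"] == 1027:
            segments.append([])
        segments[-1].append(r)
    return segments

def classify(segment: List[dict]) -> dict:
    """Name the chain a segment matches; unmatched runs come back as "Unknown"."""
    ids = [r["eid"] for r in segment]
    info = {"chain": "Unknown", "ids": ids, "server": None, "reason": None, "session": None,
            "start": segment[0]["date"], "end": segment[-1]["date"]}
    for r in segment:
        if r["eid"] in _FIELDS:
            key, rx = _FIELDS[r["eid"]]
            m = rx.search(r["desc"])
            info[key] = (int(m.group(1)) if m.group(1).isdigit() else m.group(1)) if m else None
    for name, (chain_ids, chain_reason) in CHAINS.items():
        if ids == chain_ids and info["reason"] == chain_reason:
            info["chain"] = name
            break
    return info

def analyze(text: str) -> List[dict]:
    return [classify(seg) for seg in split_segments(parse_records(text))]

# ---- constructed sample from the article's lab values (Close time adjusted so that the
# three chains do not overlap); only the Descriptions the matcher reads are spelled out.
_DESC = {1024: "RDP ClientActiveX is trying to connect to the server (192.168.1.179)",
         1026: "RDP ClientActiveX has been disconnected (Reason= {})",
         1027: "Connected to domain (SERVER-01) with session 12."}
_SAMPLE = [  # (time on 2018-06-19, Event ID[, Reason for 1026]): Logon, Close, FailLogon
    ("18:00:40.011", 1024), ("18:00:40.055", 1028), ("18:00:44.339", 1029),
    ("18:00:44.390", 226), ("18:00:44.390", 1105), ("18:00:46.757", 1026, 263),
    ("18:00:46.780", 1028), ("18:00:46.781", 1029), ("18:00:46.908", 1102),
    ("18:00:46.928", 1103), ("18:00:47.023", 1025), ("18:00:47.259", 1403),
    ("18:00:47.267", 1401), ("18:00:48.938", 1027),
    ("18:20:12.411", 1105), ("18:20:12.411", 1026, 1),
    ("18:32:53.297", 1024), ("18:32:53.341", 1028), ("18:32:54.703", 1029),
    ("18:32:54.755", 226), ("18:32:54.755", 1105),
]

def _rec(n: int, date: str, eid: int, desc: str, log: str = RDP_LOG) -> str:
    """Render one record in the article's one-line dump layout."""
    return (f"Event[{n}]: Log Name: {log} Source: Microsoft-Windows-TerminalServices-ClientActiveXCore "
            f"Date: {date} Event ID: {eid} Task: Connection Sequence Level: Information Keyword: N/A "
            f"User Name: DESKTOP-35JV6J4\\User Computer: DESKTOP-35JV6J4 Description: {desc}")

def sample_dump() -> str:
    lines = [_rec(n, f"2018-06-19T{t}", eid, _DESC.get(eid, "(description omitted)").format(*extra))
             for n, (t, eid, *extra) in enumerate(_SAMPLE)]
    # A Security 4648 record, which the RDPClient filter keeps out of the chains.
    lines.append(_rec(99, "2018-06-19T18:00:44.388", 4648,
                      "A logon was attempted using explicit credentials.", log="Security"))
    return "\n".join(lines)

if __name__ == "__main__":
    for hit in analyze(sample_dump()):
        print(f"{hit['start']} .. {hit['end']}  {hit['chain']:18} ids={hit['ids']}")
```

An unmatched run is reported as Unknown together with its Event ID list, so a chain your environment produces differently can be compared against the ones above.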



Verbose

1) RDP Successful Logon [Logon]

Event[0]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:40.011 Event ID: 1024 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDP ClientActiveX is trying to connect to the server (192.168.1.179)

Event[1]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:40.055 Event ID: 1028 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: Server supports SSL = supported

Event[2]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:44.339 Event ID: 1029 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-

Event[1]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-19T18:00:44.388 Event ID: 4648 Task: Logon Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ServerUser01 Account Domain: Server-01 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: Server-01 Additional Information: Server-01 Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Event[3]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:44.390 Event ID: 226 Task: RDP State Transition Level: Warning Opcode: This event is raised during a state transition. Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).

Event[4]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:44.390 Event ID: 1105 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The multi-transport connection has been disconnected.

Event[5]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:46.757 Event ID: 1026 Task: Connection Sequence Level: Information Opcode: This event is raised during the disconnection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDP ClientActiveX has been disconnected (Reason= 263)

Event[6]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:46.780 Event ID: 1028 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: Server supports SSL = supported

Event[7]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:46.781 Event ID: 1029 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-

Event[2]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-19T18:00:46.789 Event ID: 4648 Task: Logon Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ServerUser01 Account Domain: Server-01 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: Server-01 Additional Information: Server-01 Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Event[8]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:46.908 Event ID: 1102 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The client has initiated a multi-transport connection to the server 192.168.1.179.

Event[9]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:46.928 Event ID: 1103 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The client has established a multi-transport connection to the server.

Event[10]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:47.023 Event ID: 1025 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDP ClientActiveX has connected to the server

Event[11]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:47.259 Event ID: 1403 Task: RdClient Pipeline workspace Level: Information Opcode: This event is raised when protocol caps are received from the server. We log that hardware resources are not being used. Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The client is using software memory for the frame buffer.

Event[12]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:47.267 Event ID: 1401 Task: RdClient Pipeline workspace Level: Information Opcode: This event is raised when protocol caps are received from the server. We log the version selected, and the client mode and AVC capability. Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The server is using version 0xA0502 of the RDP graphics protocol (client mode: 0, AVC available: 1).

Event[13]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:00:48.938 Event ID: 1027 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: Connected to domain (SERVER-01) with session 12.

2) RDP Unsuccessful Logon (bad password) [FailLogon]

Event[0]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:32:53.297 Event ID: 1024 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDP ClientActiveX is trying to connect to the server (192.168.1.179)

Event[1]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:32:53.341 Event ID: 1028 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: Server supports SSL = supported

Event[2]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:32:54.703 Event ID: 1029 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-

Event[1]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-19T18:32:54.751 Event ID: 4648 Task: Logon Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ServerUser01 Account Domain: Server-01 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: Server-01 Additional Information: Server-01 Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Event[3]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:32:54.755 Event ID: 226 Task: RDP State Transition Level: Warning Opcode: This event is raised during a state transition. Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).

Event[4]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:32:54.755 Event ID: 1105 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The multi-transport connection has been disconnected.

3) RDP Session Disconnect (close window) [Close]

Event[0]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:51:12.411 Event ID: 1105 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The multi-transport connection has been disconnected.

Event[1]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-19T18:51:12.411 Event ID: 1026 Task: Connection Sequence Level: Information Opcode: This event is raised during the disconnection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDP ClientActiveX has been disconnected (Reason= 1)

4) RDP Session Disconnect (start -> disconnect) [Disconnect]

Event[0]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:23:47.607 Event ID: 226 Task: RDP State Transition Level: Warning Opcode: This event is raised during a state transition. Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to TsSslEventInvalidState (error code 0x8000FFFF).

Event[1]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:23:47.607 Event ID: 1105 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The multi-transport connection has been disconnected.

Event[2]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:23:47.608 Event ID: 1026 Task: Connection Sequence Level: Information Opcode: This event is raised during the disconnection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDP ClientActiveX has been disconnected (Reason= 2)

5) RDP Session Reconnect [Reconnect]

Event[0]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:21.846 Event ID: 1024 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDP ClientActiveX is trying to connect to the server (192.168.1.179)

Event[1]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:21.886 Event ID: 1028 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: Server supports SSL = supported

Event[2]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:25.590 Event ID: 1029 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-

Event[3]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:25.646 Event ID: 226 Task: RDP State Transition Level: Warning Opcode: This event is raised during a state transition. Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).

Event[4]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:25.647 Event ID: 1105 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The multi-transport connection has been disconnected.

Event[5]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:27.619 Event ID: 1026 Task: Connection Sequence Level: Information Opcode: This event is raised during the disconnection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDP ClientActiveX has been disconnected (Reason= 263)

Event[6]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:27.647 Event ID: 1028 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: Server supports SSL = supported

Event[7]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:27.647 Event ID: 1029 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-

Event[8]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:27.776 Event ID: 1102 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The client has initiated a multi-transport connection to the server 192.168.1.179.

Event[9]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:27.798 Event ID: 1103 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The client has established a multi-transport connection to the server.

Event[10]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:28.036 Event ID: 1025 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDP ClientActiveX has connected to the server

Event[11]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:28.294 Event ID: 1403 Task: RdClient Pipeline workspace Level: Information Opcode: This event is raised when protocol caps are received from the server. We log that hardware resources are not being used. Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The client is using software memory for the frame buffer.

Event[12]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:28.297 Event ID: 1401 Task: RdClient Pipeline workspace Level: Information Opcode: This event is raised when protocol caps are received from the server. We log the version selected, and the client mode and AVC capability. Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The server is using version 0xA0502 of the RDP graphics protocol (client mode: 0, AVC available: 1).

Event[13]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-06-23T05:45:28.831 Event ID: 1027 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: Connected to domain (SERVER-01) with session 16.

Event[1]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:19.005 Event ID: 5058 Task: Other System Events Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: Key file operation. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Process Information: Process ID: 5544 Process Creation Time: 2018-06-09T11:49:11.506100500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TB_2_bing.com Key Type: User key. Key File Operation Information: File Path: C:\Users\User\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Crypto\TokenBindingKeys\Keys\887a471fc5377c5cbe6e38ac87d5a40f_4bf62209-2175-4363-83ab-ba92665e7646_775090f05efb4712c965fe90ed1ae5ce Operation: Read persisted key from file. Return Code: 0x0

Event[2]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:19.007 Event ID: 5061 Task: System Integrity Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: Cryptographic operation. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: TB_2_bing.com Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0

Event[3]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:19.007 Event ID: 5059 Task: Other System Events Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: Key migration operation. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Process Information: Process ID: 5544 Process Creation Time: 2018-06-09T11:49:11.506100500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: TB_2_bing.com Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0

Event[4]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:22.035 Event ID: 5058 Task: Other System Events Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: Key file operation. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Process Information: Process ID: 5544 Process Creation Time: 2018-06-09T11:49:11.506100500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TB_2_msedge.net Key Type: User key. Key File Operation Information: File Path: C:\Users\User\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Crypto\TokenBindingKeys\Keys\cf5cb1723dccff2c0ea8430f59e66dc5_4bf62209-2175-4363-83ab-ba92665e7646_775090f05efb4712c965fe90ed1ae5ce Operation: Read persisted key from file. Return Code: 0x0

Event[5]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:22.036 Event ID: 5061 Task: System Integrity Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: Cryptographic operation. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: TB_2_msedge.net Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0

Event[6]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:22.036 Event ID: 5059 Task: Other System Events Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: Key migration operation. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Process Information: Process ID: 5544 Process Creation Time: 2018-06-09T11:49:11.506100500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: TB_2_msedge.net Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0

Event[7]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:22.452 Event ID: 5058 Task: Other System Events Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: Key file operation. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Process Information: Process ID: 5544 Process Creation Time: 2018-06-09T11:49:11.506100500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TB_2_footprintdns.com Key Type: User key. Key File Operation Information: File Path: C:\Users\User\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Crypto\TokenBindingKeys\Keys\0864bb47f2eb5792242e292f093bd059_4bf62209-2175-4363-83ab-ba92665e7646_775090f05efb4712c965fe90ed1ae5ce Operation: Read persisted key from file. Return Code: 0x0

Event[8]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:22.453 Event ID: 5061 Task: System Integrity Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: Cryptographic operation. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: TB_2_footprintdns.com Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0

Event[9]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:22.453 Event ID: 5059 Task: Other System Events Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: Key migration operation. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Process Information: Process ID: 5544 Process Creation Time: 2018-06-09T11:49:11.506100500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: TB_2_footprintdns.com Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0

Event[10]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:22.610 Event ID: 5058 Task: Other System Events Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: Key file operation. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Process Information: Process ID: 5544 Process Creation Time: 2018-06-09T11:49:11.506100500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TB_2_msedge.net Key Type: User key. Key File Operation Information: File Path: C:\Users\User\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Crypto\TokenBindingKeys\Keys\cf5cb1723dccff2c0ea8430f59e66dc5_4bf62209-2175-4363-83ab-ba92665e7646_775090f05efb4712c965fe90ed1ae5ce Operation: Read persisted key from file. Return Code: 0x0

Event[11]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:22.611 Event ID: 5061 Task: System Integrity Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: Cryptographic operation. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: TB_2_msedge.net Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0

Event[12]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:22.611 Event ID: 5059 Task: Other System Events Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: Key migration operation. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Process Information: Process ID: 5544 Process Creation Time: 2018-06-09T11:49:11.506100500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: TB_2_msedge.net Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0

Event[13]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:25.643 Event ID: 4648 Task: Logon Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ServerUser01 Account Domain: Server-01 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: Server-01 Additional Information: Server-01 Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Event[14]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:27.657 Event ID: 4648 Task: Logon Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A Computer: DESKTOP-35JV6J4 Description: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-2773257397-1885399017-559746253-1001 Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ServerUser01 Account Domain: Server-01 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: Server-01 Additional Information: Server-01 Process Information: Process ID: 0x280 Process Name: C:\Windows\System32\lsass.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
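The client-side chain above reduces, for an investigator, to three things: which account's credentials were presented and to which target server (Security 4648), when the client actually connected and which session it was given (RDPClient 1027, which names the server as SERVER-01 while 4648 writes Server-01), and when the multi-transport connection went away (RDPClient 1105, as seen in the logoff chain). The script below is an added example, not the author's tooling or data: it parses records in the same flattened "Key: Value Key: Value ..." layout used on this page, pulls those fields out of the descriptions, and stitches them into one record per outbound session. The sample records are constructed from the values shown above, trimmed to the fields the parser needs; the second 4648 is the first one with its timestamp moved to the time of the page's Event[14].

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Header keys as they appear in the flattened records (the layout used on this
# page). "User Name" is listed before "User" so the alternation prefers it.
HEADER_KEYS = ["Log Name", "Source", "Date", "Event ID", "Task", "Level", "Opcode",
               "Keyword", "User Name", "User", "Computer", "Description"]
_KEY_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in HEADER_KEYS) + r"): ")
_PREFIX_RE = re.compile(r"^Event\[\d+\]:\s*")

@dataclass
class ClientEvent:
    log: str
    event_id: int
    time: datetime
    description: str
    details: Dict[str, str] = field(default_factory=dict)

def _extract_details(event_id: int, description: str) -> Dict[str, str]:
    """Pull the fields worth correlating on out of the free-text description."""
    d: Dict[str, str] = {}
    if event_id == 4648:  # whose credentials were used, and for which target server
        m = re.search(r"Credentials Were Used: Account Name: (\S+) Account Domain: (\S+)", description)
        if m:
            d["cred_account"], d["cred_domain"] = m.group(1), m.group(2)
        m = re.search(r"Target Server Name: (\S+)", description)
        if m:
            d["target_server"] = m.group(1)
    elif event_id == 1027:  # client connected: server name and session id
        m = re.search(r"Connected to domain \((\S+)\) with session (\d+)", description)
        if m:
            d["server"], d["session"] = m.group(1), m.group(2)
    return d

def parse_record(line: str) -> ClientEvent:
    """Split one flattened 'Key: Value Key: Value ...' record into header fields."""
    text = _PREFIX_RE.sub("", line.strip())
    fields: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(text))
    for i, m in enumerate(matches):
        key = m.group(1)
        if key == "Description":  # everything after this key is free text
            fields[key] = text[m.end():].strip()
            break
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[key] = text[m.end():end].strip()
    event_id = int(fields["Event ID"])
    desc = fields.get("Description", "")
    return ClientEvent(fields["Log Name"], event_id, datetime.fromisoformat(fields["Date"]),
                       desc, _extract_details(event_id, desc))

def correlate_sessions(events: List[ClientEvent]) -> List[dict]:
    """Stitch 4648 (credentials + target server) -> 1027 (connected, session id)
    -> 1105 (multi-transport disconnected) into one record per outbound session.
    Server names are compared case-insensitively because 4648 logs 'Server-01'
    while 1027 logs 'SERVER-01' for the same host."""
    sessions: List[dict] = []
    pending: Dict[str, dict] = {}  # upper-cased target server -> 4648 summary
    current: Optional[dict] = None
    for e in sorted(events, key=lambda ev: ev.time):
        if e.event_id == 4648 and "target_server" in e.details:
            cred = f"{e.details.get('cred_domain', '?')}\\{e.details.get('cred_account', '?')}"
            p = pending.setdefault(e.details["target_server"].upper(),
                                   {"credential": cred, "logon_attempts": []})
            p["logon_attempts"].append(e.time)
        elif e.event_id == 1027:
            p = pending.pop(e.details["server"].upper(), {"credential": None, "logon_attempts": []})
            current = {**p, "server": e.details["server"], "connected_at": e.time,
                       "session": int(e.details["session"]), "disconnected_at": None}
            sessions.append(current)
        elif e.event_id == 1105 and current is not None and current["disconnected_at"] is None:
            current["disconnected_at"] = e.time
    return sessions

# Constructed sample records, modelled on (and trimmed from) the events above.
_4648 = ("Event[13]: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2018-06-23T05:45:25.643 "
         "Event ID: 4648 Task: Logon Level: Information Opcode: Info Keyword: Audit Success User: N/A User Name: N/A "
         "Computer: DESKTOP-35JV6J4 Description: A logon was attempted using explicit credentials. Subject: "
         "Account Name: User Account Domain: DESKTOP-35JV6J4 Logon ID: 0x21BCB Account Whose Credentials Were Used: "
         "Account Name: ServerUser01 Account Domain: Server-01 Target Server: Target Server Name: Server-01 "
         "Process Information: Process ID: 0x280 Process Name: C:\\Windows\\System32\\lsass.exe")
_RDP = ("Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: "
        "Microsoft-Windows-TerminalServices-ClientActiveXCore Date: {date} Event ID: {eid} Task: Connection Sequence "
        "Level: Information Opcode: This event is raised during the connection process Keyword: N/A "
        "User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\\User "
        "Computer: DESKTOP-35JV6J4 Description: {desc}")
SAMPLE_RECORDS = [
    _4648,
    _4648.replace("05:45:25.643", "05:45:27.657"),  # the page's second 4648
    "Event[10]: " + _RDP.format(date="2018-06-23T05:45:28.036", eid=1025, desc="RDP ClientActiveX has connected to the server"),
    "Event[13]: " + _RDP.format(date="2018-06-23T05:45:28.831", eid=1027, desc="Connected to domain (SERVER-01) with session 16."),
    "Event[1]: " + _RDP.format(date="2018-08-01T16:18:08.853", eid=1105, desc="The multi-transport connection has been disconnected."),
]

if __name__ == "__main__":
    for s in correlate_sessions([parse_record(r) for r in SAMPLE_RECORDS]):
        print(f"{s['server']}: session {s['session']} as {s['credential']}, "
              f"{len(s['logon_attempts'])} x 4648, {s['connected_at']} -> {s['disconnected_at']}")
```

On the sample data this yields a single session to SERVER-01 (session 16) using Server-01\ServerUser01, preceded by two 4648 events and closed by the 1105 at the logoff timestamp. The case-insensitive server match and the "last 4648 for that server" pairing are the two judgement calls in the correlation; a 1027 with no preceding 4648 (credentials cached, or a different audit policy) still produces a session record with `credential` set to None rather than being dropped.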

6) RDP Session Logoff [Logoff]

Event[0]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-08-01T16:18:08.853 Event ID: 226 Task: RDP State Transition Level: Warning Opcode: This event is raised during a state transition. Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to TsSslEventInvalidState (error code 0x8000FFFF).

Event[1]: Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational Source: Microsoft-Windows-TerminalServices-ClientActiveXCore Date: 2018-08-01T16:18:08.853 Event ID: 1105 Task: Connection Sequence Level: Information Opcode: This event is raised during the connection process Keyword: N/A User: S-1-5-21-2773257397-1885399017-559746253-1001 User Name: DESKTOP-35JV6J4\User Computer: DESKTOP-35JV6J4 Description: The multi-transport connection has been disconnected.