Destination System Artifacts - Quick Reference

Security Event Log – security.evtx

  • 4624 Logon Type 10

    • Source IP/Logon User Name

  • 4778/4779

    • IP Address of Source/Source System Name

    • Logon User Name

Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx

  • 131 – Connection Attempts

    • Source IP

  • 98 – Successful Connections

Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

  • 1149

    • Source IP/Logon User Name

      • Blank user name may indicate use of Sticky Keys

Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

  • 21, 22, 25

    • Source IP/Logon User Name

  • 41

    • Logon User Name
