Posts tagged #rdp
How attackers move host-to-host over RDP and the event-log trail it leaves — chaining RDPClient 1024 to RemoteConnectionManager 1149, spotting jump-host fan-out, restricted-admin and tunnelled RDP, and the gaps to watch for.
A practical workflow for answering 'was there a remote desktop session' from EVTX alone — which logs to pull, which event IDs to filter, how to confirm a real interactive session, and how to read the source and timing.
Every Windows event a Remote Desktop session leaves behind, across four logs — 1149, LocalSessionManager 21/22/24/25, Security 4624 type 10 and 4778/4779 — and how they fit together into one timeline.