Windows RDPClient Connection Sequence Events

name: Windows RDPClient Connection Sequence Events
id: 67340df1-3f1d-4470-93c8-9ac7249d11b0
version: 9
creation_date: '2024-11-25'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: This analytic monitors Windows RDP client connection sequence events (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational log. These events track when RDP ClientActiveX initiates connection attempts to remote servers. The connection sequence is a critical phase of RDP where the client and server exchange settings and establish common parameters for the session. Monitoring these events can help identify unusual RDP connection patterns, potential lateral movement attempts, unauthorized remote access activity, and RDP connection chains that may indicate compromised systems. NOTE the analytic was written for Multi-Line as XML was not properly parsed out.
data_source:
    - Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
search: |-
    `wineventlog_rdp` EventCode=1024
      | rename host as dest
      | stats count as "Event Count", min(_time) as firstTime, max(_time) as lastTime, values(Message) as messages
        BY dest, source, LogName,
           EventCode, category
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_rdpclient_connection_sequence_events_filter`
how_to_implement: To successfully implement this detection, ensure Windows RDP Client Operational logs are being collected and forwarded to Splunk. Enable logging for "Microsoft-Windows-TerminalServices-RDPClient/Operational", via a new inputs.conf input. See references for more details.
known_false_positives: Legitimate RDP connections from authorized administrators and users will generate these events. To reduce false positives, you should baseline normal RDP connection patterns in your environment, whitelist expected RDP connection chains between known administrative workstations and servers, and track authorized remote support sessions.
references:
    - https://gist.github.com/MHaggis/acd5dcbf1d4fb705b77f0a48e772eefc
    - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: A Windows RDP client initiated a connection sequence event (EventCode 1024) on host $dest$.
analytic_story:
    - Spearphishing Attachments
    - Windows RDP Artifacts and Defense Evasion
asset_type: Endpoint
mitre_attack_id:
    - T1133
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1133/rdp/terminalservices-rdpclient.log
          sourcetype: WinEventLog
          source: WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational
      test_type: unit