EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

Windows RDP Connection Successful

The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly.

MITRE ATT&CK

T1563.002

Detection Query

`remoteconnectionmanager` EventCode=1149
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY Computer, user_id
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | rename Computer as dest
  | `windows_rdp_connection_successful_filter`

Author

Michael Haag, Splunk

Created

2026-02-25

Data Sources

Windows Event Log RemoteConnectionManager 1149

References

Tags

Active Directory Lateral MovementBlackByte RansomwareWindows RDP Artifacts and Defense EvasionInterlock RansomwareNetSupport RMM Tool Abuse
Raw Content
name: Windows RDP Connection Successful
id: ceaed840-56b3-4a70-b8e1-d762b1c5c08c
version: 10
date: '2026-02-25'
author: Michael Haag, Splunk
status: production
type: Hunting
data_source:
    - Windows Event Log RemoteConnectionManager 1149
description: The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly.
search: |-
    `remoteconnectionmanager` EventCode=1149
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY Computer, user_id
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | rename Computer as dest
      | `windows_rdp_connection_successful_filter`
how_to_implement: The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706.
known_false_positives: False positives will be present, filter as needed or restrict to critical assets on the perimeter.
references:
    - https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706
    - https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
tags:
    analytic_story:
        - Active Directory Lateral Movement
        - BlackByte Ransomware
        - Windows RDP Artifacts and Defense Evasion
        - Interlock Ransomware
        - NetSupport RMM Tool Abuse
    asset_type: Endpoint
    atomic_guid: []
    mitre_attack_id:
        - T1563.002
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/windows-xml.log
          source: WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
          sourcetype: XmlWinEventLog