
Conversation

@tomsonpl (Contributor) commented Jan 20, 2026

RDP Authentication Events

Comprehensive Remote Desktop Protocol (RDP) authentication and session tracking query for Windows forensic analysis. This query provides complete visibility into RDP activity by monitoring four distinct Windows event log channels, enabling detection of lateral movement, unauthorized access attempts, and session hijacking.

Core Forensic Artifacts Coverage

| # | Artifact | OS | Query File | Description |
|---|----------|----|------------|-------------|
| 1 | RDP Authentication | Windows | rdp_authentication_windows_elastic (d8d79510) | RDP logon/logoff events, session tracking, and lateral movement detection |

Queries by Platform


🪟 Windows - RDP Authentication and Session Tracking

Description

Monitors Windows Event Logs across four channels to provide comprehensive RDP session visibility. Captures successful and failed authentication attempts, session connections/disconnections, and session lifecycle events critical for detecting lateral movement and unauthorized remote access.

Detection Focus:

  • RDP brute force attacks (failed logon attempts - Event ID 4625)
  • Lateral movement via RDP (successful remote logons - Event ID 4624 with LogonType 10)
  • Session hijacking indicators (reconnection patterns - Event IDs 4778, 25)
  • Unauthorized remote access (RDP initiation from unexpected sources - Event ID 1149)
  • Session persistence analysis (connect/disconnect patterns)
  • Network logon correlation (LogonType 3 events)

Event Coverage:

| Channel | Event IDs | Purpose |
|---------|-----------|---------|
| Security | 4624, 4625, 4634, 4647, 4778, 4779 | Authentication events (LogonType 3, 7, 10) |
| TerminalServices-LocalSessionManager | 21, 22, 23, 24, 25, 39, 40 | RDP session lifecycle |
| TerminalServices-RemoteConnectionManager | 1149 | RDP connection initiation |
| System | 9009 | Desktop Window Manager closure |

Result

[Screenshot of the query results, taken 2026-01-20]

Query results include event timestamps, usernames, source IPs, logon types, and human-readable event descriptions (e.g., RDP_LOGON_SUCCESSFUL_NEW, SESSION_RECONNECTED, RDP_LOGON_FAILED) for rapid analyst triage.

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

rdp_authentication_windows_elastic

ECS Field Mappings

  • event.category ← ["authentication"] (static)
  • event.action ← osquery.rdp_authentication (static)
  • event.code ← eventid
  • event.reason ← event_description
  • host.hostname ← computer_name
  • user.name ← user_name
  • user.domain ← domain_name
  • source.ip ← source_ip
  • source.port ← source_port
  • log.level ← level
  • process.pid ← pid
  • winlog.channel ← channel
  • winlog.logon.type ← logon_type
  • winlog.logon.id ← logon_id
  • winlog.event_data.WorkstationName ← workstation_name
  • winlog.event_data.LogonProcessName ← logon_process
  • winlog.event_data.AuthenticationPackageName ← auth_package
  • winlog.event_data.SubjectUserName ← subject_user
  • winlog.event_data.SubjectDomainName ← subject_domain
  • winlog.event_data.Status ← status_code
  • winlog.event_data.SubStatus ← sub_status_code
  • winlog.event_data.FailureReason ← failure_reason
  • tags ← ["osquery", "rdp", "authentication", "lateral_movement", "windows"] (static)

SQL Query

-- Windows RDP Authentication and Session Events
-- Coverage: Security, System, and TerminalServices event logs
--
-- Security Channel Events:
--   4624 (LogonType 3,7,10): Successful logon.
--        10 = RemoteInteractive (RDP session created)
--        3  = Network. With NLA enabled the CredSSP pre-authentication of an
--             RDP logon is recorded as a type 3 shortly before the type 10,
--             which is why network logons are kept here.
--        7  = Unlock (reconnecting to a locked RDP session)
--   4625: Failed logon (failed NLA attempts are logged as LogonType 3, not 10)
--   4634: Logoff
--   4647: User-initiated logoff
--   4778: Session reconnected to a window station (RDP reconnect or Fast User
--         Switching); client in ClientName/ClientAddress, account in AccountName
--   4779: Session disconnected from a window station (same field layout as 4778)
--
-- TerminalServices-LocalSessionManager/Operational:
--   21: Session logon succeeded                 (labelled RDP_LOCAL_CONNECTED)
--   22: Shell start notification received      (RDP_REMOTE_CONNECTED)
--   23: Session logoff succeeded                (RDP_SESSION_LOGOFF)
--   24: Session has been disconnected           (RDP_LOCAL_DISCONNECTED)
--   25: Session reconnection succeeded          (RDP_REMOTE_RECONNECTION)
--   39: Session disconnected by another session (RDP_REMOTE_DISCONNECTED_FORMAL)
--   40: Session disconnected, with reason code  (RDP_REMOTE_DISCONNECTED_REASON)
--   Events 21-25 carry User (DOMAIN\user), SessionID and Address; Address is
--   'LOCAL' for console logons, so 21 is not RDP-only. Events 39/40 carry only
--   session IDs (and, for 40, a Reason code), so user and address are NULL.
--
-- TerminalServices-RemoteConnectionManager/Operational:
--   1149: User authentication succeeded (RDP initiation). Logged when the
--         client reaches the logon stage; on hosts without NLA it can appear
--         even though the following logon fails, so treat it as a connection
--         indicator and confirm with the Security 4624 rather than on its own.
--
-- System Channel:
--   9009: Desktop Window Manager has exited (session teardown)

-- Part 1: Security Channel - Authentication Events
-- 4624/4625/4634/4647 name the account in Target* fields and the client in
-- IpAddress/WorkstationName; 4778/4779 use AccountName/AccountDomain/LogonID
-- and ClientAddress/ClientName instead, so both spellings are coalesced here
-- (otherwise user_name and source_ip are NULL for every reconnect/disconnect).
SELECT
    datetime AS event_time,
    computer_name,
    'Security' AS channel,
    eventid,
    provider_name,
    level,
    COALESCE(json_extract(data, '$.EventData.TargetDomainName'),
             json_extract(data, '$.EventData.AccountDomain')) AS domain_name,
    COALESCE(json_extract(data, '$.EventData.TargetUserName'),
             json_extract(data, '$.EventData.AccountName')) AS user_name,
    json_extract(data, '$.EventData.LogonType') AS logon_type,
    COALESCE(json_extract(data, '$.EventData.IpAddress'),
             json_extract(data, '$.EventData.ClientAddress')) AS source_ip,
    json_extract(data, '$.EventData.IpPort') AS source_port,
    COALESCE(json_extract(data, '$.EventData.WorkstationName'),
             json_extract(data, '$.EventData.ClientName')) AS workstation_name,
    json_extract(data, '$.EventData.LogonProcessName') AS logon_process,
    json_extract(data, '$.EventData.AuthenticationPackageName') AS auth_package,
    COALESCE(json_extract(data, '$.EventData.TargetLogonId'),
             json_extract(data, '$.EventData.LogonID')) AS logon_id,
    json_extract(data, '$.EventData.SubjectUserName') AS subject_user,
    json_extract(data, '$.EventData.SubjectDomainName') AS subject_domain,
    json_extract(data, '$.EventData.Status') AS status_code,
    json_extract(data, '$.EventData.SubStatus') AS sub_status_code,
    json_extract(data, '$.EventData.FailureReason') AS failure_reason,
    CASE
        WHEN eventid = 4624 AND json_extract(data, '$.EventData.LogonType') = '10' THEN 'RDP_LOGON_SUCCESSFUL_NEW'
        WHEN eventid = 4624 AND json_extract(data, '$.EventData.LogonType') = '3' THEN 'LOGON_SUCCESSFUL_NETWORK'
        WHEN eventid = 4624 AND json_extract(data, '$.EventData.LogonType') = '7' THEN 'LOGON_SUCCESSFUL_UNLOCK'
        WHEN eventid = 4625 AND json_extract(data, '$.EventData.LogonType') = '10' THEN 'RDP_LOGON_FAILED'
        WHEN eventid = 4625 AND json_extract(data, '$.EventData.LogonType') = '3' THEN 'LOGON_FAILED_NETWORK'
        -- every 4625 is selected below regardless of LogonType, so label the rest
        -- instead of letting them fall through to UNKNOWN_4625
        WHEN eventid = 4625 THEN 'LOGON_FAILED_OTHER'
        WHEN eventid = 4634 THEN 'LOGOFF_DISCONNECT'
        WHEN eventid = 4647 THEN 'USER_INITIATED_LOGOFF'
        WHEN eventid = 4778 THEN 'SESSION_RECONNECTED'
        WHEN eventid = 4779 THEN 'SESSION_DISCONNECTED'
        ELSE 'UNKNOWN_' || eventid
    END AS event_description,
    pid,
    data
FROM windows_eventlog
WHERE
    channel = 'Security'
    AND (
        -- 4634 carries LogonType; 4647/4778/4779 do not, so they match on ID alone
        (eventid IN (4624, 4634) AND json_extract(data, '$.EventData.LogonType') IN ('3', '7', '10'))
        OR eventid IN (4778, 4625, 4779, 4647)
    )

UNION ALL

-- Part 2: TerminalServices-LocalSessionManager - RDP Session Events
SELECT
    datetime AS event_time,
    computer_name,
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AS channel,
    eventid,
    provider_name,
    level,
    -- User is 'DOMAIN\user' for events 21-25. SQLite string literals do not
    -- process backslash escapes, so the separator is a single backslash here;
    -- a doubled '\\' would never match and the split silently returns nothing.
    -- When this query is embedded in a JSON file it must be spelled "\\" there.
    -- NULLIF keeps the domain NULL (so Param2 can apply) when there is no separator.
    COALESCE(
        NULLIF(SUBSTR(json_extract(data, '$.UserData.EventXML.User'), 1,
                      INSTR(json_extract(data, '$.UserData.EventXML.User'), '\') - 1), ''),
        json_extract(data, '$.UserData.EventXML.Param2')
    ) AS domain_name,
    COALESCE(
        SUBSTR(json_extract(data, '$.UserData.EventXML.User'),
               INSTR(json_extract(data, '$.UserData.EventXML.User'), '\') + 1),
        json_extract(data, '$.UserData.EventXML.Param1')
    ) AS user_name,
    NULL AS logon_type,
    COALESCE(
        json_extract(data, '$.UserData.EventXML.Address'),
        json_extract(data, '$.UserData.EventXML.Param3')
    ) AS source_ip,
    NULL AS source_port,
    NULL AS workstation_name,
    NULL AS logon_process,
    NULL AS auth_package,
    json_extract(data, '$.UserData.EventXML.SessionID') AS logon_id,
    NULL AS subject_user,
    NULL AS subject_domain,
    NULL AS status_code,
    NULL AS sub_status_code,
    json_extract(data, '$.UserData.EventXML.Reason') AS failure_reason,
    CASE eventid
        WHEN 21 THEN 'RDP_LOCAL_CONNECTED'
        WHEN 22 THEN 'RDP_REMOTE_CONNECTED'
        WHEN 23 THEN 'RDP_SESSION_LOGOFF'
        WHEN 24 THEN 'RDP_LOCAL_DISCONNECTED'
        WHEN 25 THEN 'RDP_REMOTE_RECONNECTION'
        WHEN 39 THEN 'RDP_REMOTE_DISCONNECTED_FORMAL'
        WHEN 40 THEN 'RDP_REMOTE_DISCONNECTED_REASON'
        ELSE 'UNKNOWN_TSL_' || eventid
    END AS event_description,
    pid,
    data
FROM windows_eventlog
WHERE
    channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    AND eventid IN (21, 22, 23, 24, 25, 39, 40)

UNION ALL

-- Part 3: TerminalServices-RemoteConnectionManager - RDP Initiation
SELECT
    datetime AS event_time,
    computer_name,
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' AS channel,
    eventid,
    provider_name,
    level,
    json_extract(data, '$.UserData.EventXML.Param2') AS domain_name,
    json_extract(data, '$.UserData.EventXML.Param1') AS user_name,
    NULL AS logon_type,
    json_extract(data, '$.UserData.EventXML.Param3') AS source_ip,
    NULL AS source_port,
    NULL AS workstation_name,
    NULL AS logon_process,
    NULL AS auth_package,
    NULL AS logon_id,
    NULL AS subject_user,
    NULL AS subject_domain,
    NULL AS status_code,
    NULL AS sub_status_code,
    NULL AS failure_reason,
    'RDP_INITIATION_SUCCESSFUL' AS event_description,
    pid,
    data
FROM windows_eventlog
WHERE
    channel = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    AND eventid = 1149

UNION ALL

-- Part 4: System Channel - Desktop Window Manager Closed
SELECT
    datetime AS event_time,
    computer_name,
    'System' AS channel,
    eventid,
    provider_name,
    level,
    NULL AS domain_name,
    NULL AS user_name,
    NULL AS logon_type,
    NULL AS source_ip,
    NULL AS source_port,
    NULL AS workstation_name,
    NULL AS logon_process,
    NULL AS auth_package,
    NULL AS logon_id,
    NULL AS subject_user,
    NULL AS subject_domain,
    NULL AS status_code,
    NULL AS sub_status_code,
    NULL AS failure_reason,
    'DESKTOPWINDOWMANAGER_CLOSED' AS event_description,
    pid,
    data
FROM windows_eventlog
WHERE
    channel = 'System'
    AND eventid = 9009

ORDER BY event_time DESC;

  - Query Security channel
  - Query TerminalServices-LocalSessionManager
  - Query TerminalServices-RemoteConnectionManager
  - Query System channel
  - ECS mappings for authentication and winlog fields
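The detections listed under "Detection Focus" (a brute force that ends in a successful logon from the same source, a 4778 reconnect arriving from a different client address than the one that opened the session) are not visible in any single row; they need correlation over the per-event rows the query emits. The following Python is an added example, not code from this PR or from the osquery_manager integration. It runs that correlation over constructed sample rows shaped like the query's output (event_time, event_description, user_name, source_ip, logon_id); the threshold, the time window, the sample data and the decision to key reconnects by user name are all assumptions. It relies on source_ip being populated for 4778 rows, which requires the query to read EventData.ClientAddress for that event, since 4778 has no IpAddress field.

```python
"""Correlate rows emitted by the RDP authentication query into alerts.

Added example, not part of the PR. Rows are dicts carrying the query's column
names; only the columns used here are populated in the constructed sample.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = {"RDP_LOGON_FAILED", "LOGON_FAILED_NETWORK"}   # 4625, LogonType 10 / 3
SUCCESS = {"RDP_LOGON_SUCCESSFUL_NEW"}                   # 4624, LogonType 10


def _ts(row):
    return datetime.strptime(row["event_time"], "%Y-%m-%d %H:%M:%S")


def _row(event_time, description, user, ip, logon_id=None):
    return {"event_time": event_time, "event_description": description,
            "user_name": user, "source_ip": ip, "logon_id": logon_id}


# Constructed sample (not real telemetry): five failures from 10.0.0.5 in under
# a minute, then a success; that session is later reconnected from 10.0.0.99.
SAMPLE_ROWS = [
    _row("2026-01-20 10:00:01", "RDP_LOGON_FAILED", "admin", "10.0.0.5"),
    _row("2026-01-20 10:00:09", "RDP_LOGON_FAILED", "admin", "10.0.0.5"),
    _row("2026-01-20 10:00:17", "RDP_LOGON_FAILED", "administrator", "10.0.0.5"),
    _row("2026-01-20 10:00:26", "RDP_LOGON_FAILED", "admin", "10.0.0.5"),
    _row("2026-01-20 10:00:34", "RDP_LOGON_FAILED", "admin", "10.0.0.5"),
    _row("2026-01-20 10:00:51", "RDP_LOGON_SUCCESSFUL_NEW", "admin", "10.0.0.5", "0x3E7A1"),
    _row("2026-01-20 10:30:00", "SESSION_DISCONNECTED", "admin", "10.0.0.5", "0x3E7A1"),
    _row("2026-01-20 10:42:13", "SESSION_RECONNECTED", "admin", "10.0.0.99", "0x3E7A1"),
    _row("2026-01-20 11:05:00", "RDP_LOGON_SUCCESSFUL_NEW", "alice", "10.0.0.7", "0x41C20"),
    _row("2026-01-20 11:20:00", "RDP_LOGON_FAILED", "bob", "10.0.0.8"),
]


def find_brute_force(rows, threshold=5, window=timedelta(minutes=10)):
    """One alert per source IP with >= threshold failures inside `window`,
    listing the accounts tried and whether that IP then logged on via RDP
    (a success within `window` after the burst means the guessing worked)."""
    rows = sorted(rows, key=_ts)
    failures = defaultdict(list)
    for r in rows:
        if r["event_description"] in FAILED and r["source_ip"]:
            failures[r["source_ip"]].append(r)
    alerts = []
    for ip, fails in failures.items():
        for i in range(len(fails) - threshold + 1):      # sliding window of `threshold` failures
            first, last = fails[i], fails[i + threshold - 1]
            if _ts(last) - _ts(first) > window:
                continue
            deadline = _ts(last) + window
            success = next((r for r in rows if r["source_ip"] == ip
                            and r["event_description"] in SUCCESS
                            and _ts(first) <= _ts(r) <= deadline), None)
            alerts.append({"source_ip": ip, "failures": len(fails),
                           "targets": sorted({f["user_name"] for f in fails}),
                           "succeeded_as": success["user_name"] if success else None})
            break                                          # one alert per IP
    return alerts


def find_reconnect_from_new_source(rows):
    """Flag a SESSION_RECONNECTED (4778) whose source_ip differs from the address
    that established, or last reconnected, the same user's RDP session. A
    reconnect from an unexpected host is the session-hijacking indicator the
    query's 4778 coverage is meant to surface."""
    last_ip = {}
    alerts = []
    for r in sorted(rows, key=_ts):
        user, desc = r["user_name"], r["event_description"]
        if desc in SUCCESS:
            last_ip[user] = r["source_ip"]
        elif desc == "SESSION_RECONNECTED":
            prev = last_ip.get(user)
            if prev and prev != r["source_ip"]:
                alerts.append({"user_name": user, "logon_id": r["logon_id"],
                               "previous_ip": prev, "reconnect_ip": r["source_ip"],
                               "event_time": r["event_time"]})
            last_ip[user] = r["source_ip"]
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force(SAMPLE_ROWS) + find_reconnect_from_new_source(SAMPLE_ROWS):
        print(alert)
```

On the sample the brute-force check returns one alert for 10.0.0.5 (five failures against admin and administrator, then a success as admin), and the reconnect check returns one alert for admin moving from 10.0.0.5 to 10.0.0.99. Keying reconnects by user name rather than logon_id is a simplification; with logon_id populated from TargetLogonId (4624) and LogonID (4778) the two can be matched per session instead.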
@tomsonpl tomsonpl requested a review from a team as a code owner January 20, 2026 10:47
@tomsonpl tomsonpl requested review from a team, calladoum-elastic, ferullo, joeypoon and szwarckonrad and removed request for a team January 20, 2026 10:47
@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager Team:Defend Workflows Security team for Endpoint and OSQuery workflows [elastic/security-defend-workflows] labels Jan 20, 2026
@tomsonpl tomsonpl removed request for a team, joeypoon and szwarckonrad January 20, 2026 13:28
@elasticmachine

💔 Build Failed

@ferullo (Contributor) left a comment
One minor thing

}
},
{
"key": "host.hostname",
remove
