Failed Windows Remote Desktop Connection Attempt

The following Splunk query examples return failed Windows Remote Desktop (RDP) logon attempts. A failure could be the result of a bad password, an invalid user name, or any number of other reasons; on Server 2008 and newer the Failure_Reason field tells you which. Logon type 10 (RemoteInteractive) restricts the results to RDP/Terminal Services sessions, so failed console, service, and network logons are excluded. Note that on hosts with Network Level Authentication enabled, credential failures are rejected before the session is created and are logged as type 3 (network) rather than type 10, so widen the Logon_Type filter if you also want those.

Ensure the Splunk App for Windows is installed; it provides the field extractions (Logon_Type, Failure_Reason, EventCode) these searches depend on. Grab it here: https://apps.splunk.com/app/742/


Windows Server 2008 and Newer:

source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s" | stats count by Date, TargetAccount, Failure_Reason, host | sort - Date
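To show what the Server 2008 and newer query above actually does, here is an added Python example (not part of the original post and not Splunk code) that runs the same logic offline: it builds a handful of constructed 4625 events in the multi-line WinEventLog text layout, applies the same EventCode/Logon_Type filter and the same Account Name regex, and produces the equivalent of `stats count by Date, TargetAccount, Failure_Reason, host | sort - Date`. The host names, accounts, timestamps and the exact message layout are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime


def make_event(ts, code, host, logon_type, target, reason):
    """Build one constructed Security-log event in the multi-line text layout
    the Splunk Add-on for Windows forwards (header key=value lines, then the
    event message). Constructed for this example, not a real capture."""
    return (
        f"{ts}\n"
        "LogName=Security\n"
        f"EventCode={code}\n"
        f"ComputerName={host}\n"
        "Message=An account failed to log on.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\t\tNULL SID\n"
        "\tAccount Name:\t\t-\n"            # the Subject account, NOT the target
        "\tAccount Domain:\t\t-\n"
        "\n"
        f"Logon Type:\t\t\t{logon_type}\n"
        "\n"
        "Account For Which Logon Failed:\n"
        "\tSecurity ID:\t\tNULL SID\n"
        f"\tAccount Name:\t\t{target}\n"
        "\tAccount Domain:\t\tCORP\n"
        "\n"
        "Failure Information:\n"
        f"\tFailure Reason:\t\t{reason}\n"
    )


BAD_PW = "Unknown user name or bad password."
LOCKED = "Account locked out."

# Constructed sample input: three RDP failures on 07/14, one on 07/15, and one
# network (type 3) failure that the Logon_Type=10 filter must drop.
SAMPLE_EVENTS = [
    make_event("07/14/2023 09:15:02 AM", 4625, "RDS01.corp.example", 10, "administrator", BAD_PW),
    make_event("07/14/2023 09:15:09 AM", 4625, "RDS01.corp.example", 10, "administrator", BAD_PW),
    make_event("07/15/2023 01:02:33 PM", 4625, "RDS01.corp.example", 10, "jdoe", LOCKED),
    make_event("07/15/2023 01:05:41 PM", 4625, "FS01.corp.example", 3, "svc_backup", BAD_PW),
    make_event("07/14/2023 11:47:58 PM", 4625, "RDS02.corp.example", 10, "administrator", BAD_PW),
]

# The same expression the Splunk query uses. Anchoring on "Failed:" skips the
# Subject block's "Account Name: -" and captures the account that was attacked.
TARGET_RE = re.compile(r"Failed:\s+.*\s+Account\sName:\s+(?P<TargetAccount>\S+)\s")


def parse_event(raw):
    """Extract the fields the query relies on from one raw event."""
    when = datetime.strptime(raw.splitlines()[0], "%m/%d/%Y %I:%M:%S %p")
    code = re.search(r"^EventCode=(\d+)$", raw, re.M)
    host = re.search(r"^ComputerName=(\S+)$", raw, re.M)
    ltype = re.search(r"Logon Type:\s+(\d+)", raw)
    target = TARGET_RE.search(raw)
    reason = re.search(r"Failure Reason:\s+(.+)", raw)
    return {
        "Date": when.strftime("%Y/%m/%d"),  # eval Date=strftime(_time, "%Y/%m/%d")
        "EventCode": int(code.group(1)),
        "host": host.group(1),
        "Logon_Type": int(ltype.group(1)) if ltype else None,
        "TargetAccount": target.group("TargetAccount") if target else None,
        "Failure_Reason": reason.group(1).strip() if reason else None,
    }


def failed_rdp_logons(events):
    """Mirror of the SPL: keep EventCode=4625 Logon_Type=10, then
    stats count by Date, TargetAccount, Failure_Reason, host | sort - Date."""
    counts = Counter()
    for raw in events:
        ev = parse_event(raw)
        if ev["EventCode"] != 4625 or ev["Logon_Type"] != 10:
            continue
        counts[(ev["Date"], ev["TargetAccount"], ev["Failure_Reason"], ev["host"])] += 1
    # Newest date first; the sort is stable, so equal dates keep first-seen order.
    return sorted(counts.items(), key=lambda kv: kv[0][0], reverse=True)


if __name__ == "__main__":
    for (date, account, reason, host), n in failed_rdp_logons(SAMPLE_EVENTS):
        print(f"{date}  {account:<14} {host:<20} {reason:<36} count={n}")
```

Run it directly to print the table. The regex is anchored on "Failed:" because a 4625 message carries two Account Name lines, one for the Subject and one for the account for which logon failed; a rex that matched the first one would report "-" for every event. The type 3 event in the sample is what the Logon_Type=10 filter drops, and also what the query would miss on an NLA-enabled host.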

Windows Server 2003 and Older (the pre-Vista failed-logon event IDs 529 through 537 and 539):

source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval Date=strftime(_time, "%Y/%m/%d") | sort - Date