Denied Access To Remote Desktop
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Attackers also generate this event when they probe the network for Windows servers that accept Remote Desktop connections, so a burst of these events from one account or source against several hosts deserves attention.
Sigma rule
title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
status: test
description: |
    This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
    Often, this event can be generated by attackers when searching for available windows servers in the network.
references:
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
date: 2020-06-27
modified: 2021-11-27
tags:
    - attack.lateral-movement
    - attack.t1021.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4825
    condition: selection
falsepositives:
    - Valid user was not added to RDP group
level: medium
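The rule's detection logic is a single selection (EventID 4825 from the Security channel), so the interesting part on the SIEM side is triage: telling the documented false positive (one valid user who was never added to the Remote Desktop Users group) from the behaviour the description warns about (one account or source being denied on many hosts). The following Python is an added example, not code from the Sigma project or the rule's author. It assumes the usual backend mapping of `service: security` to `Channel == "Security"`, and it uses field names taken from the event's own layout (AccountName, AccountDomain, ClientAddress from the Subject and Additional Information sections) plus a `Computer` field for the logging host; the events themselves are constructed samples, not real log data.

```python
from typing import Dict, List, Tuple

# Sigma 'selection' from the rule above, with logsource service: security
# mapped to the Security channel (assumed backend mapping).
SIGMA_SELECTION = {"Channel": "Security", "EventID": 4825}

# Constructed sample events (not real log data). Field names follow the
# Subject / Additional Information sections of event 4825; Computer is the
# host that wrote the event.
SAMPLE_EVENTS: List[Dict] = [
    {"Channel": "Security", "EventID": 4825, "Computer": "FS01.corp.example",
     "AccountName": "jdoe", "AccountDomain": "CORP", "ClientAddress": "10.0.5.17"},
    {"Channel": "Security", "EventID": 4825, "Computer": "SQL02.corp.example",
     "AccountName": "jdoe", "AccountDomain": "CORP", "ClientAddress": "10.0.5.17"},
    {"Channel": "Security", "EventID": 4825, "Computer": "WEB03.corp.example",
     "AccountName": "jdoe", "AccountDomain": "CORP", "ClientAddress": "10.0.5.17"},
    # One denial for a different user on a single host: the rule's listed
    # false positive (a valid user not in the Remote Desktop Users group).
    {"Channel": "Security", "EventID": 4825, "Computer": "FS01.corp.example",
     "AccountName": "asmith", "AccountDomain": "CORP", "ClientAddress": "10.0.9.42"},
    # Successful logon (4624) must not match.
    {"Channel": "Security", "EventID": 4624, "Computer": "FS01.corp.example",
     "AccountName": "asmith", "AccountDomain": "CORP", "ClientAddress": "10.0.9.42"},
    # Same ID in another channel must not match either.
    {"Channel": "System", "EventID": 4825, "Computer": "FS01.corp.example",
     "AccountName": "svc-backup", "AccountDomain": "CORP", "ClientAddress": "10.0.1.3"},
]


def matches_selection(event: Dict, selection: Dict = SIGMA_SELECTION) -> bool:
    """Sigma selection semantics: every listed field must equal its value (AND)."""
    return all(event.get(field) == value for field, value in selection.items())


def denied_rdp_events(events: List[Dict]) -> List[Dict]:
    """Events that satisfy the rule's 'condition: selection'."""
    return [e for e in events if matches_selection(e)]


def triage(events: List[Dict], sweep_threshold: int = 3) -> Dict[Tuple[str, str], Dict]:
    """Group rule hits by (DOMAIN\\account, client address) and count distinct
    target hosts within the analysed batch.

    One host usually means the documented false positive; the same account and
    source denied on sweep_threshold or more hosts is the pattern the rule
    description warns about and is flagged for an analyst.
    """
    targets: Dict[Tuple[str, str], set] = {}
    for e in denied_rdp_events(events):
        key = (f"{e['AccountDomain']}\\{e['AccountName']}", e["ClientAddress"])
        targets.setdefault(key, set()).add(e["Computer"])
    return {
        key: {"hosts": sorted(hosts), "escalate": len(hosts) >= sweep_threshold}
        for key, hosts in targets.items()
    }


if __name__ == "__main__":
    for (account, client), info in triage(SAMPLE_EVENTS).items():
        flag = "ESCALATE" if info["escalate"] else "likely benign"
        print(f"{account} from {client}: denied on {len(info['hosts'])} host(s) -> {flag}")
```

In a real pipeline the batch would be a sliding time window rather than a fixed list, and the threshold tuned to the environment; the grouping key is what matters, because a single user who was simply never added to the Remote Desktop Users group produces one host per account, while a scan of the network produces many.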
References
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
Related rules
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE
- RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
- User Added to Remote Desktop Users Group
- New Remote Desktop Connection Initiated Via Mstsc.EXE
- Port Forwarding Activity Via SSH.EXE