Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
Often, this event can be generated by attackers when searching for available windows servers in the network.