Remote Desktop Protocol: Executing the 4624_4625 Login Query

The 4624_4625 login events query gives defenders, and analysts in particular, a useful tool for identifying both successful RDP logins (Windows Security Log event ID 4624) and failed attempts (Windows Security Log event ID 4625). These events can be generated by servers, domain controllers, and workstations.

These Windows events are visible in Event Viewer, of course, but in this post (and in the companion video we’ve put on our YouTube channel) we’ll demonstrate our analysis using Sophos Central. The SQL query we’ll use below is available to all on our GitHub.
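As an added illustration (not code from the Sophos post or its GitHub repository), the following Python script builds an in-memory SQLite table of constructed 4624/4625 events and runs an osquery-style SQL query of the same shape as the one this post uses: strftime() to format the timestamp, a CASE expression to label the event ID, and a filter on logon type 10 (RemoteInteractive), which is the logon type Windows records for an RDP session. The table name, column names and sample rows are assumptions made for this example, not the schema of any Sophos Central table; the small summary step after the query shows how an analyst might spot a source that failed repeatedly before succeeding.

```python
import sqlite3

# Constructed sample rows standing in for Windows Security log events:
# (time as Unix epoch, event ID, logon type, account, source address).
# Table and column names below are assumptions for this example only.
SAMPLE_EVENTS = [
    (1700000000, 4624, 10, "alice", "10.0.0.5"),     # RDP logon succeeded
    (1700000060, 4625, 10, "admin", "203.0.113.9"),  # RDP logon failed
    (1700000120, 4625, 10, "admin", "203.0.113.9"),  # RDP logon failed again
    (1700000180, 4624, 2, "bob", "-"),               # console logon, not RDP
    (1700000240, 4624, 3, "svc", "10.0.0.7"),        # network logon, not RDP
    (1700000300, 4624, 10, "admin", "203.0.113.9"),  # RDP logon succeeded after failures
]

# Same building blocks as the post's query: strftime() for an ISO-8601 UTC
# timestamp and CASE on the event ID. Logon type 10 = RemoteInteractive (RDP).
RDP_LOGON_QUERY = """
SELECT
    strftime('%Y-%m-%dT%H:%M:%SZ', time, 'unixepoch') AS date_time,
    eventid AS EventID,
    CASE
        WHEN eventid = 4624 THEN 'RDP logon succeeded'
        WHEN eventid = 4625 THEN 'RDP logon failed'
    END AS description,
    account,
    source_ip
FROM windows_events
WHERE eventid IN (4624, 4625)
  AND logon_type = 10
ORDER BY time
"""


def load_events(events=SAMPLE_EVENTS):
    """Create an in-memory table (assumed schema) and load the sample events."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE windows_events ("
        "time INTEGER, eventid INTEGER, logon_type INTEGER, "
        "account TEXT, source_ip TEXT)"
    )
    con.executemany("INSERT INTO windows_events VALUES (?, ?, ?, ?, ?)", events)
    return con


def rdp_logon_events(events=SAMPLE_EVENTS):
    """Run the query and return (date_time, EventID, description, account, source_ip) rows."""
    con = load_events(events)
    try:
        return con.execute(RDP_LOGON_QUERY).fetchall()
    finally:
        con.close()


def summarize(rows):
    """Count failed and successful RDP logons per (account, source_ip)."""
    summary = {}
    for _date_time, event_id, _description, account, source_ip in rows:
        entry = summary.setdefault((account, source_ip), {"failed": 0, "succeeded": 0})
        entry["succeeded" if event_id == 4624 else "failed"] += 1
    return summary


def failures_then_success(summary, min_failures=2):
    """Return (account, source_ip) pairs with repeated failures and at least one success."""
    return sorted(
        key for key, counts in summary.items()
        if counts["failed"] >= min_failures and counts["succeeded"] >= 1
    )


if __name__ == "__main__":
    rows = rdp_logon_events()
    for row in rows:
        print(row)
    for key in failures_then_success(summarize(rows)):
        print("review:", key)
```

The logon type filter is the caveat worth carrying into the real query: event 4624 fires for console, network and service logons too, so without it the results are not specifically RDP. Note also that reconnecting to an existing RDP session is recorded with logon type 7 (Unlock) rather than 10, so a query that only keeps type 10 will show new sessions but not reconnects.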

Building and executing the query

The SQL query we’ll be working with looks like this:

SELECT
strftime('%Y-%m-%dT%H:%M:%SZ', datetime) AS date_time,
eventid AS EventID,
CASE
WHEN eventid = 4624 THEN eventid