Remote Desktop Protocol: Executing the 4624_4625 Login Query

The 4624_4625 login events query provides defenders, specifically analysts, with a useful tool for both identifying successful RDP logins (Windows Security Log Event 4624) and failed attempts (Windows Security Log Event 4625). These events can be generated by systems, domain controllers, and workstations.  

These Windows events are visible in Event Viewer, of course, but in this post (and in the companion video we’ve put on our YouTube channel) we’ll demonstrate our analysis using Sophos Central. The SQL query we’ll use below is available to all on our Github. 

Building and executing the query

The SQL query we’ll be working with looks like this:

strftime(‘%Y-%m-%dT%H:%M:%SZ’,datetime) AS date_time,
eventid AS EventID,
WHEN eventid = 4624 THEN eventid

Latest Posts