Remote Connection Manager – Event 261

“Connection Received”

Published on May 24, 2023
Last updated on July 20, 2023

What Is It?

This event is created when a network connection is made to the Remote Desktop service.

The Remote Connection Manager is responsible for accepting Windows RDP connections and is part of the Remote Desktop Service. It listens on TCP port 3389 by default.

Artifact Family

This event is in the Inbound Logon artifact family. It is related to incoming Windows RDP connections.

When Does It Get Created?

This event is created when a network connection is made and data is sent to the port. In our testing (on Windows 10), it does not need to be a legitimate RDP connection. Any TCP connection that sends random data to it will cause the event to be generated.

What Data Is Stored?

The event contains only basic information that comes from the local host (not the connecting host).

Examples include:

  • Time
  • Process ID of the Remote Desktop Service
  • Local host name

The event DOES NOT contain remote host information or which local user account was being used.

Relevance to DFIR?

This event has minimal DFIR value because it shows only that a connection was made, but doesn’t provide any context about where the connection was from or if it was successful.

If one sees a large number of these events with no corresponding Event ID 1149 (the event recorded when the connection goes on to authenticate successfully), it could be a sign of a series of failed logins or of some form of network scan. Other logs, such as Security, should have more specific details about the outcome of each logon attempt.

The potential value of this event is when the Security log has been wiped or has rolled over and its events from the time period being investigated are gone. This log (if it exists) can then still give some idea of what happened. With default settings, this log retains events much further back than the Security log does.
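The correlation described above, as an added example that is not part of the original page or of Cyber Triage: it walks a set of constructed sample records modelled on the RemoteConnectionManager/Operational log, flags every 261 that is not followed by an 1149 within a short window, and then groups the unexplained connections into bursts that might indicate failed logins or scanning. The two-minute match window and the burst threshold are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Event IDs from the RemoteConnectionManager log discussed on this page.
CONNECTION_RECEIVED = 261   # "Connection Received": a TCP connection hit port 3389
AUTH_SUCCEEDED = 1149       # authentication succeeded for an incoming RDP session


@dataclass
class Event:
    time: datetime
    event_id: int


def unmatched_connections(events: List[Event],
                          window: timedelta = timedelta(minutes=2)) -> List[Event]:
    """Return each 261 event with no 1149 within `window` after it.
    Each 1149 explains at most one 261, so a success is consumed by the
    earliest preceding connection that it can match (assumed pairing rule)."""
    successes = sorted(e.time for e in events if e.event_id == AUTH_SUCCEEDED)
    conns = sorted((e for e in events if e.event_id == CONNECTION_RECEIVED),
                   key=lambda e: e.time)
    unmatched = []
    for conn in conns:
        idx = next((i for i, t in enumerate(successes)
                    if conn.time <= t <= conn.time + window), None)
        if idx is None:
            unmatched.append(conn)
        else:
            successes.pop(idx)
    return unmatched


def bursts(unmatched: List[Event], window: timedelta = timedelta(minutes=5),
           threshold: int = 10) -> List[Tuple[datetime, int]]:
    """Group unexplained 261s by `window` from the first event in each group;
    return (start_time, count) for groups with at least `threshold` events."""
    groups, start, count = [], None, 0
    for t in sorted(e.time for e in unmatched):
        if start is None or t - start > window:
            if start is not None:
                groups.append((start, count))
            start, count = t, 0
        count += 1
    if start is not None:
        groups.append((start, count))
    return [(s, c) for s, c in groups if c >= threshold]


def _t(h: int, m: int, s: int) -> datetime:
    return datetime(2023, 5, 24, h, m, s)


# Constructed sample records (not real log data): one legitimate logon,
# twelve connections in one minute with no 1149, and one stray connection.
SAMPLE = ([Event(_t(9, 0, 0), CONNECTION_RECEIVED), Event(_t(9, 0, 3), AUTH_SUCCEEDED)]
          + [Event(_t(10, 0, 5 * i), CONNECTION_RECEIVED) for i in range(12)]
          + [Event(_t(11, 30, 0), CONNECTION_RECEIVED)])
```

Running `bursts(unmatched_connections(SAMPLE))` on the sample reports the single burst starting at 10:00:00 with 12 unexplained connections; the 09:00:00 connection is explained by its 1149 and the lone 11:30:00 connection never reaches the threshold.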

Usage in Cyber Triage

Cyber Triage collects and parses the Remote Connection Manager event log, but doesn’t use this specific event because it doesn’t provide any unique value that can be linked to other logon sessions.