What Is It?
This event is created when a network connection is made to the Remote Desktop service.
- Event Log: Remote Connection Manager log
- Event ID: 261
- Event Description: “Listener RDP-Tcp received a connection”
The Remote Connection Manager is responsible for accepting Windows RDP connections and is part of the Remote Desktop Service. It listens on TCP port 3389 by default.
Artifact Family
This event is in the Inbound Logon artifact family. It is related to incoming Windows RDP connections.
When Does It Get Created?
This event is created when a network connection is made and data is sent to the port. In our testing (on Windows 10), it does not need to be a legitimate RDP connection. Any TCP connection that sends random data to it will cause the event to be generated.
What Data Is Stored?
The event contains only basic information that comes from the local host (not the connecting host).
Examples include:
- Time
- Process ID of the Remote Desktop Service
- Local host name
The event DOES NOT contain remote host information or which local user account was being used.
Relevance to DFIR?
This event has minimal DFIR value because it shows only that a connection was made, but doesn’t provide any context about where the connection was from or if it was successful.
If one sees a large number of these events with no corresponding Event ID 1149, then it could be a sign of a series of failed logins or it could be from some form of network scan. But, other logs, such as Security, should have more specific reasons about the conclusion of the logon attempt.
The potential value of this event is when the Security log is wiped or has rolled over and its events from the time period being investigated are gone. This log could then be useful (if it exists) to get some ideas about what happened. With default settings, this log file goes back much further than Security will.
Usage in Cyber Triage
Cyber Triage collects and parses the Remote Connection Manager event log, but doesn’t use this specific event because it doesn’t provide any unique value that can be linked to other logon sessions.
