question

0 Votes
JrmyBeaugeard-2203 asked · dstaulcu edited

SYSMON Event ID 3 - RDP logon issue: "Initiated" field always false

Hello,

I have an issue with Sysmon event ID 3. This event is related to network connections. When I log on to my Windows client via RDP, Sysmon shows this log event:

[image.png: screenshot of the Sysmon Event ID 3 record]


As you can see, the "Initiated" field is set to false. There is no difference between this event and the RDP connection failure. Should the "Initiated" field not be set to true in this case?

Note: I use my AD credentials to log on.

Thanks,

Jeremy

windows-sysinternals-sysmon

Sysmon is simply reporting that a network connection relating to a port (associated with RDP) was established and initiated locally. If the network connection had been initiated remotely, Initiated would have been false. Sysmon does not get into the details of whether a full RDP session was successful, and therefore Initiated should not be influenced in that way.

Try initiating test-connection to the same port via PowerShell from a remote computer. Does the Initiated value flip in that case?

1 Vote
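As an added example (not code from the thread or from Sysmon itself), the following PowerShell pulls recent Sysmon Event ID 3 (NetworkConnect) records from the Microsoft-Windows-Sysmon/Operational log, keeps those on TCP port 3389, and labels each one by its Initiated field. It assumes Sysmon is installed with a configuration that logs NetworkConnect events for that port, that RDP listens on the default port 3389, and that the shell can read the Sysmon log (normally an elevated prompt). The "inbound"/"outbound" labels are a reading of the Initiated field: true means a process on this host opened the connection, false means a remote host connected to a local listener, so an incoming RDP session always shows Initiated=false whether or not the logon behind it later succeeds.

```powershell
# Added example, not from the original thread. Lists recent Sysmon Event ID 3
# (NetworkConnect) records on TCP/3389 and labels each one by the Initiated field.
# Assumptions: Sysmon is installed, its configuration logs NetworkConnect for port
# 3389, and the shell has rights to read Microsoft-Windows-Sysmon/Operational.

function Get-SysmonRdpConnection {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 500,
        [int]$Port = 3389          # assumption: RDP listens on its default port
    )

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Sysmon stores its fields as <Data Name="..."> elements; index them by name
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Keep TCP connections where either endpoint is the RDP port
            if ($data.Protocol -ne 'tcp') { return }
            if ([int]$data.DestinationPort -ne $Port -and [int]$data.SourcePort -ne $Port) { return }

            # Initiated=true : a local process opened the connection (outbound, e.g. mstsc.exe)
            # Initiated=false: a remote host connected to a local listener (inbound)
            # The field says nothing about whether the RDP logon behind it succeeded.
            $direction = if ($data.Initiated -eq 'true') { 'outbound' } else { 'inbound' }

            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                Direction       = $direction
                Initiated       = $data.Initiated
                Image           = $data.Image
                SourceIp        = $data.SourceIp
                SourcePort      = $data.SourcePort
                DestinationIp   = $data.DestinationIp
                DestinationPort = $data.DestinationPort
            }
        } | Sort-Object TimeCreated
}

# Example usage: show only inbound RDP connections reaching this host
Get-SysmonRdpConnection | Where-Object Direction -eq 'inbound' | Format-Table -AutoSize
```

To see both values side by side, do what the answer suggests: from a remote computer that also runs Sysmon, run `Test-NetConnection -ComputerName <this host> -Port 3389`. The target records an Initiated=false event whose Image is the svchost.exe hosting TermService, while the remote machine records an Initiated=true event whose Image is powershell.exe. Neither event tells you whether an RDP logon succeeded; for that you need the Security and TerminalServices logs, not Sysmon.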

Thanks for the precise answer.
So there is no way of using Sysmon alone to monitor those windows logs.

0 Votes
dstaulcu, in reply to JrmyBeaugeard-2203:

Can you be more specific about what you want to monitor? Is it failed/successful RDP logon attempts?
There are a whole bunch of windows event log types which relate to remote connections. Maybe some of those have what you need.
I made the following PowerShell script a while back to simplify discovery of potential logs to collect. Maybe that would be helpful for you.
Here's a gif demonstrating how it works.

0 Votes
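The comment above points at the Windows event logs that do record RDP logon outcomes. As an added example (not the script the commenter mentions, which is not on this page, and not code from the thread), the following PowerShell pulls the relevant events from the Security log and from the two Remote Desktop Services operational logs and prints them on one timeline. It assumes an elevated shell that can read the Security log, that logon auditing is enabled, and that the TerminalServices operational logs are on (they are by default). The function names, the 24-hour window and the column layout are the example's own choices.

```powershell
# Added example, not from the original thread. Pulls the Windows events that
# record RDP logon outcomes, which Sysmon Event ID 3 does not capture.
# Assumptions: the shell can read the Security log (elevated), logon auditing
# is enabled, and the TerminalServices operational logs are enabled (default).

function ConvertFrom-EventXml {
    # Flattens the event payload into name -> value. Security events use
    # <EventData><Data Name="...">; TerminalServices events use <UserData><EventXML>.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $map[$d.Name] = $d.'#text' } }
    foreach ($n in $xml.Event.UserData.EventXML.ChildNodes) { $map[$n.Name] = $n.InnerText }
    return $map
}

function Get-RdpLogonActivity {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    # Security 4624 = logon succeeded, 4625 = logon failed. LogonType 10 is
    # RemoteInteractive, i.e. a full RDP session logon on this host.
    $security = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventXml $_
            if ($d['LogonType'] -ne '10') { return }
            $outcome = if ($_.Id -eq 4624) { 'logon ok' } else { 'logon failed ' + $d['Status'] + '/' + $d['SubStatus'] }
            [pscustomobject]@{
                Time = $_.TimeCreated; Log = 'Security'; Id = $_.Id; Outcome = $outcome
                User = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                Address = $d['IpAddress']
            }
        }

    # Remote Desktop Services logs. 1149 fires when network-level authentication
    # passes, before any session exists (Param1 = user, Param2 = domain,
    # Param3 = source address); 21 = session logon, 24 = disconnected, 25 = reconnected.
    $tsFilters = @(
        @{ LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id = 1149; StartTime = $Since }
        @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 21, 24, 25; StartTime = $Since }
    )
    $ts = foreach ($f in $tsFilters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $d = ConvertFrom-EventXml $_
            if ($_.Id -eq 1149) {
                $user = '{0}\{1}' -f $d['Param2'], $d['Param1']; $addr = $d['Param3']; $outcome = 'NLA auth ok'
            } else {
                $user = $d['User']; $addr = $d['Address']
                $outcome = @{ 21 = 'session logon'; 24 = 'session disconnected'; 25 = 'session reconnected' }[[int]$_.Id]
            }
            [pscustomobject]@{
                Time = $_.TimeCreated; Log = ($_.LogName -replace '^Microsoft-Windows-', ''); Id = $_.Id
                Outcome = $outcome; User = $user; Address = $addr
            }
        }
    }

    @($security) + @($ts) | Where-Object { $_ } | Sort-Object Time
}

Get-RdpLogonActivity | Format-Table -AutoSize
```

One caveat when reading the output: with Network Level Authentication enabled, a wrong password is rejected before any session is created, so the attempt is usually recorded as Security 4625 with LogonType 3 (network) rather than 10, and no 1149 or 21 appears. If failed RDP logons are what you want, widen the LogonType filter to include 3 and correlate on the IpAddress field, or pair the 4625 with the Sysmon Event ID 3 inbound connection on port 3389 from the same source.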

0 Answers