Splunk Searches
NOTE: the searches below are general templates. Adjust the conditions (index, host names, accounts to exclude, time window) to the task at hand.
Evidence of Authentication
EventID 4648: A logon was attempted using explicit credentials
Event Description: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
4648 is written on the host where the explicit credentials are supplied, so for RDP it appears on the source system: mstsc.exe records the account it will present in TargetUserName and the destination as TERMSRV/<host> in TargetInfo. The corresponding record on the destination is EventID 4624 with Logon_Type=10 (RemoteInteractive).
Evidence of RDP Connection from the point of view of the source system
index=*event-log EventID=4648
TargetServerName IN ("*SERVER1*", "*SERVER2*")
TargetInfo IN ("TERMSRV*")
NOT "*$"
NOT SubjectUserName IN ("LOCAL SERVICE")
| rename host as logging_host, IpAddress as src_ip
| table _time, EventID, logging_host, src_ip, SubjectUserName, TargetUserName, TargetServerName, TargetInfo, ProcessName
NOT "*$" drops events whose raw text contains a computer account (names ending in $), and NOT SubjectUserName IN ("LOCAL SERVICE") drops credential use by the LOCAL SERVICE account; both are routine noise rather than interactive RDP use. logging_host is the source workstation, TargetServerName the RDP destination.
Evidence of RDP from the point of view of the source and destination systems
index=*event-log EventID=4648
TargetServerName IN ("*SERVER1*", "*SERVER2*")
TargetInfo IN ("TERMSRV*")
NOT "*$"
NOT SubjectUserName IN ("LOCAL SERVICE")
| rename host as logging_host, IpAddress as src_ip
| table _time, EventID, logging_host, src_ip, SubjectUserName, TargetUserName, TargetServerName, TargetInfo, ProcessName
| append [ search index=*event-log EventID=4624 Logon_Type=10 (host="SERVER1" OR host="SERVER2")
    | rename host as TargetServerName, IpAddress as src_ip
    | table _time, EventID, src_ip, TargetUserName, TargetServerName, ProcessName ]
| sort _time
The subsearch renames IpAddress to src_ip (without the rename the src_ip column of the appended rows is empty), and the final sort interleaves source and destination records chronologically, since append only stacks the two result sets and does not join them. Match rows by TargetUserName, TargetServerName and time: the destination 4624 should follow the source 4648 within seconds. Two caveats when reading the destination side: with Network Level Authentication enabled the destination also logs a 4624 with Logon_Type=3 for the same user just before the Type 10 record, and reconnecting to an existing session logs Logon_Type=7 rather than 10, so a 4648 with no matching Type 10 event is not by itself proof that the connection failed.
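To show how the two record types line up, here is an added Python example (not part of these notes and not Splunk code): it applies the same filters as the two searches above to a handful of constructed 4648 and 4624 events, then pairs each source-side 4648 with the destination's Logon Type 10 record by user, server and time, which the append in the search does not do. Field names (SubjectUserName, TargetInfo, Logon_Type, IpAddress) follow Splunk's Windows event extractions; the host names, accounts, addresses, timestamps and the 30-second window are invented for the example.

```python
from datetime import datetime, timedelta

SERVERS = ["SERVER1", "SERVER2"]   # same placeholders as the Splunk searches
WINDOW = timedelta(seconds=30)     # assumed max gap between the 4648 and its 4624

def _ts(s):
    return datetime.fromisoformat(s)

def _short(hostname):
    """'SERVER1.corp.local' -> 'server1' so FQDN and NetBIOS forms compare equal."""
    return hostname.split(".")[0].lower()

# Constructed sample events (assumption: Splunk Windows-event field names).
EVENTS = [
    # alice runs mstsc on WS01 to SERVER1: 4648 on the source ...
    {"_time": "2024-03-01T09:00:05", "EventID": 4648, "host": "WS01",
     "IpAddress": "10.0.0.21", "SubjectUserName": "alice", "TargetUserName": "alice",
     "TargetServerName": "SERVER1.corp.local", "TargetInfo": "TERMSRV/SERVER1.corp.local",
     "ProcessName": r"C:\Windows\System32\mstsc.exe"},
    # ... NLA pre-authentication on the destination (Logon Type 3, not 10) ...
    {"_time": "2024-03-01T09:00:06", "EventID": 4624, "host": "SERVER1", "Logon_Type": 3,
     "TargetUserName": "alice", "IpAddress": "10.0.0.21", "ProcessName": "-"},
    # ... then the RemoteInteractive logon itself.
    {"_time": "2024-03-01T09:00:07", "EventID": 4624, "host": "SERVER1", "Logon_Type": 10,
     "TargetUserName": "alice", "IpAddress": "10.0.0.21",
     "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    # Machine-account noise, the kind NOT "*$" removes.
    {"_time": "2024-03-01T09:01:00", "EventID": 4648, "host": "WS01", "IpAddress": "-",
     "SubjectUserName": "WS01$", "TargetUserName": "WS01$",
     "TargetServerName": "SERVER1.corp.local", "TargetInfo": "TERMSRV/SERVER1.corp.local",
     "ProcessName": "-"},
    # Explicit credentials to SERVER1 but not RDP (no TERMSRV/ target): ignored.
    {"_time": "2024-03-01T09:02:00", "EventID": 4648, "host": "WS01",
     "IpAddress": "10.0.0.21", "SubjectUserName": "alice", "TargetUserName": "svc_backup",
     "TargetServerName": "SERVER1.corp.local", "TargetInfo": "cifs/SERVER1.corp.local",
     "ProcessName": r"C:\Windows\System32\net.exe"},
    # bob starts RDP to SERVER2 but SERVER2 sends no 4624/10: left unconfirmed.
    {"_time": "2024-03-01T09:05:00", "EventID": 4648, "host": "WS02",
     "IpAddress": "10.0.0.22", "SubjectUserName": "bob", "TargetUserName": "administrator",
     "TargetServerName": "SERVER2", "TargetInfo": "TERMSRV/SERVER2",
     "ProcessName": r"C:\Windows\System32\mstsc.exe"},
]

def source_side(events, servers=SERVERS):
    """Same filter as the 4648 search: TERMSRV/ target on a named server,
    minus machine accounts (names ending in $) and LOCAL SERVICE."""
    keep = []
    for e in events:
        if e["EventID"] != 4648:
            continue
        if not any(s.lower() in e["TargetServerName"].lower() for s in servers):
            continue
        if not e["TargetInfo"].upper().startswith("TERMSRV"):
            continue
        if e["SubjectUserName"].endswith("$") or e["TargetUserName"].endswith("$"):
            continue
        if e["SubjectUserName"] == "LOCAL SERVICE":
            continue
        keep.append(e)
    return keep

def destination_side(events, servers=SERVERS):
    """Same filter as the appended 4624 search: Logon Type 10 on the target
    hosts.  The NLA Type 3 record and Type 7 reconnects are not included."""
    wanted = {s.lower() for s in servers}
    return [e for e in events if e["EventID"] == 4624
            and e.get("Logon_Type") == 10 and _short(e["host"]) in wanted]

def correlate(events, servers=SERVERS, window=WINDOW):
    """Pair every source 4648 with the first destination 4624/10 for the same
    user on the same server within `window`.  Returns (matched, unconfirmed).
    An unconfirmed 4648 means no Type 10 logon was seen: the connection may
    have failed, the destination may not forward logs, or it was a reconnect."""
    dst = sorted(destination_side(events, servers), key=lambda e: e["_time"])
    matched, unconfirmed = [], []
    for s in source_side(events, servers):
        t0 = _ts(s["_time"])
        hit = next((d for d in dst
                    if _short(d["host"]) == _short(s["TargetServerName"])
                    and d["TargetUserName"].lower() == s["TargetUserName"].lower()
                    and t0 <= _ts(d["_time"]) <= t0 + window), None)
        if hit is None:
            unconfirmed.append(s)
        else:
            matched.append({"src_host": s["host"], "src_ip": hit["IpAddress"],
                            "user": s["TargetUserName"], "server": _short(hit["host"]),
                            "delta_s": (_ts(hit["_time"]) - t0).total_seconds()})
    return matched, unconfirmed

if __name__ == "__main__":
    confirmed, pending = correlate(EVENTS)
    for row in confirmed:
        print("RDP session:", row)
    for e in pending:
        print("4648 without 4624/10:", e["host"], "->", e["TargetInfo"], "as", e["TargetUserName"])
```

Run it directly to print the one confirmed session (alice, WS01 to SERVER1, two seconds apart) and bob's unconfirmed attempt against SERVER2. The correlation key is the account plus the target host; when chasing suspected lateral movement, widen WINDOW and also pull Logon_Type=7 on the destination so reconnections to an existing session are not reported as unconfirmed.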