Event ID 4778 | Audit Success | Security
Windows Event ID 4778 — Session Reconnected to Window Station
Logged when a user reconnects to an existing Remote Desktop session. Indicates RDP re-connection activity.
Why It Matters
Unexpected RDP reconnections — especially to systems that shouldn't have remote access enabled — can indicate an attacker re-establishing a dormant foothold.
Key Fields
Account Name: The user reconnecting
Client Name / Client Address: The system they are connecting from
Session Name: RDP-Tcp#0 etc.
Investigation Tips
1. Compare the Client Address to known admin workstations — unexpected IPs warrant investigation.
2. Off-hours reconnections to servers or domain controllers are high-priority alerts.
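Both tips applied to exported 4778 event XML, as an added example (not EventPeeker's code). The admin subnet, working hours, host names, accounts and sample events are constructed assumptions; adjust them to your environment.

```python
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, time

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumptions for this example: admin workstation subnet and working hours (UTC).
ADMIN_NETS = [ipaddress.ip_network("10.10.5.0/24")]
WORK_START, WORK_END = time(7, 0), time(19, 0)

# Constructed sample events (invented hosts and accounts, not real log data).
_TMPL = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
         '<System><EventID>4778</EventID><TimeCreated SystemTime="{}"/>'
         '<Computer>{}</Computer></System><EventData>'
         '<Data Name="AccountName">{}</Data><Data Name="SessionName">RDP-Tcp#0</Data>'
         '<Data Name="ClientName">{}</Data><Data Name="ClientAddress">{}</Data>'
         '</EventData></Event>')
SAMPLE = "<Events>" + "".join(_TMPL.format(*row) for row in [
    ("2024-03-12T09:15:02.1234567Z", "FS01.example.test", "alice.adm", "ADM-WS20", "10.10.5.20"),
    ("2024-03-13T02:41:37.7654321Z", "DC01.example.test", "svc_backup", "DESKTOP-X", "203.0.113.45"),
    ("2024-03-13T23:05:10.0000000Z", "FS01.example.test", "bob.adm", "ADM-WS31", "10.10.5.31"),
]) + "</Events>"

def parse_4778(xml_text):
    """Yield a dict per 4778 event: EventData fields plus Time (UTC) and Computer."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4778":
            continue
        rec = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        rec["Time"] = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")  # whole seconds, UTC
        rec["Computer"] = ev.findtext("e:System/e:Computer", namespaces=NS)
        yield rec

def triage(rec):
    """Return the reasons a reconnection needs review; an empty list means expected."""
    reasons = []
    try:
        addr = ipaddress.ip_address(rec.get("ClientAddress", ""))
        if not any(addr in net for net in ADMIN_NETS):
            reasons.append("client address is not a known admin workstation")
    except ValueError:
        reasons.append("client address is missing or not an IP")
    if not WORK_START <= rec["Time"].time() < WORK_END:
        reasons.append("off-hours reconnection")
    return reasons

if __name__ == "__main__":
    for r in parse_4778(SAMPLE):
        print(r["Time"], r["Computer"], r["AccountName"], r["ClientAddress"], triage(r))
```

Event times are compared in UTC here; convert to the server's local time zone before applying working hours if your schedule is defined locally.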