RDPGraph: Making Windows Event Logs Tell the Story

Every incident responder has experienced this scenario.

A suspicious alert arrives. Something is moving through the network. You reach for your telemetry and discover there's no SIEM, no NetFlow, and no centralized logging infrastructure.

All that's left are Windows event logs scattered across multiple hosts.

The investigation becomes a manual process:

  • Opening Event Viewer on one system after another
  • Searching through thousands of log entries
  • Correlating logon events across hosts
  • Attempting to reconstruct attacker movement from fragmented evidence

While you're piecing together the puzzle, the attacker keeps moving.

That's exactly why RDPGraph was created.

What Is RDPGraph?

RDPGraph is a free and open-source incident response tool that analyzes Windows Event Logs and automatically maps Remote Desktop Protocol (RDP) relationships across an environment.

Instead of manually reviewing thousands of authentication events, responders can visualize activity through an interactive graph inspired by BloodHound.

The result is a clear view of how users and systems are connected through RDP sessions.

Key Capabilities

Visualize Lateral Movement

Quickly identify how an attacker moved through the environment by viewing RDP connections as a graph.

Track User Activity

See which accounts authenticated to which systems and understand the paths taken across hosts.

Identify Failed Logons

Spot suspicious authentication attempts and failed RDP logins that may indicate brute-force activity or attacker reconnaissance.

Accelerate Incident Response

Pinpoint compromised systems, attacker-controlled hosts, and high-risk connections to support rapid containment and remediation.

Supported Event Sources

RDPGraph parses the Windows event channels most relevant to RDP investigations, including:

Security Log

  • Event ID 4624 (Successful Logon)
  • Event ID 4625 (Failed Logon)
  • Event ID 4634 (Logoff)
  • Event ID 4778 (Session Reconnect)

Terminal Services

  • LocalSessionManager events

RemoteConnectionManager

  • Event ID 1149 (Remote Desktop authentication and source IP information)

By correlating these events across multiple systems, RDPGraph reconstructs a complete picture of RDP activity within the environment.

Why It Matters

During many investigations, Windows event logs are the only reliable source of evidence available.

Manually analyzing them is time-consuming, error-prone, and difficult to scale.

RDPGraph turns hours of Event Viewer analysis into a visual investigation workflow that helps responders:

  • Understand attacker behavior faster
  • Detect lateral movement
  • Scope incidents more accurately
  • Reduce investigation time
  • Improve containment decisions

Open Source and Free

RDPGraph is released under the MIT License and is freely available to the security community.

Built by incident responders for incident responders, it is designed to help defenders work more effectively when time matters most.

GitHub Repository

Link:https://github.com/RedSideSecurity/rdpgraph

When the network goes quiet and Windows event logs are all you have left, RDPGraph helps turn those logs into actionable intelligence.