tl;dr
Check the Microsoft-Windows-TerminalServices-LocalSessionManager and Microsoft-Windows-TerminalServices-RemoteConnectionManager logs for events relating to user logon/logoff.
Terminal Services events are logged for users that are accessing the machine locally.
You should require Network Level Authentication for RDP access to all your Windows machines to stop intruders using the “Sticky Keys” technique to retain access to machines.
Intruders can leak usernames and domains from their internal network and other victims in Microsoft-Windows-TerminalServices-RemoteConnectionManager ID 1149 events.
More here: http://blog.kiddaland.net/2015/02/remote-desktop-connections-terminal.html
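
The checks summarised above, as an added PowerShell example (not code from the linked post): it lists the user, domain and source address recorded in ID 1149 events and reports whether NLA is required. Assumptions: the events sit in the log's Operational channel, the 1149 fields are Param1 = user, Param2 = domain, Param3 = source address, and the session is elevated.

```powershell
# Added example: review RemoteConnectionManager ID 1149 events and the NLA setting.
$log = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

# SilentlyContinue: Get-WinEvent raises an error when no event matches the filter.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1149 } -ErrorAction SilentlyContinue

# Assumed field mapping: Param1 = user, Param2 = domain, Param3 = source address.
$rows = foreach ($e in $events) {
    $x = ([xml]$e.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        User        = $x.Param1
        Domain      = $x.Param2
        Source      = $x.Param3
    }
}

# Group by source/domain/user so names that do not belong to this
# environment (leaked from the connecting side) stand out.
$rows | Group-Object Source, Domain, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { $_.Group.TimeCreated | Sort-Object | Select-Object -First 1 } },
        @{ n = 'Last';  e = { $_.Group.TimeCreated | Sort-Object | Select-Object -Last 1 } } |
    Format-Table -AutoSize

# NLA: UserAuthentication = 1 means NLA is required. A Group Policy value,
# when present, takes precedence over the listener's own setting.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$nla = $null
foreach ($key in $policyKey, $listenerKey) {
    $p = Get-ItemProperty -Path $key -Name UserAuthentication -ErrorAction SilentlyContinue
    if ($null -ne $p) { $nla = $p.UserAuthentication; break }
}

if ($nla -eq 1) {
    'NLA is required for RDP on this machine.'
} else {
    'NLA is NOT required for RDP on this machine.'
}
```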