Windows Event ID 4779 – Microsoft-Windows-Security-Auditing: User Session Disconnected

Start by examining the specific 4779 event details to understand the disconnection context and gather forensic information.

1. Open Event Viewer → Windows Logs → Security

2. Filter for Event ID 4779 using the filter option or search functionality

3. Double-click the event to view detailed information including:

• Subject Security ID and Account Name
• Logon ID (correlates with logon events)
• Session Name and Source Network Address
• Additional Details tab for extended information

4. Note the timestamp and compare with related events like 4778 (session reconnected) or 4634 (logoff)

Use PowerShell to extract and analyze 4779 events for patterns, frequency, and correlation with other security events.

1. Query recent disconnection events:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4779} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='SourceIP';Expression={$_.Properties[5].Value}}

2. Analyze disconnection patterns for specific users:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4779} | Where-Object {$_.Properties[1].Value -like '*username*'} | Group-Object @{Expression={$_.Properties[5].Value}} | Sort-Object Count -Descending

3. Correlate with logon events to calculate session duration:

$logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}
$disconnects = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4779}
$correlatedSessions = $disconnects | ForEach-Object {
    $logonId = $_.Properties[2].Value
    $matchingLogon = $logons | Where-Object {$_.Properties[7].Value -eq $logonId}
    if ($matchingLogon) {
        [PSCustomObject]@{
            User = $_.Properties[1].Value
            LogonTime = $matchingLogon.TimeCreated
            DisconnectTime = $_.TimeCreated
            Duration = $_.TimeCreated - $matchingLogon.TimeCreated
            SourceIP = $_.Properties[5].Value
        }
    }
}

Enhance 4779 event collection and analysis through advanced audit policy configuration and centralized logging setup.

1. Verify audit policy settings using Group Policy or local security policy:

Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff

2. Enable detailed logon auditing:

auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable

3. Configure Windows Event Forwarding for centralized collection:

# On collector server
wecutil qc
# Create subscription for security events
wecutil cs subscription.xml

4. Set up custom event log size and retention:

wevtutil sl Security /ms:1073741824
wevtutil sl Security /rt:false

5. Create scheduled task for automated 4779 analysis:

$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File C:\Scripts\Analyze4779Events.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At '06:00'
Register-ScheduledTask -TaskName 'Daily4779Analysis' -Action $action -Trigger $trigger

Perform advanced forensic analysis to identify potential security threats or policy violations based on 4779 event patterns.

1. Identify unusual disconnection frequencies:

$timeframe = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4779; StartTime=$timeframe}
$suspiciousUsers = $events | Group-Object @{Expression={$_.Properties[1].Value}} | Where-Object {$_.Count -gt 100} | Sort-Object Count -Descending

2. Analyze off-hours access patterns:

$offHoursEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4779} | Where-Object {
    $hour = $_.TimeCreated.Hour
    $hour -lt 6 -or $hour -gt 22 -or $_.TimeCreated.DayOfWeek -in @('Saturday','Sunday')
}

3. Check for rapid reconnection patterns (potential brute force):

$rapidReconnects = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4778,4779)} | Sort-Object TimeCreated | Group-Object @{Expression={$_.Properties[1].Value}} | ForEach-Object {
    $userEvents = $_.Group | Sort-Object TimeCreated
    for ($i = 1; $i -lt $userEvents.Count; $i++) {
        $timeDiff = ($userEvents[$i].TimeCreated - $userEvents[$i-1].TimeCreated).TotalMinutes
        if ($timeDiff -lt 2) {
            [PSCustomObject]@{
                User = $_.Name
                Event1 = $userEvents[$i-1].Id
                Event2 = $userEvents[$i].Id
                TimeDifference = $timeDiff
                Timestamp = $userEvents[$i].TimeCreated
            }
        }
    }
}

4. Cross-reference with failed logon attempts:

$failedLogons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}
$disconnections = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4779}
$correlatedThreats = $disconnections | ForEach-Object {
    $disconnectTime = $_.TimeCreated
    $sourceIP = $_.Properties[5].Value
    $relatedFailures = $failedLogons | Where-Object {
        $_.Properties[19].Value -eq $sourceIP -and
        [Math]::Abs(($_.TimeCreated - $disconnectTime).TotalMinutes) -lt 30
    }
    if ($relatedFailures) {
        [PSCustomObject]@{
            SourceIP = $sourceIP
            DisconnectTime = $disconnectTime
            FailedAttempts = $relatedFailures.Count
            User = $_.Properties[1].Value
        }
    }
}

Deploy automated monitoring and response mechanisms for critical 4779 event patterns that may indicate security incidents.

1. Create custom Windows Performance Toolkit (WPT) data collector set:

$dataCollectorSet = New-Object -ComObject Pla.DataCollectorSet
$dataCollectorSet.DisplayName = "RDP Disconnection Monitor"
$dataCollectorSet.RootPath = "C:\PerfLogs\RDPMonitor"
$dataCollectorSet.Commit("RDPDisconnectMonitor", $null, 0x0003)

2. Configure SIEM integration using Windows Event Forwarding:

Create custom XML subscription file:

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>RDP-Disconnection-Monitor</SubscriptionId>
    <Query>
        <Select Path="Security">*[System[(EventID=4779)]]</Select>
    </Query>
    <Delivery Mode="Push">
        <Batching>
            <MaxItems>1</MaxItems>
            <MaxLatencyTime>1000</MaxLatencyTime>
        </Batching>
    </Delivery>
</Subscription>

3. Set up PowerShell-based alerting script:

# Register event subscription
Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = 4779" -Action {
    $event = $Event.SourceEventArgs.NewEvent.TargetInstance
    $user = ($event.InsertionStrings)[1]
    $sourceIP = ($event.InsertionStrings)[5]
    
    # Check for suspicious patterns
    if ($sourceIP -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)') {
        Send-MailMessage -To "security@company.com" -From "alerts@company.com" -Subject "External RDP Disconnection Alert" -Body "User $user disconnected from external IP $sourceIP at $(Get-Date)" -SmtpServer "mail.company.com"
    }
}

4. Implement custom Windows Event Log channel for enhanced monitoring:

# Create custom event log
New-EventLog -LogName "RDPSecurity" -Source "RDPMonitor"

# Log custom security events
Write-EventLog -LogName "RDPSecurity" -Source "RDPMonitor" -EventId 1001 -EntryType Information -Message "Suspicious RDP disconnection pattern detected for user $user from IP $sourceIP"