RDP-Forensic

2.2.0

A comprehensive PowerShell toolkit for RDP forensics analysis, tracking connection attempts, authentication, sessions, and logoffs across Windows Event Logs for security monitoring and incident response.

Minimum PowerShell version

5.1

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name RDP-Forensic -RequiredVersion 2.2.0

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

Install-PSResource -Name RDP-Forensic -Version 2.2.0

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Copyright

(c) 2025 Jan Tiedemann. All rights reserved.

Package Details

Author(s)

  • Jan Tiedemann

Tags

RDP Forensics Security EventLog RemoteDesktop Audit Compliance Monitoring Windows Investigation

Functions

  • Get-RDPCurrentSessions
  • Get-RDPForensics

PSEditions

Desktop Core

Dependencies

This module has no dependencies.

Release Notes

## [2.2.0] - 2026-05-27

### Added

- Added `-DomainController` parameter to query specific Domain Controller(s)
 for Kerberos (4768-4772) and NTLM (4776) pre-authentication events remotely.
- Added `-AllDomainControllers` switch to query ALL DCs in the domain for
 complete pre-authentication event coverage.
- Added automatic secure channel DC discovery via `nltest /sc_query` when
 `-IncludeCredentialValidation` is used without explicit DC parameters.
- Added WinRM (Invoke-Command) transport with automatic RPC/DCOM fallback
 for Domain Controller event queries.
- Added DC hostname in parsed event Details for traceability.
- Added DC target display in analysis header output.
- Added `Get-RDPForensics.DomainController.Tests.ps1` test file with
 comprehensive parameter, parsing, and compatibility tests.
- Added scenarios 19-21 to `Examples.ps1` for DC query workflows.

### Changed

- `-IncludeCredentialValidation` no longer requires running on a Domain
 Controller. The tool now queries DCs remotely from any Terminal Server.
- `-DomainController` and `-AllDomainControllers` implicitly enable
 `-IncludeCredentialValidation`.
- Updated `KERBEROS_NTLM_AUTHENTICATION.md` documentation to reflect
 remote DC query capability and removed DC-only constraint.
- Updated `GETTING_STARTED.md` and `QUICK_REFERENCE.md` with new
 DC query parameters and examples.
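The workflow the 2.2.0 notes describe (resolve the target DCs, pull Kerberos 4768-4772 and NTLM 4776 events over WinRM, fall back to RPC/DCOM when WinRM is unreachable, and tag each parsed event with the DC it came from) can be reproduced with plain PowerShell. The block below is an added example written for this page; it is not the RDP-Forensic module's own code, and the function name `Get-DcAuthEvent`, its parameters and the small status-code lookup tables are assumptions made for the example. It requires a domain-joined host, PowerShell Remoting or RPC access to the DCs, and rights to read their Security log (Event Log Readers or local administrator).

```powershell
# Added example, not the RDP-Forensic module's code. Demonstrates remote DC
# event collection with WinRM first and RPC/DCOM (Get-WinEvent -ComputerName)
# as fallback. Function/parameter names are assumptions for this example.

# Well-known failure codes (documented by Microsoft); kept deliberately small.
$KerberosStatus = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
}
$NtlmStatus = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

function Get-DcAuthEvent {
    [CmdletBinding()]
    param(
        [string[]]$DomainController,          # explicit DC hostnames
        [switch]$AllDomainControllers,        # every DC of the current domain
        [datetime]$StartTime = (Get-Date).AddHours(-24),
        [int]$MaxEvents = 1000
    )

    # 1. Resolve targets: explicit list, all DCs, or the secure-channel DC.
    if ($AllDomainControllers) {
        $targets = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
            ForEach-Object Name
    } elseif ($DomainController) {
        $targets = $DomainController
    } else {
        # nltest prints "Trusted DC Name \\dc01.corp.example.com"; keep the part after \\
        $line = nltest "/sc_query:$env:USERDNSDOMAIN" | Where-Object { $_ -match 'Trusted DC Name' }
        if (-not $line) { throw 'Secure-channel DC discovery failed; pass -DomainController.' }
        $targets = @($line | ForEach-Object { ($_ -replace '^.*\\\\', '').Trim() })
    }

    $filter = @{ LogName = 'Security'; Id = 4768, 4769, 4770, 4771, 4772, 4776; StartTime = $StartTime }

    # 2. Collector that runs remotely (WinRM) or locally against a remote log (RPC).
    #    It returns the event XML as a string because deserialized EventLogRecord
    #    objects coming back over WinRM no longer expose ToXml().
    $collect = {
        param($Filter, $Max, $Computer)
        $p = @{ FilterHashtable = $Filter; MaxEvents = $Max; ErrorAction = 'SilentlyContinue' }
        if ($Computer) { $p.ComputerName = $Computer }
        Get-WinEvent @p | ForEach-Object {
            [pscustomobject]@{ Id = $_.Id; TimeCreated = $_.TimeCreated; Xml = $_.ToXml() }
        }
    }

    foreach ($dc in $targets) {
        $transport = 'WinRM'
        try {
            $events = Invoke-Command -ComputerName $dc -ScriptBlock $collect `
                -ArgumentList $filter, $MaxEvents, $null -ErrorAction Stop
        } catch {
            Write-Verbose "WinRM to $dc failed ($($_.Exception.Message)); falling back to RPC/DCOM"
            $transport = 'RPC'
            $events = & $collect $filter $MaxEvents $dc
        }

        # 3. Parse EventData into a name/value table and emit one row per event,
        #    carrying the DC hostname for traceability.
        foreach ($e in $events) {
            $d = @{}
            foreach ($n in ([xml]$e.Xml).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $status = "$($d['Status'])".ToLower()
            [pscustomobject]@{
                DomainController = $dc
                Transport        = $transport
                TimeCreated      = $e.TimeCreated
                Id               = $e.Id
                Account          = $d['TargetUserName']
                Source           = if ($e.Id -eq 4776) { $d['Workstation'] } else { "$($d['IpAddress'])" -replace '^::ffff:', '' }
                Status           = $status
                Reason           = if ($e.Id -eq 4776) { $NtlmStatus[$status] } else { $KerberosStatus[$status] }
            }
        }
    }
}

# Usage: failed pre-authentication grouped by account and source over the last 6 hours,
# a quick way to surface password spraying against RDP-exposed accounts.
Get-DcAuthEvent -AllDomainControllers -StartTime (Get-Date).AddHours(-6) -Verbose |
    Where-Object { $_.Id -in 4771, 4776 -and $_.Reason } |
    Group-Object Account, Source | Sort-Object Count -Descending | Select-Object -First 20
```

Two points a practitioner should keep in mind when running this: `Get-WinEvent -FilterHashtable` raises a non-terminating "No events were found" error on an empty result, which is why the collector uses `-ErrorAction SilentlyContinue`, and the RPC fallback needs TCP 135 plus the dynamic RPC range open to the DC, whereas WinRM needs only 5985/5986. With the module itself, the notes above state that `Get-RDPForensics -AllDomainControllers` (or `-DomainController`) implicitly enables `-IncludeCredentialValidation`, so no extra switch is needed there.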

Version History

Version Downloads Last updated
2.2.2 6 5/27/2026
2.2.1 3 5/27/2026
2.2.0 (current version) 4 5/27/2026
2.1.3 30 3/31/2026
2.1.2-previe... 3 3/31/2026
2.1.1 3 3/31/2026
2.1.0 4 3/31/2026
2.0.1-previe... 2 3/31/2026
2.0.0 12 3/31/2026
0.2.0-previe... 3 3/31/2026
0.2.0-previe... 2 3/31/2026