A short tip for administrators of Windows systems who analyze logon activity forensically. Windows events with event ID 4624 carry a numeric code that indicates the type of logon (or logon attempt).
Microsoft employee Jessica Payne is a member of the Defender security team. On Twitter she explains the meaning of various codes in short tweets.
Logon type 10: this is a typical RDP alert meaning that terminal services was engaged for the logon. 3rd party software like virtualization consoles and screen share can also generate it. Means credentials were in memory (lsass) and also hit cached credentials.
— Jessica Payne (@jepayneMSFT) June 29, 2018
Click on the tweet and the whole thread should be displayed. Perhaps this is useful for some of you.
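To see where logon type 10 shows up on a system under review, the following added example (not from the original post or from the tweet's author) pulls event ID 4624 records with that logon type from the Security log and lists account, source address and time. It assumes an elevated PowerShell session on the machine being examined; the variable names and the event limit are illustrative choices.

```powershell
# Added example: list event ID 4624 records whose LogonType is 10.
# Reading the Security log requires an elevated session.
$LogonType = 10      # the code discussed above
$MaxEvents = 1000    # assumption: cap on how many matching events to return

# Filter on the server side so only matching records are returned.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='$LogonType']]"

$logons = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents |
    ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data> elements;
        # turn it into a name/value table so fields can be read by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            LogonType   = [int]$data['LogonType']
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }

# Chronological listing for the timeline.
$logons | Sort-Object TimeCreated | Format-Table -AutoSize

# Per-account / per-source summary: unexpected pairs are the ones to follow up on.
$logons | Group-Object Account, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```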