LoFP / false positives will be present, filter as needed or restrict to critical assets on the perimeter.

Techniques

Sample rules

Windows RDP Connection Successful

Description

The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 in the Windows TerminalServices RemoteConnectionManager Operational log. The detection is significant because a successful RDP connection is remote access to a system, which attackers can use to control the host or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is therefore important for identifying potential breaches and mitigating them promptly.

Detection logic

`remoteconnectionmanager` EventCode=1149
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename Computer as dest
| `windows_rdp_connection_successful_filter`
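The following Python is an added, offline re-implementation of the search above; it is not Splunk's code nor part of the detection project, and the event records, host names and user names in it are constructed. It keeps EventCode 1149, aggregates count/firstTime/lastTime per (Computer, user_id), renames Computer to dest, and then stands in for the `windows_rdp_connection_successful_filter` macro with the two tuning options the LoFP note mentions: an allowlist of expected (dest, user_id) pairs, and an optional restriction to a set of critical assets. The allowlist and asset set are assumptions for the demonstration.

```python
"""Offline re-implementation of the 'Windows RDP Connection Successful'
search (added example, not the project's own code)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real log data). _time is epoch seconds.
SAMPLE_EVENTS = [
    {"EventCode": 1149, "Computer": "jump01.corp.example", "user_id": "svc_backup", "_time": 1700000000},
    {"EventCode": 1149, "Computer": "jump01.corp.example", "user_id": "svc_backup", "_time": 1700003600},
    {"EventCode": 1149, "Computer": "fileserver02.corp.example", "user_id": "jdoe", "_time": 1700001200},
    {"EventCode": 1149, "Computer": "fileserver02.corp.example", "user_id": "jdoe", "_time": 1700000900},
    {"EventCode": 1149, "Computer": "dc01.corp.example", "user_id": "contractor7", "_time": 1700002000},
    # A non-1149 record from the same log; dropped by the EventCode filter.
    {"EventCode": 261, "Computer": "dc01.corp.example", "user_id": "contractor7", "_time": 1700002001},
]

# Stand-in for the `windows_rdp_connection_successful_filter` macro:
# (dest, user_id) pairs that are expected RDP usage. Assumed values.
EXPECTED_RDP = {
    ("jump01.corp.example", "svc_backup"),
}


def security_content_ctime(epoch):
    """Mirror the `security_content_ctime` macro: epoch -> readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def rdp_connection_successful(events, expected=EXPECTED_RDP, critical_assets=None):
    """Return aggregated rows for successful RDP connections after tuning.

    expected        -- (dest, user_id) pairs to suppress (the filter macro)
    critical_assets -- if given, only keep rows whose dest is in this set
    """
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 1149:  # `remoteconnectionmanager` EventCode=1149
            continue
        groups[(ev["Computer"], ev["user_id"])].append(ev["_time"])

    rows = []
    for (computer, user_id), times in groups.items():
        row = {
            "dest": computer,  # rename Computer as dest
            "user_id": user_id,
            "count": len(times),  # stats count
            "firstTime": security_content_ctime(min(times)),  # min(_time)
            "lastTime": security_content_ctime(max(times)),  # max(_time)
        }
        # Filter macro: suppress known-good pairs so only unusual ones alert.
        if (row["dest"], row["user_id"]) in expected:
            continue
        # Optional scope restriction to critical assets.
        if critical_assets is not None and row["dest"] not in critical_assets:
            continue
        rows.append(row)
    rows.sort(key=lambda r: (r["dest"], r["user_id"]))
    return rows


if __name__ == "__main__":
    for r in rdp_connection_successful(SAMPLE_EVENTS):
        print(r)
```

Running the block prints the two (dest, user_id) rows that survive the allowlist; passing `critical_assets={"dc01.corp.example"}` narrows the output to the domain controller only, which is the "restrict to critical assets" option from the LoFP note.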