Techniques
Sample rules
Windows RDP Connection Successful
- source: splunk
- techniques:
- T1563.002
Description
The following analytic identifies successful Remote Desktop connections by matching EventCode 1149 from the TerminalServices-RemoteConnectionManager log. Use it to hunt for successful RDP connections; the query may also be modified to match EventCode=1148 to potentially surface failed attempts, although in testing 1148 was not generated by a failed logon attempt. Note that this analytic requires the RemoteConnectionManager operational log to be enabled and collected via a stanza in inputs.conf.
Detection logic
`remoteconnectionmanager` EventCode=1149
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename Computer as dest
| `windows_rdp_connection_successful_filter`
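As an added illustration (not part of the original rule), the Python below reproduces the aggregation the SPL above performs, `stats count min(_time) max(_time) by Computer, user_id` followed by the `rename` and time formatting, over a handful of constructed key=value events; the field names `_time`, `EventCode`, `Computer` and `user_id` are taken from the query, and the event lines themselves are invented sample data, not real log output.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real logs) in a key=value shape. Only
# EventCode 1149 rows are successful RDP connections; the 1148 and 4624
# rows are there to show they are ignored by the 1149 search.
SAMPLE_EVENTS = [
    r'_time=2024-03-01T09:00:05Z EventCode=1149 Computer=WS01.corp.example user_id="CORP\alice"',
    r'_time=2024-03-01T09:07:41Z EventCode=1149 Computer=WS01.corp.example user_id="CORP\alice"',
    r'_time=2024-03-01T09:09:12Z EventCode=1149 Computer=SRV02.corp.example user_id="CORP\svc-backup"',
    r'_time=2024-03-01T09:10:00Z EventCode=1148 Computer=SRV02.corp.example user_id="CORP\bob"',
    r'_time=2024-03-01T09:11:30Z EventCode=4624 Computer=SRV02.corp.example user_id="CORP\bob"',
]

# key=value or key="quoted value"
EVENT_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Split one event line into a dict of field -> value."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in EVENT_RE.findall(line)}

def to_epoch(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def ctime(t):
    # Same rendering as the security_content_ctime macro: ISO-8601 without zone
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def rdp_connection_stats(lines, event_code="1149"):
    """Equivalent of: stats count min(_time) max(_time) by Computer, user_id
    | rename Computer as dest.  Pass event_code="1148" for the failed-attempt variant."""
    stats = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != event_code:
            continue
        key = (ev["Computer"], ev["user_id"])
        t = to_epoch(ev["_time"])
        entry = stats.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        entry["count"] += 1
        entry["firstTime"] = min(entry["firstTime"], t)
        entry["lastTime"] = max(entry["lastTime"], t)
    return [
        {"dest": dest, "user_id": user, "count": e["count"],
         "firstTime": ctime(e["firstTime"]), "lastTime": ctime(e["lastTime"])}
        for (dest, user), e in sorted(stats.items())
    ]

if __name__ == "__main__":
    for row in rdp_connection_stats(SAMPLE_EVENTS):
        print(row)
```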