LoFP / host connections to valid domains, exclude these.

Techniques

Sample rules

Potential Remote Desktop Connection to Non-Domain Host

Description

Detects logons using NTLM to hosts that are potentially not part of the domain.

Detection logic

condition: selection
selection:
  EventID: 8001
  TargetName|startswith: TERMSRV
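An added example, not from the LoFP page or the rule's author, that applies this selection to constructed NTLM/Operational 8001 events in Python and then drops connections whose target host sits in an assumed list of known-good domain suffixes, which is the tuning the false-positive note above describes. The field names follow the rule; the events and the `.corp.example` suffix are assumptions.

```python
# Added example: evaluates the Sigma selection above over constructed
# Microsoft-Windows-NTLM/Operational 8001 records and applies the
# "connections to valid domains" exclusion. Not code from LoFP or the rule.

# Constructed sample events (field names as in the Sigma rule; values made up).
SAMPLE_EVENTS = [
    {"EventID": 8001, "TargetName": "TERMSRV/fileserver01.corp.example", "UserName": "alice"},
    {"EventID": 8001, "TargetName": "TERMSRV/203.0.113.10", "UserName": "alice"},
    {"EventID": 8001, "TargetName": "cifs/nas.corp.example", "UserName": "bob"},
    {"EventID": "8002", "TargetName": "TERMSRV/other", "UserName": "carol"},
    {"EventID": "8001", "TargetName": "termsrv/jump01", "UserName": "dave"},
]

# Assumed tuning: domain suffixes treated as "valid" and therefore excluded.
VALID_DOMAIN_SUFFIXES = (".corp.example",)


def rule_matches(event):
    """Sigma selection: EventID 8001 AND TargetName|startswith TERMSRV.

    EventID is compared as a string because log pipelines often deliver it
    either way; Sigma string matching is case-insensitive by default.
    """
    target = str(event.get("TargetName", ""))
    return str(event.get("EventID")) == "8001" and target.upper().startswith("TERMSRV")


def target_host(event):
    """TargetName is an SPN such as TERMSRV/host; return the host part, lowercased."""
    name = str(event.get("TargetName", ""))
    return name.split("/", 1)[1].lower() if "/" in name else ""


def evaluate(events, valid_suffixes=VALID_DOMAIN_SUFFIXES):
    """Return (alerted_hosts, excluded_hosts) for the events that match the rule.

    Hosts in a valid domain suffix are excluded as false positives; IP literals
    and single-label names carry no domain and are surfaced for review.
    """
    alerts, excluded = [], []
    for event in events:
        if not rule_matches(event):
            continue
        host = target_host(event)
        (excluded if host.endswith(valid_suffixes) else alerts).append(host)
    return alerts, excluded


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```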