Legitimate RDP connections from authorized administrators and users will generate these events. To reduce false positives, baseline normal RDP connection patterns in your environment, whitelist expected RDP connection chains between known administrative workstations and servers, and track authorized remote support sessions.

Techniques

Sample rules

Windows RDPClient Connection Sequence Events

Description

This analytic monitors Windows RDP client connection sequence events (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational log. These events record when RDP ClientActiveX initiates a connection attempt to a remote server. The connection sequence is a critical phase of RDP in which the client and server exchange settings and establish common parameters for the session. Monitoring these events can help identify unusual RDP connection patterns, potential lateral movement attempts, unauthorized remote access activity, and RDP connection chains that may indicate compromised systems. NOTE: the analytic was written for multi-line event rendering because the XML was not properly parsed out.

Detection logic

`wineventlog_rdp` EventCode=1024 
| rename host as dest 
| stats count as "Event Count", min(_time) as firstTime, max(_time) as lastTime, values(Message) as messages by dest, source, LogName, EventCode, category 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_rdpclient_connection_sequence_events_filter`
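The following is an added example, not code from the LoFP page or from Splunk security content. It re-implements the `stats` grouping of the search above in Python over constructed EventCode 1024 records, and adds the step the false-positive note recommends: an allowlist of expected client-workstation to server chains, so that routine administrative sessions drop out and only unexpected chains (such as a server initiating RDP onward) remain. The message format `... to the server (NAME)`, the `category` value, the host names, timestamps and the allowlist are all constructed assumptions for the sample data.

```python
"""Aggregate and allowlist-filter Windows RDPClient EventCode 1024 records.

Added example, not the page's or Splunk's code: emulates
  stats count, min(_time), max(_time), values(Message)
        by dest, source, LogName, EventCode, category
over constructed sample events, then applies an expected-chain allowlist.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re
from typing import Dict, Iterable, List, Set, Tuple

LOGNAME = "Microsoft-Windows-TerminalServices-RDPClient/Operational"

# Assumption: the 1024 message names its target as "... to the server (NAME)".
TARGET_RE = re.compile(r"to the server \(([^)]+)\)")


def make_event(t: int, host: str, target: str) -> dict:
    """Build one constructed record with the fields the SPL groups on."""
    return {
        "_time": t,
        "host": host,  # renamed to dest by the search
        "source": f"XmlWinEventLog:{LOGNAME}",
        "LogName": LOGNAME,
        "EventCode": 1024,
        "category": "Connection Sequence",  # constructed value
        "Message": f"RDP ClientActiveX is trying to connect to the server ({target})",
    }


# Constructed sample data: two routine admin sessions, one admin hop to a DC,
# and a file server initiating RDP onward (the chain pattern the analytic targets).
SAMPLE_EVENTS = [
    make_event(1700000000, "ADMIN-WS01", "FILESRV01"),
    make_event(1700000600, "ADMIN-WS01", "FILESRV01"),
    make_event(1700001200, "ADMIN-WS01", "DC01"),
    make_event(1700001800, "FILESRV01", "DC01"),
    make_event(1700002400, "FILESRV01", "HR-WS07"),
]

# Constructed allowlist of (client workstation, server) chains known to be expected.
EXPECTED_CHAINS: Set[Tuple[str, str]] = {("ADMIN-WS01", "FILESRV01")}


def target_of(event: dict) -> str:
    """Pull the remote server name out of the 1024 message text."""
    m = TARGET_RE.search(event["Message"])
    return m.group(1) if m else "unknown"


def ctime(epoch: int) -> str:
    """Stand-in for `security_content_ctime`: epoch seconds -> ISO-8601 UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def drop_expected(events: Iterable[dict], chains: Set[Tuple[str, str]]) -> List[dict]:
    """Keep only EventCode 1024 records whose (dest, target) chain is not allowlisted."""
    return [
        e for e in events
        if e["EventCode"] == 1024 and (e["host"], target_of(e)) not in chains
    ]


def aggregate(events: Iterable[dict]) -> Dict[Tuple, dict]:
    """Emulate the search's stats clause; values(Message) is distinct and sorted."""
    groups = defaultdict(list)
    for e in events:
        key = (e["host"], e["source"], e["LogName"], e["EventCode"], e["category"])
        groups[key].append(e)
    rows = {}
    for key, evs in groups.items():
        times = [e["_time"] for e in evs]
        rows[key] = {
            "dest": key[0],
            "Event Count": len(evs),
            "firstTime": ctime(min(times)),
            "lastTime": ctime(max(times)),
            "messages": sorted({e["Message"] for e in evs}),
            "targets": sorted({target_of(e) for e in evs}),
        }
    return rows


def run(events: Iterable[dict] = SAMPLE_EVENTS,
        chains: Set[Tuple[str, str]] = EXPECTED_CHAINS) -> List[dict]:
    """Filter, aggregate, and return one row per remaining dest, ordered by dest."""
    rows = aggregate(drop_expected(events, chains))
    return sorted(rows.values(), key=lambda r: r["dest"])


if __name__ == "__main__":
    for row in run():
        print(row["dest"], row["Event Count"], row["firstTime"],
              row["lastTime"], row["targets"])
```

The allowlist is applied per event before aggregation so that each client-to-server pair can be whitelisted on its own; the search's `_filter` macro instead runs after `stats`, on the aggregated rows, so a direct port would have to inspect the `messages` multivalue field. Either way, a server that appears as `dest` (that is, a server acting as an RDP client) is the row worth reviewing first.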