rdp gateways may have unusually high amounts of traffic from all other hosts' rdp applications in the network.

t1021
t1021.001
endpoint
splunk

Techniques

T1021
T1021.001

Sample rules

Remote Desktop Network Bruteforce

source: splunk
technicques:
- T1021.001
- T1021

Description

This search looks for RDP application network traffic and filters any source/destination pair generating more than twice the standard deviation of the average traffic.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src All_Traffic.dest All_Traffic.dest_port 
| eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 
| where count>(avg + stdev*2) 
| rename All_Traffic.src AS src All_Traffic.dest AS dest 
| table firstTime lastTime src dest count avg p50 stdev 
| `remote_desktop_network_bruteforce_filter`