LoFP / remote desktop may be used legitimately by users on the network.

Techniques

• T1021
• T1021.001

Sample rules

Remote Desktop Network Traffic

• source: splunk
• technicques:
  • T1021.001
  • T1021

Description

The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389 by filtering out known RDP sources and destinations, focusing on atypical connections within the network. This detection leverages network traffic data to identify potentially unauthorized RDP access. Monitoring this activity is crucial for a SOC as unauthorized RDP access can indicate an attacker’s attempt to control networked systems, leading to data theft, ransomware deployment, or further network compromise. If confirmed malicious, this activity could result in significant data breaches or complete system and network control loss.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=3389 AND All_Traffic.dest_category!=common_rdp_destination AND All_Traffic.src_category!=common_rdp_source AND All_Traffic.action="allowed" by All_Traffic.src All_Traffic.dest All_Traffic.dest_port 
| `drop_dm_object_name("All_Traffic")` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `remote_desktop_network_traffic_filter`

Remote Desktop Process Running On System

• source: splunk
• technicques:
  • T1021.001
  • T1021

Description

The following analytic detects the execution of the remote desktop process (mstsc.exe) on systems where it is not typically run. This detection leverages data from Endpoint Detection and Response (EDR) agents, filtering out systems categorized as common RDP sources. This activity is significant because unauthorized use of mstsc.exe can indicate lateral movement or unauthorized remote access attempts. If confirmed malicious, this could allow an attacker to gain remote control of a system, potentially leading to data exfiltration, privilege escalation, or further network compromise.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `drop_dm_object_name(Processes)` 
| `remote_desktop_process_running_on_system_filter`