LoFP / Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.

Techniques

Sample rules

Unusual Windows Remote User

Description

A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.
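To make the false-positive case concrete, the following added example (not the rule's own machine-learning job, and not code from the rule's authors) stands in a simple per-host frequency baseline for the rarity model: RDP logons (Windows 4624, LogonType 10) by a username never seen on that host before are flagged, and each alert is then checked against a hypothetical change-ticket record so that an engineer's approved troubleshooting session is marked as explained while an unexplained first-seen user stays open. All events, hosts, usernames and ticket fields are constructed for this example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: Windows Security 4624 events already filtered to
# LogonType 10 (RemoteInteractive, i.e. RDP). Hosts, names and times are invented.
EVENTS = [
    ("2024-03-01T08:00:00", "srv-web-01", "svc_deploy"),
    ("2024-03-02T08:05:00", "srv-web-01", "svc_deploy"),
    ("2024-03-03T08:01:00", "srv-web-01", "svc_deploy"),
    ("2024-03-04T08:02:00", "srv-web-01", "svc_deploy"),
    ("2024-03-05T08:00:00", "srv-web-01", "svc_deploy"),
    ("2024-03-06T07:59:00", "srv-web-01", "svc_deploy"),
    ("2024-03-07T08:03:00", "srv-web-01", "svc_deploy"),
    ("2024-03-15T02:13:00", "srv-web-01", "jdoe"),     # first RDP logon by this user on the host
    ("2024-03-15T14:00:00", "srv-web-01", "ops-kim"),  # also first-seen: engineer troubleshooting
    ("2024-03-15T16:00:00", "srv-web-01", "svc_deploy"),
]

# Constructed change-ticket records in a hypothetical format; an approved
# maintenance window is the benign explanation this LoFP entry describes.
TICKETS = [
    {"id": "CHG-0001", "host": "srv-web-01", "user": "ops-kim",
     "start": "2024-03-15T13:00:00", "end": "2024-03-15T18:00:00"},
]

def rare_rdp_users(events, cutoff, max_baseline_count=0):
    """Return RDP logons at or after `cutoff` whose user was seen at most
    `max_baseline_count` times on that host before the cutoff.
    A plain frequency baseline standing in for the ML rarity job."""
    cutoff_dt = datetime.fromisoformat(cutoff)
    baseline = Counter((h, u) for ts, h, u in events
                       if datetime.fromisoformat(ts) < cutoff_dt)
    alerts = []
    for ts, host, user in events:
        if (datetime.fromisoformat(ts) >= cutoff_dt
                and baseline[(host, user)] <= max_baseline_count):
            alerts.append({"ts": ts, "host": host, "user": user,
                           "prior_logons": baseline[(host, user)]})
    return alerts

def annotate_with_tickets(alerts, tickets):
    """Mark alerts covered by an approved change window for that host and
    user as 'explained'; everything else stays 'open' for analyst review."""
    out = []
    for a in alerts:
        t = datetime.fromisoformat(a["ts"])
        match = next((tk["id"] for tk in tickets
                      if tk["host"] == a["host"] and tk["user"] == a["user"]
                      and datetime.fromisoformat(tk["start"]) <= t
                      <= datetime.fromisoformat(tk["end"])), None)
        out.append({**a, "ticket": match, "status": "explained" if match else "open"})
    return out

if __name__ == "__main__":
    for row in annotate_with_tickets(rare_rdp_users(EVENTS, "2024-03-15T00:00:00"), TICKETS):
        print(row)
```

The recurring service account is never flagged, while the two first-seen users both produce alerts; only the one matching an approved change window is downgraded, which is the triage step that turns this LoFP entry into a tunable rather than a suppressed rule.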

Detection logic