LoFP / valid user was not added to RDP group

Techniques

Sample rules

Denied Access To Remote Desktop

Description

This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Attackers often generate this event while searching the network for reachable Windows servers.

Detection logic

condition: selection
selection:
  EventID: 4825
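The selection above fires on every Event ID 4825, so the benign case this LoFP entry names (an account that was meant to get RDP access but was never added to the local Remote Desktop Users group) looks the same as probing. The block below is an added example, not code from the LoFP page or from any Sigma rule: it applies the selection to constructed Security-log records and separates hits for accounts an administrator already expects to use RDP (the hypothetical `EXPECTED_RDP_USERS` set, which a real deployment would load from a ticketing system or group policy export) from hits that merit review.

```python
from collections import defaultdict

# Constructed sample events (not real logs). Keys mirror the Security log
# fields EventID, AccountName and ClientAddress as they appear in 4825.
SAMPLE_EVENTS = [
    {"EventID": 4624, "AccountName": "alice", "ClientAddress": "10.0.0.5"},
    {"EventID": 4825, "AccountName": "bob",   "ClientAddress": "10.0.0.7"},
    {"EventID": 4825, "AccountName": "bob",   "ClientAddress": "10.0.0.7"},
    {"EventID": 4825, "AccountName": "carol", "ClientAddress": "10.0.0.8"},
    {"EventID": 4825, "AccountName": "carol", "ClientAddress": "10.0.0.9"},
]

# Constructed, hypothetical: accounts an administrator intended to grant RDP
# access to. A 4825 for one of these is the "valid user was not added to the
# RDP group" false positive this page describes.
EXPECTED_RDP_USERS = {"bob"}


def selection(event):
    """The Sigma selection from the page: EventID equals 4825."""
    return event.get("EventID") == 4825


def match_rule(events):
    """condition: selection -- every event the rule would alert on."""
    return [e for e in events if selection(e)]


def triage(events, expected_rdp_users):
    """Group rule hits per account and label the benign case the page names.

    Returns {account: (hit_count, distinct_client_count, verdict)}.
    """
    per_account = defaultdict(list)
    for e in match_rule(events):
        per_account[e["AccountName"]].append(e["ClientAddress"])

    result = {}
    for account, clients in per_account.items():
        n_clients = len(set(clients))
        if account in expected_rdp_users:
            # Expected RDP user denied: check Remote Desktop Users membership
            # on the target host before treating this as an attack.
            verdict = "likely false positive: valid user not added to Remote Desktop Users group"
        elif n_clients > 1:
            verdict = "review: denied RDP logons from multiple sources"
        else:
            verdict = "review: denied RDP logon"
        result[account] = (len(clients), n_clients, verdict)
    return result


if __name__ == "__main__":
    for account, (hits, sources, verdict) in triage(SAMPLE_EVENTS, EXPECTED_RDP_USERS).items():
        print(f"{account}: {hits} hit(s) from {sources} source(s) -> {verdict}")
```

The first check an analyst makes on a "likely false positive" verdict is membership of the local Remote Desktop Users group on the target host; if the account is missing, the fix is administrative and the alert can be closed with that note rather than tuned away in the rule.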