SIEM use case - Discovering RDPs


So I had to come up with a SIEM use-case configuration, which could detect RDP sessions in the network infused with additional conditional use case clauses, which I rather not talk about ;)

It turns out that different windows events are generated if a user logs on with a new log on session and when a user connects back to a disconnected terminal (RDP) session.



Event IDs 4478, whereby the payload contains the string "RDP-Tcp"
Event IDs 4624, whereby the payload contains the string "Logon Type: 10" or "Logon Type:   10".

You see that event 4624 in pre-Win2K8 has a single space ("/s") between the colon and the number 10, while in Win2k8 and on-wards there are 3 spaces between the colon and the number 10, So better use regular expression for this filter.

Hope this is of some help.



Comments

  1. Thanks ... but eventID is 4778 (reconnect) and 4779 (disconnect). Both contains RDP-Tcp payload.

    ReplyDelete
  2. Yes both contains that but I think we need to look at the keyword "reconnect" as well in the payload. Thanks for that.

    ReplyDelete

Post a Comment