SIEM use case - Discovering RDPs


So I had to come up with a SIEM use-case configuration that could detect RDP sessions in the network, combined with some additional conditional use-case clauses which I'd rather not talk about ;)

It turns out that different Windows events are generated when a user logs on with a new logon session and when a user reconnects to a disconnected terminal (RDP) session.



Event ID 4478, where the payload contains the string "RDP-Tcp"
Event ID 4624, where the payload contains the string "Logon Type: 10" or "Logon Type:   10".

Note that event 4624 on pre-Win2K8 systems has a single space ("\s") between the colon and the number 10, while on Win2K8 and onwards there are three spaces between the colon and the number 10, so it is better to use a regular expression for this filter.
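The following is an added example (not code from the original post) of the two filters described above, written as a small detection routine run over constructed sample event lines. The "EventID=<n> | <payload>" line format is an assumption made for the example, not a real SIEM schema; the 4624 check uses a whitespace-tolerant regex so that both the single-space and three-space variants of "Logon Type: 10" match, and the reconnect/disconnect check uses the IDs 4778 and 4779 given in the comment thread together with the "RDP-Tcp" payload string.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# "\s+" tolerates the single space (pre-Win2K8) and the three spaces
# (Win2K8 onwards) between the colon and the logon type. The trailing
# "\b" stops "Logon Type: 100" from matching as type 10.
LOGON_TYPE_10 = re.compile(r"Logon Type:\s+10\b")

# Event IDs from the post and its comments:
# 4624 = new logon session, 4778 = session reconnected, 4779 = session disconnected.
NEW_LOGON = 4624
RECONNECT = 4778
DISCONNECT = 4779
RDP_PAYLOAD_MARKER = "RDP-Tcp"


class RdpHit(NamedTuple):
    event_id: int
    kind: str
    user: str


def parse_event(line: str) -> Optional[Tuple[int, str]]:
    """Split a constructed 'EventID=<n> | <payload>' line into (id, payload)."""
    m = re.match(r"EventID=(\d+)\s*\|\s*(.*)$", line)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def extract_user(payload: str) -> str:
    """Pull the 'Account Name:' value out of the payload, '?' if absent."""
    m = re.search(r"Account Name:\s*(\S+)", payload)
    return m.group(1) if m else "?"


def classify(line: str) -> Optional[RdpHit]:
    """Apply the two RDP filters to one event line; None if it is not an RDP event."""
    parsed = parse_event(line)
    if parsed is None:
        return None
    event_id, payload = parsed
    # Filter 1: interactive-remote logon (type 10) in a new logon session.
    if event_id == NEW_LOGON and LOGON_TYPE_10.search(payload):
        return RdpHit(event_id, "new-rdp-session", extract_user(payload))
    # Filter 2: reconnect/disconnect of an existing session over RDP-Tcp.
    if event_id in (RECONNECT, DISCONNECT) and RDP_PAYLOAD_MARKER in payload:
        kind = "rdp-reconnect" if event_id == RECONNECT else "rdp-disconnect"
        return RdpHit(event_id, kind, extract_user(payload))
    return None


def find_rdp_sessions(lines: List[str]) -> List[RdpHit]:
    """Run classify() over a batch of lines and keep only the RDP hits."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample events (not real log data) covering both spacing
# variants, a non-RDP logon, a false-positive candidate and a console reconnect.
SAMPLE_EVENTS = [
    "EventID=4624 | Account Name: alice Logon Type: 10 Workstation Name: WS01",
    "EventID=4624 | Account Name: bob Logon Type:   10 Workstation Name: WS02",
    "EventID=4624 | Account Name: carol Logon Type: 3 Workstation Name: WS03",
    "EventID=4624 | Account Name: dave Logon Type: 100 Workstation Name: WS04",
    "EventID=4778 | Account Name: alice Session Name: RDP-Tcp#3 Client Name: LAPTOP",
    "EventID=4779 | Account Name: alice Session Name: RDP-Tcp#3 Client Name: LAPTOP",
    "EventID=4778 | Account Name: eve Session Name: Console Client Name: LOCAL",
    "not an event line at all",
]

if __name__ == "__main__":
    for hit in find_rdp_sessions(SAMPLE_EVENTS):
        print(f"{hit.event_id} {hit.kind:<16} {hit.user}")
```

Running the block prints the two type-10 logons (alice and bob, one per spacing variant) and alice's RDP-Tcp reconnect and disconnect; carol's network logon, dave's "type 100" line and eve's console reconnect are correctly left out.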

Hope this is of some help.



Comments

  1. Thanks ... but the event ID is 4778 (reconnect) and 4779 (disconnect). Both contain the RDP-Tcp payload.

  2. Yes, both contain that, but I think we need to look at the keyword "reconnect" as well in the payload. Thanks for that.
