Wednesday, December 30, 2015

SIEM use case - Discovering RDPs


So I had to come up with a SIEM use-case configuration that could detect RDP sessions in the network, infused with some additional conditional use-case clauses, which I'd rather not talk about ;)

It turns out that different Windows events are generated when a user logs on with a new logon session and when a user reconnects to a disconnected terminal (RDP) session.



Event ID 4478, where the payload contains the string "RDP-Tcp"
Event ID 4624, where the payload contains the string "Logon Type: 10" or "Logon Type:   10".

You see that event 4624 on pre-Win2K8 has a single space ("\s") between the colon and the number 10, while on Win2K8 and onwards there are three spaces between the colon and the number 10, so it is better to use a regular expression for this filter.

Hope this is of some help.
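As an added example (not part of the original post), here is the filter logic in Python over a few constructed event messages: one regex that tolerates the one-space, three-space and tab variants of "Logon Type: 10", and one for the "RDP-Tcp" session name. It assumes the reconnect/disconnect IDs 4778 and 4779 as given in the first comment below (the post body says 4478), and the field layout of the sample messages is an approximation, not copied from real logs.

```python
import re

# 4624 with remote-interactive logon type. \s+ absorbs the single space seen on
# pre-Win2K8, the three spaces on Win2K8+, and tabs; the trailing \b keeps a
# value such as "100" from matching.
LOGON_TYPE_RDP = re.compile(r"Logon Type:\s+10\b")

# Session reconnect/disconnect events carry "Session Name: RDP-Tcp#N".
RDP_SESSION = re.compile(r"Session Name:\s+RDP-Tcp\b")

LOGON_ID = 4624
RECONNECT_ID = 4778   # per the first comment; the post body says 4478
DISCONNECT_ID = 4779  # per the first comment


def classify(event_id, message):
    """Return 'rdp_logon', 'rdp_reconnect', 'rdp_disconnect' or None."""
    if event_id == LOGON_ID and LOGON_TYPE_RDP.search(message):
        return "rdp_logon"
    if event_id == RECONNECT_ID and RDP_SESSION.search(message):
        return "rdp_reconnect"
    if event_id == DISCONNECT_ID and RDP_SESSION.search(message):
        return "rdp_disconnect"
    return None


def find_rdp_activity(events):
    """events: iterable of (event_id, message). Returns [(event_id, label), ...]
    for the events that match the RDP use case, in input order."""
    hits = []
    for event_id, message in events:
        label = classify(event_id, message)
        if label is not None:
            hits.append((event_id, label))
    return hits


# Constructed sample events (approximate Security-log message text, not real logs).
SAMPLE_EVENTS = [
    (4624, "An account was successfully logged on.\tLogon Type: 10\tAccount Name: alice"),
    (4624, "An account was successfully logged on.\tLogon Type:   10\tAccount Name: bob"),
    (4624, "An account was successfully logged on.\tLogon Type:\t\t\t10\tAccount Name: carol"),
    (4624, "An account was successfully logged on.\tLogon Type: 2\tAccount Name: dave"),
    (4624, "An account was successfully logged on.\tLogon Type: 100\tAccount Name: eve"),
    (4778, "A session was reconnected to a Window Station.\tSession Name: RDP-Tcp#3\tClient Name: WS01"),
    (4778, "A session was reconnected to a Window Station.\tSession Name: Console"),
    (4779, "A session was disconnected from a Window Station.\tSession Name: RDP-Tcp#3"),
]

if __name__ == "__main__":
    for event_id, label in find_rdp_activity(SAMPLE_EVENTS):
        print(event_id, label)
```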



2 comments:

  1. Thanks ... but the event ID is 4778 (reconnect) and 4779 (disconnect). Both contain the RDP-Tcp payload.

  2. Yes, both contain that, but I think we need to look at the keyword "reconnect" in the payload as well. Thanks for that.
