Windows RDP Connection Successful
Description
The following analytic identifies successful remote desktop connections. Use this analytic to hunt for successful attempts. In addition, the query may be modified to EventCode=1148 to potentially identify failed attempts; in testing, however, 1148 was not generated by a failed logon attempt. Note that this analytic requires the relevant event log to be enabled and a stanza in inputs.conf.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-04-17
- Author: Michael Haag, Splunk
- ID: ceaed840-56b3-4a70-b8e1-d762b1c5c08c
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
`remoteconnectionmanager` EventCode=1149
| stats count min(_time) as firstTime max(_time) as lastTime by ComputerName, Source_Network_Address, User, Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename ComputerName as dest
| `windows_rdp_connection_successful_filter`
Macros
The SPL above uses the following Macros:
windows_rdp_connection_successful_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- EventCode
- ComputerName
- Source_Network_Address
- User
- Message
How To Implement
The following analytic requires the Windows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706.
Known False Positives
False positives will be present, filter as needed or restrict to critical assets on the perimeter.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 25.0 | 50 | 50 | A successful RDP connection on $dest$ occurred. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). The initial Confidence and Impact are set by the analytic author.
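As an added example (not part of the Splunk content or the search above), the Python below re-implements the search's stats aggregation, the trailing filter macro and the risk formula over constructed EventCode 1149 records; the field names follow the search, while the sample hosts, addresses, users and the `jump_host_filter` stand-in for `windows_rdp_connection_successful_filter` are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records shaped like the Splunk fields the search uses (made-up values).
SAMPLE_EVENTS = [
    {"_time": "2023-04-17T09:01:00+00:00", "EventCode": 1149,
     "ComputerName": "srv01.corp.example", "Source_Network_Address": "10.0.5.21",
     "User": "CORP\\alice", "Message": "Remote Desktop Services: User authentication succeeded:"},
    {"_time": "2023-04-17T09:40:00+00:00", "EventCode": 1149,
     "ComputerName": "srv01.corp.example", "Source_Network_Address": "10.0.5.21",
     "User": "CORP\\alice", "Message": "Remote Desktop Services: User authentication succeeded:"},
    {"_time": "2023-04-17T10:15:00+00:00", "EventCode": 1148,  # not matched by the 1149 search
     "ComputerName": "srv01.corp.example", "Source_Network_Address": "10.0.5.22",
     "User": "CORP\\bob", "Message": "Remote Desktop Services: User authentication failed:"},
    {"_time": "2023-04-17T23:58:00+00:00", "EventCode": 1149,
     "ComputerName": "srv02.corp.example", "Source_Network_Address": "203.0.113.9",
     "User": "CORP\\svc_backup", "Message": "Remote Desktop Services: User authentication succeeded:"},
]

def rdp_connection_successful(events, event_code=1149, filter_fn=None):
    """Mirror of the SPL: keep EventCode matches, stats count/min/max _time by
    ComputerName, Source_Network_Address, User, Message, rename ComputerName to
    dest, then apply the filter macro (filter_fn returns True for rows to drop)."""
    groups = defaultdict(list)
    for e in events:
        if e.get("EventCode") != event_code:
            continue
        key = (e["ComputerName"], e["Source_Network_Address"], e["User"], e["Message"])
        groups[key].append(datetime.fromisoformat(e["_time"]))
    rows = []
    for (dest, src, user, msg), times in groups.items():
        row = {"dest": dest, "Source_Network_Address": src, "User": user,
               "Message": msg, "count": len(times),
               "firstTime": min(times).isoformat(), "lastTime": max(times).isoformat()}
        if filter_fn is None or not filter_fn(row):
            rows.append(row)
    return rows

def jump_host_filter(row, allowed_sources=frozenset({"10.0.5.21"})):
    """Hypothetical stand-in for the filter macro: suppress an assumed jump-host source."""
    return row["Source_Network_Address"] in allowed_sources

def risk_score(impact=50, confidence=50):
    """Risk Score = Impact * Confidence / 100, as stated on the page."""
    return impact * confidence / 100

if __name__ == "__main__":
    for r in rdp_connection_successful(SAMPLE_EVENTS, filter_fn=jump_host_filter):
        print(f"risk={risk_score()} A successful RDP connection on {r['dest']} occurred. "
              f"src={r['Source_Network_Address']} user={r['User']} count={r['count']}")
```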
Reference
- https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706
- https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range.
source | version: 1