Windows RDP Connection Successful

Name:Windows RDP Connection Successful
id:ceaed840-56b3-4a70-b8e1-d762b1c5c08c
version:4
date:2024-10-17
author:Michael Haag, Splunk
status:production
type:Hunting
Description:The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly.
Data_source:

• -Windows Event Log RemoteConnectionManager 1149

search:`remoteconnectionmanager` EventCode=1149
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename Computer as dest
| `windows_rdp_connection_successful_filter`

how_to_implement:The following analyic requires the WIndows TerminalServices RemoteConnectionManager Operational log to be enabled and ingested into Splunk. For the inputs, review https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706.
known_false_positives:False positives will be present, filter as needed or restrict to critical assets on the perimeter.
References:
  -https://gist.github.com/MHaggis/138c6bf563bacbda4a2524f089773706
  -https://doublepulsar.com/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Active Directory Lateral Movement'
    - 'BlackByte Ransomware'
  asset_type:Endpoint
  atomic_guid:
  confidence:50
  impact:50
  message:A successful RDP connection on $dest$ occurred.
  mitre_attack_id:
    - 'T1563.002'
  observable:
    name:'dest'
    type:'Hostname'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - 'EventCode'
    - 'ComputerName'
    - 'Source_Network_Address'
    - 'User'
    - 'Message'
  risk_score:25
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/windows-xml.log
  source: WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  sourcetype: XmlWinEventLog
manual_test:None