Name:Windows RDPClient Connection Sequence Events id:67340df1-3f1d-4470-93c8-9ac7249d11b0 version:1 date:2024-11-21 author:Michael Haag, Splunk status:production type:Anomaly Description:This analytic monitors Windows RDP client connection sequence events (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational log. These events track when RDP ClientActiveX initiates connection attempts to remote servers. The connection sequence is a critical phase of RDP where the client and server exchange settings and establish common parameters for the session. Monitoring these events can help identify unusual RDP connection patterns, potential lateral movement attempts, unauthorized remote access activity, and RDP connection chains that may indicate compromised systems. NOTE the analytic was written for Multi-Line as XML was not properly parsed out. Data_source:
-Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
search:`wineventlog_rdp` EventCode=1024 | rename host as dest | stats count as "Event Count", min(_time) as firstTime, max(_time) as lastTime, values(Message) as messages by dest, source, LogName, EventCode, category | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rdpclient_connection_sequence_events_filter`
how_to_implement:To successfully implement this detection, ensure Windows RDP Client Operational logs are being collected and forwarded to Splunk. Enable logging for "Microsoft-Windows-TerminalServices-RDPClient/Operational", via a new inputs.conf input. See references for more details. known_false_positives:Legitimate RDP connections from authorized administrators and users will generate these events. To reduce false positives, you should baseline normal RDP connection patterns in your environment, whitelist expected RDP connection chains between known administrative workstations and servers, and track authorized remote support sessions. References: -https://gist.github.com/MHaggis/acd5dcbf1d4fb705b77f0a48e772eefc -https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Spearphishing Attachments' asset_type:Endpoint confidence:70 impact:10 message:A Windows RDP client initiated a connection sequence event (EventCode 1024) on host $dest$. mitre_attack_id: - 'T1133' observable: name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'host' - 'source' - 'LogName' - 'EventCode' - 'category' risk_score:7 security_domain:endpoint cve:
