-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2016-04-005.yaml
39 lines (39 loc) · 1.42 KB
/
CAR-2016-04-005.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
title: Remote Desktop Logon
submission_date: 2016/04/19
information_domain: Host
platforms:
- Windows
subtypes:
- Login
analytic_types:
- Situational Awareness
contributors:
- MITRE/NSA
id: CAR-2016-04-005
description: 'A remote desktop logon, through [RDP](https://attack.mitre.org/techniques/T1021/001), may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.'
coverage:
- technique: T1021
tactics:
- TA0008
subtechniques:
- T1021.001
coverage: Moderate
implementations:
- description: 'Look in the system logs for remote logons using RDP.'
code: |-
[EventCode] == 4624 and
[AuthenticationPackageName] == 'Negotiate' and
[Severity] == "Information" and
[LogonType] == 10
type: pseudocode
- description: '[Sigma version](https://github.com/Neo23x0/sigma/blob/master/rules/windows/builtin/win_admin_rdp_login.yml) of the above pseudocode, with some modifications.'
type: Sigma
- description: LogPoint version of the above pseudocode.
code: |-
norm_id=WinServer event_id=4624 package="Negotiate" log_level="INFO" logon_type=10
type: LogPoint
data_mode: LogPoint native
d3fend_mappings:
- iri: d3f:RemoteTerminalSessionDetection
id: D3-RTSD
label: Remote Terminal Session Detection