add win_not_allowed_rdp_access.yml rule

2024-11-07 09:48:58 +00:00 · 2020-06-26 22:15:53 +00:00 · 2020-06-26 22:15:53 +00:00 · 502ec4b417
commit 502ec4b417
parent 555c94bd7e
1 changed files with 26 additions and 0 deletions
--- a/rules/windows/builtin/win_not_allowed_rdp_access.yml
+++ b/rules/windows/builtin/win_not_allowed_rdp_access.yml
@ -0,0 +1,26 @@
+title: A User Was Denied The Access To Remote Desktop
+id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
+description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
+    Often, this event can be generated by attackers when searching for available windows servers in the network.
+status: experimental
+tags:
+    - attack.lateral_movement
+    - attack.t1076
+references:
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
+author: Pushkarev Dmitry
+date: 2020/06/27
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4825
+    condition: selection
+fields:
+    - EventCode
+    - AccountName
+    - ClientAddress
+falsepositives:
+    - Valid user was not added to RDP group
+level: medium