Rule: Adjusted RDP login from localhost rule level

2024-11-07 01:45:21 +00:00 · 2019-01-29 14:04:10 +01:00 · 2019-01-29 14:04:10 +01:00 · a2eac623a6
commit a2eac623a6
parent c9ec469180
1 changed files with 4 additions and 2 deletions
--- a/rules/windows/builtin/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/win_rdp_localhost_login.yml
@ -2,6 +2,8 @@ title: RDP Login from localhost
 description: RDP login with localhost source address may be a tunnelled login
 references:
    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+date: 2019/01/28
+modified: 2019/01/29
 tags:
    - attack.lateral_movement
 status: experimental
@ -18,5 +20,5 @@ detection:
            - "127.0.0.1"
    condition: selection
 falsepositives:
-    - Legitimate administration
-level: low
+    - Unknown
+level: high