Merge pull request #863 from qwerty1q2w/feature

add win_not_allowed_rdp_access.yml rule
2024-11-07 09:48:58 +00:00 · 2020-06-30 10:03:11 +02:00 · 2020-06-30 10:03:11 +02:00 · ba682c5de6
commit ba682c5de6
parent 2e3669a5a4 77553e11e8
1 changed files with 26 additions and 0 deletions
--- a/rules/windows/builtin/win_not_allowed_rdp_access.yml
+++ b/rules/windows/builtin/win_not_allowed_rdp_access.yml
@ -0,0 +1,26 @@
+title: Denied Access To Remote Desktop
+id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
+description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
+    Often, this event can be generated by attackers when searching for available windows servers in the network.
+status: experimental
+tags:
+    - attack.lateral_movement
+    - attack.t1076
+references:
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
+author: Pushkarev Dmitry
+date: 2020/06/27
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4825
+    condition: selection
+fields:
+    - EventCode
+    - AccountName
+    - ClientAddress
+falsepositives:
+    - Valid user was not added to RDP group
+level: medium