title: Potential Remote Desktop Connection to Non-Domain Host
id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
status: experimental
description: Detects logons using NTLM to hosts that are potentially not part of the domain.
references:
    - n/a
author: James Pemberton
date: 2020/05/22
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8001
        TargetName|startswith: TERMSRV
    condition: selection
fields:
    - Computer
    - UserName
    - DomainName
    - TargetName
falsepositives:
    - Host connections to valid domains, exclude these.
    - Host connections not using host FQDN.
    - Host connections to external legitimate domains.
level: medium