SigmaHQ/rules/windows/builtin/win_not_allowed_rdp_access.yml
2020-06-30 10:03:00 +02:00

27 lines
844 B
YAML

title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
Often, this event can be generated by attackers when searching for available windows servers in the network.
status: experimental
tags:
- attack.lateral_movement
- attack.t1076
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
date: 2020/06/27
logsource:
product: windows
service: security
detection:
selection:
EventID: 4825
condition: selection
fields:
- EventCode
- AccountName
- ClientAddress
falsepositives:
- Valid user was not added to RDP group
level: medium