/
Anomalous RDP Activity.yaml
35 lines (35 loc) · 1.29 KB
/
Anomalous RDP Activity.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
id: c01d95d3-ee85-4e7f-9aed-e62356f1de76
name: Anomalous RDP Activity
description: |
'Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP).
The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment.'
requiredDataConnectors:
- connectorId: BehaviorAnalytics
dataTypes:
- BehaviorAnalytics
tactics:
- LateralMovement
relevantTechniques:
- T1021
query: |
BehaviorAnalytics
| where ActivityType =~ "LogOn"
| where ActionType =~ "RemoteInteractiveLogon"
| where ActivityInsights has "True"
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
| extend Name=split(UserPrincipalName, "@")[0], UPNSuffix=split(UserPrincipalName, "@")[1]
| extend Account_0_Name = Name
| extend Account_0_UPNSuffix = UPNSuffix
| extend IP_0_Address = SourceIPAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIPAddress
version: 2.0.0