A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.
|Technique||Subtechnique(s)||Tactic(s)||Level of Coverage|
|Remote Services||Remote Desktop Protocol||Lateral Movement||Moderate|
|D3-RTSD||Remote Terminal Session Detection|
Look in the system logs for remote logons using RDP.
[EventCode] == 4624 and [AuthenticationPackageName] == 'Negotiate' and [Severity] == "Information" and [LogonType] == 10
Sigma version of the above pseudocode, with some modifications.
LogPoint version of the above pseudocode.
norm_id=WinServer event_id=4624 package="Negotiate" log_level="INFO" logon_type=10