Detection: Windows RDPClient Connection Sequence Events

Updated Date: 2024-11-21 ID: 67340df1-3f1d-4470-93c8-9ac7249d11b0 Author: Michael Haag, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

This analytic monitors Windows RDP client connection sequence events (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational log. These events track when RDP ClientActiveX initiates connection attempts to remote servers. The connection sequence is a critical phase of RDP where the client and server exchange settings and establish common parameters for the session. Monitoring these events can help identify unusual RDP connection patterns, potential lateral movement attempts, unauthorized remote access activity, and RDP connection chains that may indicate compromised systems. NOTE the analytic was written for Multi-Line as XML was not properly parsed out.

1`wineventlog_rdp` EventCode=1024 
2| rename host as dest 
3| stats count as "Event Count", min(_time) as firstTime, max(_time) as lastTime, values(Message) as messages by dest, source, LogName, EventCode, category 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| `windows_rdpclient_connection_sequence_events_filter`

Data Source

Name Platform Sourcetype Source
Windows Event Log Microsoft Windows TerminalServices RDPClient 1024 Windows icon Windows 'WinEventLog' 'WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_rdpclient_connection_sequence_events_filter search *
windows_rdpclient_connection_sequence_events_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1133 External Remote Services Initial Access
KillChainPhase.DELIVERY
KillChainPhase.INSTALLATION
NistCategory.DE_AE
Cis18Value.CIS_10
APT18
APT28
APT29
APT41
Akira
Chimera
Dragonfly
Ember Bear
FIN13
FIN5
GALLIUM
GOLD SOUTHFIELD
Ke3chang
Kimsuky
LAPSUS$
Leviathan
OilRig
Play
Sandworm Team
Scattered Spider
TeamTNT
Threat Group-3390
Volt Typhoon
Wizard Spider

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To successfully implement this detection, ensure Windows RDP Client Operational logs are being collected and forwarded to Splunk. Enable logging for "Microsoft-Windows-TerminalServices-RDPClient/Operational", via a new inputs.conf input. See references for more details.

Known False Positives

Legitimate RDP connections from authorized administrators and users will generate these events. To reduce false positives, you should baseline normal RDP connection patterns in your environment, whitelist expected RDP connection chains between known administrative workstations and servers, and track authorized remote support sessions.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
A Windows RDP client initiated a connection sequence event (EventCode 1024) on host $dest$. 7 10 70
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational WinEventLog
Integration ✅ Passing Dataset WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational WinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1