
Raiders of the Lost RDP: The Haag Crusade #3211

Open · wants to merge 7 commits into develop

Conversation

MHaggis (Contributor) commented Nov 25, 2024

Enhanced RDP Security Monitoring Suite

This PR introduces a comprehensive set of detections and supporting components for monitoring Windows Remote Desktop Protocol (RDP) activities, enhancing our ability to detect potential lateral movement and unauthorized remote access.

New Detections

1. Windows RDP File Execution

  • Monitors execution of .rdp files from high-risk directories
  • Focuses on temp folders, download directories, and Outlook temporary locations
  • Helps identify potential spear-phishing campaigns using malicious RDP files

2. Windows RDPClient Connection Sequence Events

  • Tracks RDP ClientActiveX connection attempts (Event ID 1024)
  • Provides visibility into initial connection sequences
  • Helps identify unusual remote access patterns and potential lateral movement

Infrastructure Additions

New Data Source

  • Added support for Microsoft-Windows-TerminalServices-RDPClient/Operational logs
  • Specifically tracking Event ID 1024 for connection sequence monitoring
  • Enhances visibility into RDP client-side activities

New Macro

  • Introduced wineventlog_rdp macro for standardized RDP event querying
  • Improves consistency across RDP-related detections
  • Simplifies future RDP detection development

Screenshots

  • Added detection screenshots for validation and documentation
  • Demonstrates expected data presentation and field mapping

[Screenshot: Windows RDP File Execution detection results]

[Screenshot: Windows RDPClient Connection Sequence Events detection results]

Testing

  • Validated against Attack Range dataset
  • Confirmed detection of RDP connection sequences
  • Verified file execution monitoring capabilities
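The two detections in this PR, re-stated as runnable logic over constructed sample events so the matching criteria and a possible correlation between them can be seen end to end. This is an added example in Python, not the project's SPL detections or the `wineventlog_rdp` macro; the event field names (`Image`, `CommandLine`, `Channel`, `EventID`, `Message`), the list of high-risk directories, the 1024 message text and all sample records are this example's assumptions.

```python
"""Toy re-implementation of the two RDP detections described in this PR, run over
constructed sample events. Example code for illustration; it is not the project's
SPL, and the event fields and directory list are this example's assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

RDPCLIENT_CHANNEL = "Microsoft-Windows-TerminalServices-RDPClient/Operational"

# Directories treated as high risk for .rdp execution. The PR names temp folders,
# download directories and Outlook temporary locations; the exact paths here are
# this example's assumption, not the project's list. Matched case-insensitively.
HIGH_RISK_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\downloads\\",
    "\\appdata\\local\\microsoft\\windows\\inetcache\\content.outlook\\",
)

# First quoted or bare Windows path ending in .rdp on a command line.
RDP_FILE_RE = re.compile(r'"?([a-z]:\\[^"]*?\.rdp)"?', re.IGNORECASE)
# Event 1024 message: "RDP ClientActiveX is trying to connect to the server (HOST)".
EVENT_1024_RE = re.compile(r"trying to connect to the server \((?P<server>[^)]+)\)")


@dataclass
class Finding:
    host: str
    user: str
    detection: str
    detail: str      # the .rdp path or the target server
    time: datetime


def detect_rdp_file_execution(proc_events):
    """Detection 1: mstsc.exe launched with a .rdp file from a high-risk directory."""
    findings = []
    for ev in proc_events:
        if not ev["Image"].lower().endswith("\\mstsc.exe"):
            continue
        m = RDP_FILE_RE.search(ev["CommandLine"])
        if m and any(d in m.group(1).lower() for d in HIGH_RISK_DIRS):
            findings.append(Finding(ev["Computer"], ev["User"],
                                    "Windows RDP File Execution", m.group(1), ev["UtcTime"]))
    return findings


def detect_rdp_client_connections(log_events):
    """Detection 2: Event ID 1024 in the RDPClient/Operational channel (connection attempt)."""
    findings = []
    for ev in log_events:
        if ev["Channel"] != RDPCLIENT_CHANNEL or ev["EventID"] != 1024:
            continue
        m = EVENT_1024_RE.search(ev["Message"])
        server = m.group("server") if m else "<unparsed>"
        findings.append(Finding(ev["Computer"], ev["User"],
                                "Windows RDPClient Connection Sequence Events", server, ev["UtcTime"]))
    return findings


def correlate(file_findings, conn_findings, window=timedelta(minutes=5)):
    """Chain a risky .rdp launch to a 1024 connection attempt on the same host within `window`.
    This is the lure-file-to-outbound-RDP sequence the two detections together point at."""
    return [(f.detail, c.detail)
            for f in file_findings for c in conn_findings
            if c.host == f.host and f.time <= c.time <= f.time + window]


T0 = datetime(2024, 11, 25, 10, 0, 0)

# Constructed Sysmon-style process creation records (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "UtcTime": T0,
     "Image": "C:\\Windows\\System32\\mstsc.exe",
     "CommandLine": '"C:\\Windows\\System32\\mstsc.exe" "C:\\Users\\alice\\Downloads\\invoice.rdp"'},
    {"Computer": "WS02", "User": "CORP\\bob", "UtcTime": T0 + timedelta(minutes=1),
     "Image": "C:\\Windows\\System32\\mstsc.exe",        # admin-saved profile, benign location
     "CommandLine": '"C:\\Windows\\System32\\mstsc.exe" "C:\\Users\\bob\\Documents\\fileserver.rdp"'},
    {"Computer": "WS01", "User": "CORP\\alice", "UtcTime": T0 + timedelta(minutes=3),
     "Image": "C:\\Windows\\System32\\mstsc.exe",        # Outlook secure temp folder
     "CommandLine": '"C:\\Windows\\System32\\mstsc.exe" "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\AB12CD34\\remote-support.rdp"'},
]

# Constructed RDPClient/Operational records (not real telemetry).
SAMPLE_RDPCLIENT_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "UtcTime": T0 + timedelta(seconds=30),
     "Channel": RDPCLIENT_CHANNEL, "EventID": 1024,
     "Message": "RDP ClientActiveX is trying to connect to the server (203.0.113.10)"},
    {"Computer": "WS02", "User": "CORP\\bob", "UtcTime": T0 + timedelta(seconds=80),
     "Channel": RDPCLIENT_CHANNEL, "EventID": 1024,
     "Message": "RDP ClientActiveX is trying to connect to the server (fileserver.corp.local)"},
    {"Computer": "WS01", "User": "CORP\\alice", "UtcTime": T0 + timedelta(seconds=31),
     "Channel": RDPCLIENT_CHANNEL, "EventID": 1102,     # later stage, not the 1024 trigger
     "Message": "The client has initiated a multi-transport connection to the server 203.0.113.10."},
]


def run_demo():
    files = detect_rdp_file_execution(SAMPLE_PROCESS_EVENTS)
    conns = detect_rdp_client_connections(SAMPLE_RDPCLIENT_EVENTS)
    return {"rdp_file_execution": files, "rdpclient_1024": conns, "chains": correlate(files, conns)}


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(name)
        for h in hits:
            print("  ", h)
```

On the sample data the file-execution rule fires twice on WS01 (Downloads and the Outlook temp folder) and ignores bob's profile saved under Documents, the 1024 rule fires once per host and skips the 1102 follow-on event, and only alice's Downloads launch is followed within five minutes by a 1024 attempt on the same host, which is the pair worth raising first. Restricting the file rule to `mstsc.exe` keeps a `.rdp` opened in a text editor from counting as execution; tune the directory list to the environment's actual temp and attachment locations.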

mvelazc0 (Contributor) commented:

cool use case buddy!
