30 строки
1.1 KiB
YAML
30 строки
1.1 KiB
YAML
id: c01d95d3-ee85-4e7f-9aed-e62356f1de76
|
|
name: Anomalous RDP Activity
|
|
description: |
|
|
'Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP).
|
|
The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment.'
|
|
requiredDataConnectors:
|
|
- connectorId: BehaviorAnalytics
|
|
dataTypes:
|
|
- BehaviorAnalytics
|
|
tactics:
|
|
- LateralMovement
|
|
relevantTechniques:
|
|
-
|
|
query: |
|
|
|
|
BehaviorAnalytics
|
|
| where ActivityType == "LogOn"
|
|
| where ActionType == "RemoteInteractiveLogon"
|
|
| where ActivityInsights has "True"
|
|
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights
|
|
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: UserPrincipalName
|
|
- entityType: IP
|
|
fieldMappings:
|
|
- identifier: Address
|
|
columnName: SourceIPAddress |