
Summary
This rule uses a machine learning job to detect anomalous behavior in Remote Desktop Protocol (RDP) connections: specifically, an unusually high number of distinct source IPs attempting RDP connections to a single destination IP within a given timeframe. The rationale is that attackers often use multiple compromised systems for lateral movement to reduce the chance of being detected and blocked. The rule analyzes data from the past 12 hours with a detection interval of 15 minutes, looking for spikes that may indicate malicious activity. It requires the Lateral Movement Detection infrastructure to be fully configured and operational in the Elastic platform. Once a spike is detected, recommended investigative steps include reviewing the source IPs against known threats and analyzing patterns in the connection attempts. The rule also accounts for potential false positives from legitimate administrative activity or automated connections, and suggests methods for excluding them where necessary.
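As an added illustration of the counting logic the summary describes (this is not Elastic's ML job or the rule's own code), the snippet below buckets constructed RDP flow records into 15-minute windows, counts distinct source IPs per destination IP, and flags a bucket whose count stands out against the earlier buckets. The spike thresholds and the source-IP exclusion list are assumptions standing in for the learned baseline and the rule's exclusion guidance.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample flow records (not real telemetry):
# (timestamp, source IP, destination IP, destination port)
SAMPLE_FLOWS = [
    ("2023-10-12T08:00:10", "10.0.1.5",  "10.0.2.20", 3389),
    ("2023-10-12T08:20:00", "10.0.1.5",  "10.0.2.20", 3389),
    ("2023-10-12T08:40:00", "10.0.1.6",  "10.0.2.20", 3389),
    ("2023-10-12T09:05:00", "10.0.1.5",  "10.0.2.20", 3389),
    ("2023-10-12T09:20:00", "10.0.1.7",  "10.0.2.20", 443),   # not RDP, ignored
    ("2023-10-12T09:31:00", "10.0.1.11", "10.0.2.20", 3389),
    ("2023-10-12T09:32:00", "10.0.1.12", "10.0.2.20", 3389),
    ("2023-10-12T09:33:00", "10.0.1.13", "10.0.2.20", 3389),
    ("2023-10-12T09:34:00", "10.0.1.14", "10.0.2.20", 3389),
    ("2023-10-12T09:35:00", "10.0.1.15", "10.0.2.20", 3389),
    ("2023-10-12T09:36:00", "10.0.1.16", "10.0.2.20", 3389),
]

RDP_PORT = 3389
BUCKET_MINUTES = 15  # detection interval from the rule summary

def bucket_distinct_sources(flows, exclude=frozenset(), port=RDP_PORT):
    """Return {dest_ip: {bucket_start: set(source_ips)}} for flows to `port`.
    `exclude` holds source IPs treated as known-good (e.g. admin jump hosts)."""
    per_dest = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, dport in flows:
        if dport != port or src in exclude:
            continue
        t = datetime.fromisoformat(ts)
        # floor the timestamp to the start of its 15-minute bucket
        start = t.replace(minute=t.minute - t.minute % BUCKET_MINUTES, second=0, microsecond=0)
        per_dest[dst][start].add(src)
    return per_dest

def find_spikes(flows, exclude=frozenset(), min_sources=5, factor=3.0):
    """Flag (dest_ip, bucket_start, distinct_sources) where a bucket's count is at least
    `min_sources` and more than `factor` times the median of the preceding buckets.
    Thresholds are illustrative assumptions, not the ML job's learned baseline."""
    alerts = []
    for dst, buckets in bucket_distinct_sources(flows, exclude).items():
        history = []
        for start in sorted(buckets):
            n = len(buckets[start])
            baseline = median(history) if history else 0
            if n >= min_sources and n > factor * max(baseline, 1):
                alerts.append((dst, start.isoformat(), n))
            history.append(n)
    return alerts
```

With the sample data, the 09:30 bucket (six distinct sources against a baseline of one) is flagged; excluding two of those sources as known admin hosts drops it below the threshold.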
Categories
- Network
- Endpoint
- Windows
- Cloud
Data Sources
- User Account
- Network Traffic
- Logon Session
- Process
- Script
ATT&CK Techniques
- T1210
Created: 2023-10-12