High Mean of RDP Session Duration

A machine learning job has detected an unusually high mean RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and may be used to perform tasks, such as lateral movement, that require uninterrupted access to a compromised machine.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade
detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might
require uninterrupted access to a compromised machine.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_mean_rdp_session_duration"
name = "High Mean of RDP Session Duration"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/lmd",
    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
]
risk_score = 21
rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1"
setup = """## Setup

The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.

### Lateral Movement Detection Setup
The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Lateral Movement Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).

#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Lateral Movement Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating High Mean of RDP Session Duration

Remote Desktop Protocol (RDP) enables remote access to systems, facilitating administrative tasks. However, adversaries exploit prolonged RDP sessions to maintain persistent access, potentially conducting lateral movements undetected. The 'High Mean of RDP Session Duration' detection rule leverages machine learning to identify anomalies in session lengths, flagging potential misuse indicative of malicious activity.

### Possible investigation steps

- Review the specific RDP session details, including the start and end times, to understand the duration and identify any patterns or anomalies in session lengths.
- Correlate the flagged RDP session with user activity logs to determine if the session aligns with expected user behavior or if it deviates from normal patterns.
- Check for any concurrent or subsequent suspicious activities, such as file transfers or command executions, that might indicate lateral movement or data exfiltration.
- Investigate the source and destination IP addresses involved in the RDP session to identify if they are known, trusted, or associated with any previous security incidents.
- Analyze the user account involved in the RDP session for any signs of compromise, such as recent password changes, failed login attempts, or unusual access patterns.
- Review any recent changes in the network or system configurations that might have affected RDP session durations or security settings.

### False positive analysis

- Extended RDP sessions for legitimate administrative tasks can trigger false positives. To manage this, identify and whitelist IP addresses or user accounts associated with routine administrative activities.
- Scheduled maintenance or software updates often require prolonged RDP sessions. Exclude these activities by setting time-based exceptions during known maintenance windows.
- Remote support sessions from trusted third-party vendors may appear as anomalies. Create exceptions for these vendors by verifying their IP addresses and adding them to an allowlist.
- Training sessions or demonstrations using RDP can result in longer session durations. Document and exclude these events by correlating them with scheduled training times and user accounts involved.
- Automated scripts or processes that maintain RDP sessions for monitoring purposes can be mistaken for threats. Identify these scripts and exclude their associated user accounts or machine names from the detection rule.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious or unauthorized RDP sessions to cut off potential adversary access.
- Conduct a thorough review of user accounts and permissions on the affected system to identify and disable any compromised accounts.
- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
- Restore the system from a known good backup if any unauthorized changes or malware are detected.
- Monitor network traffic and logs for any signs of further exploitation attempts or related suspicious activity.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating High Mean of RDP Session Duration

Remote Desktop Protocol (RDP) enables remote access to systems, facilitating administrative tasks. However, adversaries exploit prolonged RDP sessions to maintain persistent access, potentially conducting lateral movement undetected. The 'High Mean of RDP Session Duration' detection rule leverages machine learning to identify anomalies in session lengths, flagging potential misuse indicative of malicious activity.

Possible investigation steps

  • Review the specific RDP session details, including the start and end times, to understand the duration and identify any patterns or anomalies in session lengths.
  • Correlate the flagged RDP session with user activity logs to determine if the session aligns with expected user behavior or if it deviates from normal patterns.
  • Check for any concurrent or subsequent suspicious activities, such as file transfers or command executions, that might indicate lateral movement or data exfiltration.
  • Investigate the source and destination IP addresses involved in the RDP session to identify if they are known, trusted, or associated with any previous security incidents.
  • Analyze the user account involved in the RDP session for any signs of compromise, such as recent password changes, failed login attempts, or unusual access patterns.
  • Review any recent changes in the network or system configurations that might have affected RDP session durations or security settings.

False positive analysis

  • Extended RDP sessions for legitimate administrative tasks can trigger false positives. To manage this, identify and whitelist IP addresses or user accounts associated with routine administrative activities.
  • Scheduled maintenance or software updates often require prolonged RDP sessions. Exclude these activities by setting time-based exceptions during known maintenance windows.
  • Remote support sessions from trusted third-party vendors may appear as anomalies. Create exceptions for these vendors by verifying their IP addresses and adding them to an allowlist.
  • Training sessions or demonstrations using RDP can result in longer session durations. Document and exclude these events by correlating them with scheduled training times and user accounts involved.
  • Automated scripts or processes that maintain RDP sessions for monitoring purposes can be mistaken for threats. Identify these scripts and exclude their associated user accounts or machine names from the detection rule.
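The investigation steps above ask for each session's start and end times, and the false positive guidance asks for allowlisted accounts, allowlisted vendor addresses and maintenance-window exceptions. The following is an added example, not code from Elastic or from the Lateral Movement Detection integration, that shows those two pieces working together over constructed RDP logon/logoff events: it pairs events into sessions (keeping sessions that never closed separate), drops the sessions the exclusions cover, computes each user's mean duration, and flags users whose mean is a robust outlier. The event field set, the sample events, the allowlist values, the maintenance window and the median/MAD scoring are all assumptions made for the example; the ML job's own model is not reproduced.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

DAY = "2025-01-15"  # every constructed event falls on this UTC day
# Constructed events (time, action, user, host, source IP, session id), not real telemetry.
# The field set is an assumption modelled on ECS; session id pairs a logon with its logoff
# the way the Session ID field in the TerminalServices-LocalSessionManager log does.
SAMPLE_EVENTS = [
    ("08:00", "logon", "alice", "srv-01", "10.0.5.20", 1),
    ("08:45", "logoff", "alice", "srv-01", "10.0.5.20", 1),
    ("10:00", "logon", "alice", "srv-01", "10.0.5.20", 2),
    ("10:30", "logoff", "alice", "srv-01", "10.0.5.20", 2),
    ("02:00", "logon", "carol", "srv-04", "10.0.5.40", 1),  # inside the maintenance window
    ("02:50", "logoff", "carol", "srv-04", "10.0.5.40", 1),
    ("11:00", "logon", "carol", "srv-04", "10.0.5.40", 2),
    ("11:35", "logoff", "carol", "srv-04", "10.0.5.40", 2),
    ("00:00", "logon", "svc_backup", "srv-05", "10.0.9.5", 1),  # allowlisted service account
    ("10:00", "logoff", "svc_backup", "srv-05", "10.0.9.5", 1),
    ("09:00", "logon", "vendor_support", "srv-06", "203.0.113.10", 1),  # allowlisted vendor IP
    ("14:00", "logoff", "vendor_support", "srv-06", "203.0.113.10", 1),
    ("06:00", "logon", "mallory", "srv-07", "10.0.5.77", 1),  # 480 minutes
    ("14:00", "logoff", "mallory", "srv-07", "10.0.5.77", 1),
    ("14:30", "logon", "mallory", "srv-08", "10.0.5.77", 1),  # 420 minutes
    ("21:30", "logoff", "mallory", "srv-08", "10.0.5.77", 1),
    ("16:00", "logon", "dave", "srv-09", "10.0.5.90", 1),  # no logoff yet: still open
]
# Exclusions of the kinds the false positive guidance describes (constructed values).
ALLOWLISTED_USERS = {"svc_backup"}
ALLOWLISTED_SOURCE_IPS = {"203.0.113.10"}
MAINTENANCE_WINDOWS = [("01:00", "04:00")]

def _ts(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"{DAY}T{hhmm}:00+00:00")

@dataclass
class Session:
    user: str
    host: str
    src_ip: str
    start: datetime
    end: Optional[datetime] = None  # None while the session is still open

    @property
    def minutes(self) -> Optional[float]:
        return None if self.end is None else (self.end - self.start).total_seconds() / 60

def pair_sessions(events) -> list:
    """Pair logon/logoff by (host, session id) in time order; unmatched logons stay open."""
    open_by_key, sessions = {}, []
    for hhmm, action, user, host, src_ip, sid in sorted(events, key=lambda e: e[0]):
        if action == "logon":
            open_by_key[(host, sid)] = Session(user, host, src_ip, _ts(hhmm))
            sessions.append(open_by_key[(host, sid)])
        elif action == "logoff" and (host, sid) in open_by_key:  # stray logoffs are ignored
            open_by_key.pop((host, sid)).end = _ts(hhmm)
    return sessions

def in_maintenance_window(s: Session) -> bool:
    """True when a closed session lies wholly inside a configured window."""
    return s.end is not None and any(_ts(a) <= s.start and s.end <= _ts(b)
                                     for a, b in MAINTENANCE_WINDOWS)

def apply_exclusions(sessions: list) -> list:
    """Drop sessions covered by the allowlists or a maintenance window."""
    return [s for s in sessions if s.user not in ALLOWLISTED_USERS
            and s.src_ip not in ALLOWLISTED_SOURCE_IPS and not in_maintenance_window(s)]

def mean_minutes_by_user(sessions: list) -> dict:
    """Mean duration, in minutes, of each user's closed sessions."""
    per_user = {}
    for s in sessions:
        if s.minutes is not None:
            per_user.setdefault(s.user, []).append(s.minutes)
    return {u: sum(v) / len(v) for u, v in per_user.items()}

def flag_high_mean(sessions: list, threshold: float = 3.5) -> dict:
    """Users whose mean is a robust (median/MAD) outlier against all closed sessions;
    a transparent stand-in for the ML job's anomaly score, not its model."""
    durations = [s.minutes for s in sessions if s.minutes is not None]
    if len(durations) < 2:
        return {}
    med = median(durations)
    scale = 1.4826 * (median(abs(d - med) for d in durations) or 1e-9)  # MAD, no div-by-zero
    scores = {u: (m - med) / scale for u, m in mean_minutes_by_user(sessions).items()}
    return {u: round(z, 1) for u, z in scores.items() if z > threshold}

def run(events=SAMPLE_EVENTS) -> dict:
    """Triage summary: open sessions, exclusions applied, per-user means, flagged users."""
    sessions = pair_sessions(events)
    scored = apply_exclusions(sessions)
    return {"open_sessions": [s.user for s in sessions if s.end is None],
            "excluded": len(sessions) - len(scored),
            "mean_minutes": {u: round(m, 1) for u, m in mean_minutes_by_user(scored).items()},
            "flagged": flag_high_mean(scored)}

if __name__ == "__main__":
    print(run())  # flagged: {'mallory': 18.2}; dave is reported as open, not scored
```

On the constructed data, the service account, the vendor session and carol's maintenance-window session are excluded before scoring, dave's still-open session is listed but never contributes a duration, and only mallory's mean of 450 minutes is flagged. The median/MAD score is deliberately simple so the exclusions' effect is visible; in production the rule's ML job supplies the anomaly score, and the allowlists map onto rule exceptions rather than code.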

Response and remediation

  • Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
  • Terminate any suspicious or unauthorized RDP sessions to cut off potential adversary access.
  • Conduct a thorough review of user accounts and permissions on the affected system to identify and disable any compromised accounts.
  • Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
  • Restore the system from a known good backup if any unauthorized changes or malware are detected.
  • Monitor network traffic and logs for any signs of further exploitation attempts or related suspicious activity.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation.
