High Mean of RDP Session Duration

calendar May 28, 2024 · Use Case: Lateral Movement Detection Rule Type: ML Rule Type: Machine Learning Tactic: Lateral Movement  ·
Share on: linkedin copy

A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/10/12"
 3integration = ["lmd", "endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8anomaly_threshold = 70
 9author = ["Elastic"]
10description = """
11A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade
12detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might
13require uninterrupted access to a compromised machine.
14"""
15from = "now-12h"
16interval = "15m"
17license = "Elastic License v2"
18machine_learning_job_id = "lmd_high_mean_rdp_session_duration"
19name = "High Mean of RDP Session Duration"
20references = [
21    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
22    "https://docs.elastic.co/en/integrations/lmd",
23    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
24    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
25]
26risk_score = 21
27rule_id = "a74c60cb-70ee-4629-a127-608ead14ebf1"
28setup = """## Setup
29
30The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.  
31
32### Lateral Movement Detection Setup
33The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
34
35#### Prerequisite Requirements:
36- Fleet is required for Lateral Movement Detection.
37- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
38- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
39- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
40
41#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
42- Go to the Kibana homepage. Under Management, click Integrations.
43- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
44- Follow the instructions under the **Installation** section.
45- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
46"""
47severity = "low"
48tags = [
49    "Use Case: Lateral Movement Detection",
50    "Rule Type: ML",
51    "Rule Type: Machine Learning",
52    "Tactic: Lateral Movement",
53]
54type = "machine_learning"
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1210"
59name = "Exploitation of Remote Services"
60reference = "https://attack.mitre.org/techniques/T1210/"
61
62
63[rule.threat.tactic]
64id = "TA0008"
65name = "Lateral Movement"
66reference = "https://attack.mitre.org/tactics/TA0008/"

References

Related rules

to-top