High Variance in RDP Session Duration
A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/10/12"
3integration = ["lmd", "endpoint"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8anomaly_threshold = 70
9author = ["Elastic"]
10description = """
11A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to
12evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that
13might require uninterrupted access to a compromised machine.
14"""
15from = "now-12h"
16interval = "15m"
17license = "Elastic License v2"
18machine_learning_job_id = "lmd_high_var_rdp_session_duration"
19name = "High Variance in RDP Session Duration"
20references = [
21 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
22 "https://docs.elastic.co/en/integrations/lmd",
23 "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
24 "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
25]
26risk_score = 21
27rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a"
28setup = """## Setup
29
30The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
31
32### Lateral Movement Detection Setup
33The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
34
35#### Prerequisite Requirements:
36- Fleet is required for Lateral Movement Detection.
37- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
38- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
39- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
40
41#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
42- Go to the Kibana homepage. Under Management, click Integrations.
43- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
44- Follow the instructions under the **Installation** section.
45- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
46"""
47severity = "low"
48tags = [
49 "Use Case: Lateral Movement Detection",
50 "Rule Type: ML",
51 "Rule Type: Machine Learning",
52 "Tactic: Lateral Movement",
53 "Resources: Investigation Guide",
54]
55type = "machine_learning"
56note = """## Triage and analysis
57
58> **Disclaimer**:
59> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
60
61### Investigating High Variance in RDP Session Duration
62
63Remote Desktop Protocol (RDP) enables remote access to systems, facilitating legitimate administrative tasks. However, adversaries exploit prolonged RDP sessions to maintain persistent access, often for lateral movement within networks. The detection rule leverages machine learning to identify anomalies in session duration, flagging potential misuse by highlighting sessions with unusually high variance, which may indicate malicious activity.
64
65### Possible investigation steps
66
67- Review the specific RDP session details, including the start and end times, to understand the duration and identify any patterns or anomalies in session length.
68- Correlate the flagged RDP session with user activity logs to determine if the session aligns with known user behavior or scheduled administrative tasks.
69- Investigate the source and destination IP addresses involved in the RDP session to identify any unusual or unauthorized access points.
70- Check for any concurrent alerts or logs indicating lateral movement or other suspicious activities originating from the same source or targeting the same destination.
71- Analyze the user account associated with the RDP session for any signs of compromise, such as recent password changes, failed login attempts, or unusual access times.
72- Review the network traffic during the RDP session for any signs of data exfiltration or communication with known malicious IP addresses.
73
74### False positive analysis
75
76- Long RDP sessions for legitimate administrative tasks can trigger false positives. To manage this, identify and whitelist IP addresses or user accounts associated with routine administrative activities.
77- Scheduled maintenance or updates often require extended RDP sessions. Exclude these sessions by setting time-based exceptions during known maintenance windows.
78- Automated scripts or tools that require prolonged RDP access for monitoring or data collection can be mistaken for anomalies. Document and exclude these processes by recognizing their unique session patterns.
79- Remote support sessions from trusted third-party vendors may appear as high variance. Establish a list of trusted vendor IPs or accounts to prevent these from being flagged.
80- Training or demonstration sessions that involve extended RDP use should be accounted for by creating exceptions for specific user groups or departments involved in such activities.
81
82### Response and remediation
83
84- Immediately isolate the affected system from the network to prevent further lateral movement and potential data exfiltration.
85- Terminate the suspicious RDP session to disrupt any ongoing unauthorized activities.
86- Conduct a thorough review of the affected system for signs of compromise, including checking for unauthorized user accounts, installed software, and changes to system configurations.
87- Reset credentials for any accounts that were accessed during the suspicious RDP session to prevent further unauthorized access.
88- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
89- Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on RDP connections and lateral movement patterns.
90- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
91[[rule.threat]]
92framework = "MITRE ATT&CK"
93[[rule.threat.technique]]
94id = "T1210"
95name = "Exploitation of Remote Services"
96reference = "https://attack.mitre.org/techniques/T1210/"
97
98
99[rule.threat.tactic]
100id = "TA0008"
101name = "Lateral Movement"
102reference = "https://attack.mitre.org/tactics/TA0008/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating High Variance in RDP Session Duration
Remote Desktop Protocol (RDP) enables remote access to systems, facilitating legitimate administrative tasks. However, adversaries exploit prolonged RDP sessions to maintain persistent access, often for lateral movement within networks. The detection rule leverages machine learning to identify anomalies in session duration, flagging potential misuse by highlighting sessions with unusually high variance, which may indicate malicious activity.
Possible investigation steps
- Review the specific RDP session details, including the start and end times, to understand the duration and identify any patterns or anomalies in session length.
- Correlate the flagged RDP session with user activity logs to determine if the session aligns with known user behavior or scheduled administrative tasks.
- Investigate the source and destination IP addresses involved in the RDP session to identify any unusual or unauthorized access points.
- Check for any concurrent alerts or logs indicating lateral movement or other suspicious activities originating from the same source or targeting the same destination.
- Analyze the user account associated with the RDP session for any signs of compromise, such as recent password changes, failed login attempts, or unusual access times.
- Review the network traffic during the RDP session for any signs of data exfiltration or communication with known malicious IP addresses.
False positive analysis
- Long RDP sessions for legitimate administrative tasks can trigger false positives. To manage this, identify and whitelist IP addresses or user accounts associated with routine administrative activities.
- Scheduled maintenance or updates often require extended RDP sessions. Exclude these sessions by setting time-based exceptions during known maintenance windows.
- Automated scripts or tools that require prolonged RDP access for monitoring or data collection can be mistaken for anomalies. Document and exclude these processes by recognizing their unique session patterns.
- Remote support sessions from trusted third-party vendors may appear as high variance. Establish a list of trusted vendor IPs or accounts to prevent these from being flagged.
- Training or demonstration sessions that involve extended RDP use should be accounted for by creating exceptions for specific user groups or departments involved in such activities.
Response and remediation
- Immediately isolate the affected system from the network to prevent further lateral movement and potential data exfiltration.
- Terminate the suspicious RDP session to disrupt any ongoing unauthorized activities.
- Conduct a thorough review of the affected system for signs of compromise, including checking for unauthorized user accounts, installed software, and changes to system configurations.
- Reset credentials for any accounts that were accessed during the suspicious RDP session to prevent further unauthorized access.
- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
- Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on RDP connections and lateral movement patterns.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
References
Related rules
- High Mean of Process Arguments in an RDP Session
- High Mean of RDP Session Duration
- Spike in Number of Connections Made from a Source IP
- Spike in Number of Connections Made to a Destination IP
- Spike in Number of Processes in an RDP Session