Unusual Time or Day for an RDP Session
A machine learning job has detected an RDP session started at an unusual time or weekday. An RDP session at an unusual time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger attack.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected an RDP session started at an unusual time or weekday. An RDP session at an unusual
time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger
attack.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_unusual_time_weekday_rdp_session_start"
name = "Unusual Time or Day for an RDP Session"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/lmd",
    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
]
risk_score = 21
rule_id = "3f4e2dba-828a-452a-af35-fe29c5e78969"
setup = """## Setup

The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.

### Lateral Movement Detection Setup
The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Lateral Movement Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).

#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Lateral Movement Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Time or Day for an RDP Session

Remote Desktop Protocol (RDP) enables remote access to systems, crucial for IT management but also a target for adversaries seeking unauthorized access. Attackers exploit RDP by initiating sessions at odd hours to avoid detection. The detection rule leverages machine learning to identify atypical RDP session timings, flagging potential lateral movement attempts for further investigation.

### Possible investigation steps

- Review the timestamp of the RDP session to determine the specific unusual time or day it was initiated, and correlate it with known business hours or scheduled maintenance windows.
- Identify the source and destination IP addresses involved in the RDP session to determine if they are internal or external, and check for any known associations with previous security incidents.
- Examine the user account used to initiate the RDP session, verifying if it is a legitimate account and if the login aligns with the user's typical behavior or role within the organization.
- Check for any additional suspicious activities or alerts involving the same user account or IP addresses around the time of the unusual RDP session, such as failed login attempts or access to sensitive files.
- Investigate any recent changes or anomalies in the network or system configurations that could have facilitated the unusual RDP session, such as newly opened ports or modified firewall rules.
- Consult logs from other security tools or systems, such as SIEM or endpoint detection and response (EDR) solutions, to gather more context on the RDP session and any related activities.

### False positive analysis

- Regular maintenance activities by IT staff during off-hours can trigger false positives. Identify and document these activities to create exceptions in the detection rule.
- Scheduled automated tasks or scripts that initiate RDP sessions at unusual times may be misclassified. Review and whitelist these tasks to prevent unnecessary alerts.
- Time zone differences for remote employees accessing systems outside of standard business hours can lead to false positives. Adjust detection parameters to account for these time zone variations.
- Third-party vendors or contractors who require access at non-standard times should be documented and their access patterns reviewed to establish exceptions.
- Emergency access situations where IT staff need to respond to critical incidents outside normal hours should be logged and considered when analyzing alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate the suspicious RDP session to halt any ongoing unauthorized activities.
- Conduct a thorough review of the affected system's logs and processes to identify any malicious activities or changes made during the session.
- Reset credentials for any accounts accessed during the unusual RDP session to prevent further unauthorized use.
- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.
- Implement enhanced monitoring on the affected system and related network segments to detect any further suspicious activities or attempts at unauthorized access."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
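The investigation guide's first triage step (correlate the session timestamp with business hours and maintenance windows) and its time-zone false-positive note can be turned into a small analyst helper. The following is an added example, not part of the Elastic rule or its integration; the business-hours defaults, the `MaintenanceWindow` record and the sample timestamps are constructed assumptions.

```python
"""Triage helper for an 'Unusual Time or Day for an RDP Session' alert (added example).

The ML job scores session-start times in UTC; this converts the alert timestamp to
the account owner's local zone and checks it against business hours and any
documented maintenance windows, so a time-zone artefact or a scheduled job can be
separated from a genuinely off-hours session before deeper investigation.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo


@dataclass(frozen=True)
class MaintenanceWindow:
    """A documented recurring window (constructed record, not an Elastic type)."""
    weekday: int      # 0 = Monday ... 6 = Sunday, in the window's own zone
    start: time
    end: time
    tz: str
    owner: str        # team or change ticket that documents the window


def classify_session_start(start_utc: datetime, user_tz: str,
                           business_start: time = time(8, 0),
                           business_end: time = time(18, 0),
                           workdays=(0, 1, 2, 3, 4),
                           windows=()):
    """Return (verdict, detail); verdict is 'business_hours',
    'maintenance_window' or 'off_hours'. Naive timestamps are taken as UTC."""
    if start_utc.tzinfo is None:
        start_utc = start_utc.replace(tzinfo=timezone.utc)
    local = start_utc.astimezone(ZoneInfo(user_tz))
    # Time-zone check first: the most common benign explanation for an "odd hour".
    if local.weekday() in workdays and business_start <= local.time() < business_end:
        return "business_hours", f"{local.isoformat()} is within business hours in {user_tz}"
    # Documented maintenance windows are evaluated in their own zone, not the user's.
    for w in windows:
        t = start_utc.astimezone(ZoneInfo(w.tz))
        if t.weekday() == w.weekday and w.start <= t.time() < w.end:
            return "maintenance_window", f"matches window owned by {w.owner} ({w.tz})"
    return "off_hours", f"{local.isoformat()} is outside business hours in {user_tz}; no documented window"


# Constructed sample: a Sunday early-morning patching window for the Berlin office.
SAMPLE_WINDOWS = (MaintenanceWindow(6, time(1, 0), time(5, 0), "Europe/Berlin", "patching-team"),)

if __name__ == "__main__":
    alert_ts = datetime(2025, 1, 15, 1, 0, tzinfo=timezone.utc)  # constructed alert time
    print(classify_session_start(alert_ts, "America/Los_Angeles"))
    print(classify_session_start(alert_ts, "Europe/Berlin", windows=SAMPLE_WINDOWS))
```

A verdict of `off_hours` is the only one that should proceed straight to the source/destination and account checks in the guide; the other two still deserve a look if the account or host does not belong to the documented window owner.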
Related rules
- High Mean of Process Arguments in an RDP Session
- High Mean of RDP Session Duration
- High Variance in RDP Session Duration
- Spike in Number of Connections Made from a Source IP
- Spike in Number of Connections Made to a Destination IP