Unusual Windows Remote User

calendar Aug 22, 2023 · Domain: Endpoint OS: Windows Use Case: Threat Detection Rule Type: ML Rule Type: Machine Learning Tactic: Initial Access  ·
Share on: linkedin copy

A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/03/25"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2023/07/27"
 6min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 7min_stack_version = "8.3.0"
 8
 9[rule]
10anomaly_threshold = 50
11author = ["Elastic"]
12description = """
13A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover
14or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual
15usernames.
16"""
17false_positives = [
18    """
19    Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual
20    troubleshooting or reconfiguration.
21    """,
22]
23from = "now-45m"
24interval = "15m"
25license = "Elastic License v2"
26machine_learning_job_id = ["v3_windows_rare_user_type10_remote_login"]
27name = "Unusual Windows Remote User"
28note = """## Triage and analysis
29
30### Investigating an Unusual Windows User
31Detection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
32- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
33- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
34references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
35risk_score = 21
36rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9"
37severity = "low"
38tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"]
39type = "machine_learning"
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1078"
45name = "Valid Accounts"
46reference = "https://attack.mitre.org/techniques/T1078/"
47
48
49[rule.threat.tactic]
50id = "TA0001"
51name = "Initial Access"
52reference = "https://attack.mitre.org/tactics/TA0001/"```

Triage and analysis

Investigating an Unusual Windows User

Detection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:

  • Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
  • Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?

References

Related rules

to-top