Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.
Sigma rule
```yaml
title: Potential Remote Desktop Connection to Non-Domain Host
id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
status: test
description: Detects logons using NTLM to hosts that are potentially not part of the domain.
references:
  - n/a
author: James Pemberton
date: 2020-05-22
modified: 2021-11-27
tags:
  - attack.command-and-control
  - attack.t1219.002
logsource:
  product: windows
  service: ntlm
  definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
  selection:
    EventID: 8001
    TargetName|startswith: 'TERMSRV'
  condition: selection
falsepositives:
  - Host connections to valid domains, exclude these.
  - Host connections not using host FQDN.
  - Host connections to external legitimate domains.
level: medium
```
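The following is an added example, not part of the rule or of SigmaHQ. It applies the rule's selection (EventID 8001, TargetName starting with TERMSRV) to constructed Microsoft-Windows-NTLM/Operational events, then applies the rule's own false-positive guidance by excluding hosts whose FQDN ends in an assumed known-domain suffix and labelling short names separately, so that only connections to potential non-domain hosts are reported.

```python
# Added example (not the rule's own code). Constructed NTLM 8001-style events;
# field names follow the Sigma rule (EventID, TargetName). UserName is illustrative.
SAMPLE_EVENTS = [
    {"EventID": 8001, "TargetName": "TERMSRV/ws01.corp.example.com", "UserName": "alice"},
    {"EventID": 8001, "TargetName": "TERMSRV/10.20.30.40", "UserName": "alice"},
    {"EventID": 8001, "TargetName": "TERMSRV/jump.partner-example.net", "UserName": "bob"},
    {"EventID": 8001, "TargetName": "cifs/fs01.corp.example.com", "UserName": "bob"},
    {"EventID": 8002, "TargetName": "TERMSRV/ws02.corp.example.com", "UserName": "carol"},
    {"EventID": 8001, "TargetName": "TERMSRV/WS03", "UserName": "dave"},
]

# Assumed allowlist of DNS suffixes that count as "part of the domain"; tune per environment.
KNOWN_DOMAIN_SUFFIXES = (".corp.example.com",)


def matches_selection(event):
    """Sigma 'selection': EventID 8001 and TargetName starting with 'TERMSRV'."""
    return event.get("EventID") == 8001 and str(event.get("TargetName", "")).startswith("TERMSRV")


def target_host(event):
    """Host part of an SPN-style TargetName such as TERMSRV/host; '' if absent."""
    name = str(event.get("TargetName", ""))
    return name.split("/", 1)[1] if "/" in name else ""


def classify(event, known_suffixes=KNOWN_DOMAIN_SUFFIXES):
    """Label a matching event per the rule's falsepositives section:
    'domain-host'  - FQDN under an allowlisted suffix (the rule says to exclude these)
    'short-name'   - no FQDN at all (the rule lists this as a false-positive source)
    'non-domain'   - everything else, including raw IPs and foreign domains
    """
    host = target_host(event).lower()
    if any(host.endswith(suffix) for suffix in known_suffixes):
        return "domain-host"
    if "." not in host:
        return "short-name"
    return "non-domain"


def run_rule(events, known_suffixes=KNOWN_DOMAIN_SUFFIXES):
    """Return (host, label) for each event that matches the selection and is not an allowlisted domain host."""
    hits = []
    for ev in events:
        if matches_selection(ev):
            label = classify(ev, known_suffixes)
            if label != "domain-host":
                hits.append((target_host(ev), label))
    return hits


if __name__ == "__main__":
    for host, label in run_rule(SAMPLE_EVENTS):
        print(f"alert: NTLM logon to RDP target {host} ({label})")
```

Short names are kept as a separate label rather than dropped, so an analyst can decide per environment whether non-FQDN targets are worth reviewing.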
Related rules
- Remote Access Tool - AnyDesk Silent Installation
- Remote Access Tool - MeshAgent Command Execution via MeshCentral
- Remote Access Tool - Potential MeshAgent Execution - MacOS
- Remote Access Tool - Potential MeshAgent Execution - Windows
- Remote Access Tool - Renamed MeshAgent Execution - MacOS