Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.
Sigma rule
title: Potential Remote Desktop Connection to Non-Domain Host
id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
status: test
description: Detects logons using NTLM to hosts that are potentially not part of the domain.
references:
    - n/a
author: James Pemberton
date: 2020-05-22
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8001
        TargetName|startswith: 'TERMSRV'
    condition: selection
fields:
    - Computer
    - UserName
    - DomainName
    - TargetName
falsepositives:
    - Host connections to valid domains, exclude these.
    - Host connections not using host FQDN.
    - Host connections to external legitimate domains.
level: medium
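As an added illustration (not part of the Sigma rule or the SigmaHQ project), the Python below applies the rule's selection to constructed Microsoft-Windows-NTLM/Operational event records and then sorts the hits into the buckets the falsepositives section implies: hosts under a known internal domain, short names that cannot be judged from the event alone, and FQDNs or IPs outside the domain. The INTERNAL_DOMAINS allow-list, host names and IP address are constructed assumptions.

```python
# Added example, not from the Sigma project: applies the rule's selection
# (EventID 8001, TargetName|startswith 'TERMSRV') to constructed
# Microsoft-Windows-NTLM/Operational events, then triages the hits against
# a constructed allow-list of domain suffixes, as the falsepositives suggest.
from typing import Iterable

# Constructed: suffixes of domains whose hosts are known to be domain-joined.
INTERNAL_DOMAINS = ("corp.example.com", "example.com")


def matches_rule(event: dict) -> bool:
    """Sigma selection (string matches are case-insensitive in Sigma)."""
    return event.get("EventID") == 8001 and str(event.get("TargetName", "")).lower().startswith("termsrv")


def target_host(target_name: str) -> str:
    """Host part of an SPN such as 'TERMSRV/host.example.com' (lower-cased)."""
    _, _, host = target_name.partition("/")
    return host.lower().rstrip(".")


def classify(event: dict) -> str:
    """Bucket a matching event:
    'domain'     - FQDN under an allow-listed suffix (expected false positive)
    'short-name' - no dots, so the domain cannot be judged from the event alone
    'non-domain' - FQDN or IP outside the allow-list (what the rule targets)"""
    host = target_host(event["TargetName"])
    if "." not in host:
        return "short-name"
    if any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS):
        return "domain"
    return "non-domain"


def triage(events: Iterable[dict]) -> dict[str, list[str]]:
    """Run the selection over events and group the target hosts by bucket."""
    buckets: dict[str, list[str]] = {"domain": [], "short-name": [], "non-domain": []}
    for event in events:
        if matches_rule(event):
            buckets[classify(event)].append(target_host(event["TargetName"]))
    return buckets


# Constructed sample events; the last two do not satisfy the selection.
SAMPLE_EVENTS = [
    {"EventID": 8001, "UserName": "alice", "DomainName": "CORP", "TargetName": "TERMSRV/fs01.corp.example.com"},
    {"EventID": 8001, "UserName": "alice", "DomainName": "CORP", "TargetName": "TERMSRV/203.0.113.10"},
    {"EventID": 8001, "UserName": "bob", "DomainName": "CORP", "TargetName": "TERMSRV/JUMP01"},
    {"EventID": 8001, "UserName": "bob", "DomainName": "CORP", "TargetName": "cifs/fs01.corp.example.com"},
    {"EventID": 8002, "UserName": "bob", "DomainName": "CORP", "TargetName": "TERMSRV/fs01.corp.example.com"},
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_EVENTS).items():
        print(f"{bucket}: {hosts}")
```

Only the 'non-domain' bucket is the alert the rule is after; the 'domain' bucket is the exclusion the falsepositives section asks for, and 'short-name' hits need enrichment (DNS or asset inventory) before they can be judged.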
Related rules
- Anydesk Temporary Artefact
- DNS Query To AzureWebsites.NET By Non-Browser Process
- GoToAssist Temporary Installation Artefact
- HackTool - Inveigh Execution Artefacts
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators