Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.
Sigma rule
title: Potential Remote Desktop Connection to Non-Domain Host
id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
status: test
description: Detects logons using NTLM to hosts that are potentially not part of the domain.
references:
    - n/a
author: James Pemberton
date: 2020/05/22
modified: 2021/11/27
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8001
        TargetName|startswith: 'TERMSRV'
    condition: selection
fields:
    - Computer
    - UserName
    - DomainName
    - TargetName
falsepositives:
    - Host connections to valid domains, exclude these.
    - Host connections not using host FQDN.
    - Host connections to external legitimate domains.
level: medium
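As an added example (not part of this rule page or the Sigma project), the following Python applies the rule's `selection` to constructed Microsoft-Windows-NTLM/Operational 8001 records and then uses a hypothetical allowlist of valid domain suffixes to act on the first false-positive note. The sample hosts, users and the `.corp.example` suffix are made up.

```python
# Constructed sample events shaped like Microsoft-Windows-NTLM/Operational 8001 records;
# field names follow the rule's `fields` list, hostnames and users are made up.
SAMPLE_EVENTS = [
    {"EventID": 8001, "Computer": "ws01.corp.example", "UserName": "alice",
     "DomainName": "CORP", "TargetName": "TERMSRV/fs01.corp.example"},
    {"EventID": 8001, "Computer": "ws01.corp.example", "UserName": "alice",
     "DomainName": "CORP", "TargetName": "TERMSRV/10.0.0.25"},
    {"EventID": 8001, "Computer": "ws02.corp.example", "UserName": "bob",
     "DomainName": "WS02", "TargetName": "TERMSRV/jump.partner.example"},
    {"EventID": 8001, "Computer": "ws02.corp.example", "UserName": "bob",
     "DomainName": "CORP", "TargetName": "cifs/fs01.corp.example"},
    {"EventID": 8002, "Computer": "ws02.corp.example", "UserName": "bob",
     "DomainName": "CORP", "TargetName": "TERMSRV/fs01.corp.example"},
]

# Hypothetical tuning list for the rule's first false-positive note:
# FQDN suffixes of domains the organisation treats as its own.
VALID_DOMAIN_SUFFIXES = (".corp.example",)

def matches_selection(event: dict) -> bool:
    """Sigma `selection`: EventID 8001 and TargetName|startswith 'TERMSRV'.
    Sigma string matching is case-insensitive, so compare in lower case."""
    return (event.get("EventID") == 8001
            and str(event.get("TargetName", "")).lower().startswith("termsrv"))

def classify(event: dict) -> str:
    """'ignore' when the rule does not fire, 'known-domain' when the RDP
    target's FQDN ends with an allowlisted suffix, otherwise 'alert'."""
    if not matches_selection(event):
        return "ignore"
    # TargetName is the SPN `TERMSRV/<host>`; keep the host part after '/'.
    target_host = event["TargetName"].split("/", 1)[-1].lower()
    if target_host.endswith(VALID_DOMAIN_SUFFIXES):
        return "known-domain"
    # Bare IPs, short names and foreign FQDNs stay as alerts for review.
    return "alert"

def triage(events: list) -> dict:
    """Count events per outcome; alerts carry the rule's `fields` for the analyst."""
    out = {"ignore": 0, "known-domain": 0, "alert": []}
    for ev in events:
        verdict = classify(ev)
        if verdict == "alert":
            out["alert"].append({k: ev[k] for k in ("Computer", "UserName",
                                                    "DomainName", "TargetName")})
        else:
            out[verdict] += 1
    return out
```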
Related rules
- Suspicious LDAP-Attributes Used
- DNS TXT Answer with Possible Execution Strings
- Default Cobalt Strike Certificate
- Executable from Webdav
- Remote File Copy