RDP Login from Localhost
RDP login with localhost source address may be a tunnelled login
Sigma rule
```yaml
title: RDP Login from Localhost
id: 51e33403-2a37-4d66-a574-1fda1782cc31
status: test
description: RDP login with localhost source address may be a tunnelled login
references:
  - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Thomas Patzke
date: 2019-01-28
modified: 2022-10-09
tags:
  - attack.lateral-movement
  - car.2013-07-002
  - attack.t1021.001
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 10
    IpAddress:
      - '::1'
      - '127.0.0.1'
  condition: selection
falsepositives:
  - Unknown
level: high
```
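To show what the selection above actually fires on, here is an added example (not part of the Sigma project or this rule's repository) that evaluates the rule's logic in Python over constructed Security-log records. The `Channel` field standing in for `logsource.service: security`, and the dict shape of the records, are assumptions about how the events have been normalised.

```python
"""Added example: evaluates the 'RDP Login from Localhost' rule against
hand-built event records. Not Sigma project code; the records mirror the
EventData fields of Windows Security Event ID 4624 but are constructed."""

LOCALHOST_ADDRESSES = {"::1", "127.0.0.1"}  # the rule's IpAddress list


def matches_rdp_login_from_localhost(event: dict) -> bool:
    """Sigma 'selection': EventID 4624 AND LogonType 10 AND IpAddress in list.

    Sigma string matching is case-insensitive and Windows stores LogonType
    as a string inside EventData, so values are normalised before comparing.
    """
    if str(event.get("Channel", "")).lower() != "security":
        return False  # logsource: service: security (assumed 'Channel' field)
    if str(event.get("EventID")) != "4624":
        return False  # only successful logons
    if str(event.get("LogonType")) != "10":
        return False  # 10 = RemoteInteractive, i.e. RDP / Terminal Services
    return str(event.get("IpAddress", "")).lower() in LOCALHOST_ADDRESSES


def find_matches(events):
    """Return the records that trigger the rule, in log order, for triage."""
    return [e for e in events if matches_rdp_login_from_localhost(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Ordinary RDP logon from another host: LogonType 10, remote source.
    {"Channel": "Security", "EventID": 4624, "LogonType": "10",
     "TargetUserName": "alice", "IpAddress": "10.0.0.25"},
    # RDP logon whose source is the IPv4 loopback: tunnelled-RDP candidate.
    {"Channel": "Security", "EventID": 4624, "LogonType": "10",
     "TargetUserName": "bob", "IpAddress": "127.0.0.1"},
    # Same with the IPv6 loopback, which is why the rule lists both forms.
    {"Channel": "Security", "EventID": 4624, "LogonType": "10",
     "TargetUserName": "carol", "IpAddress": "::1"},
    # Network logon (LogonType 3) from loopback: not RDP, so not matched.
    {"Channel": "Security", "EventID": 4624, "LogonType": "3",
     "TargetUserName": "svc-backup", "IpAddress": "127.0.0.1"},
    # Failed logon (4625) from loopback: wrong EventID, so not matched.
    {"Channel": "Security", "EventID": 4625, "LogonType": "10",
     "TargetUserName": "bob", "IpAddress": "127.0.0.1"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT RDP Login from Localhost: user={hit['TargetUserName']} "
              f"src={hit['IpAddress']}")
```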
References
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
Related rules
- Outbound RDP Connections Over Non-Standard Tools
- RDP Over Reverse SSH Tunnel
- RDP over Reverse SSH Tunnel WFP
- RDP to HTTP or HTTPS Target Ports
- Suspicious RDP Redirect Using TSCON