RDP Login from Localhost

RDP login with localhost source address may be a tunnelled login

Sigma rule (View on GitHub)

 1title: RDP Login from Localhost
 2id: 51e33403-2a37-4d66-a574-1fda1782cc31
 3status: test
 4description: RDP login with localhost source address may be a tunnelled login
 5references:
 6    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 7author: Thomas Patzke
 8date: 2019/01/28
 9modified: 2022/10/09
10tags:
11    - attack.lateral_movement
12    - car.2013-07-002
13    - attack.t1021.001
14logsource:
15    product: windows
16    service: security
17detection:
18    selection:
19        EventID: 4624
20        LogonType: 10
21        IpAddress:
22            - '::1'
23            - '127.0.0.1'
24    condition: selection
25falsepositives:
26    - Unknown
27level: high

References

Related rules

to-top