Denied Access To Remote Desktop
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. It is often produced when an attacker, already holding a valid account, probes the network for Windows servers that accept RDP connections.
Sigma rule
```yaml
title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
status: test
description: |
  This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
  Often, this event can be generated by attackers when searching for available windows servers in the network.
references:
  - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
date: 2020-06-27
modified: 2021-11-27
tags:
  - attack.lateral-movement
  - attack.t1021.001
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4825
  condition: selection
fields:
  - EventCode
  - AccountName
  - ClientAddress
falsepositives:
  - Valid user was not added to RDP group
level: medium
```
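The rule above is a single equality match on `EventID`, so the interesting part for an analyst is what to do with the hits. The following added example (not part of the Sigma rule or the SigmaHQ project) applies the rule's `selection` to a handful of constructed Security-log records, projects the rule's `fields` (`EventCode`, `AccountName`, `ClientAddress`), and then groups the denials by client address to surface the scanning pattern the description mentions: one source being denied on several different hosts. Field names such as `Computer`, the `hosts_per_client` and `spraying_clients` helpers, and the sample values are assumptions made for this example.

```python
from collections import defaultdict

# Sigma 'selection' from the rule: every key must equal the event's value.
SIGMA_SELECTION = {"EventID": 4825}

# Constructed sample records (not real logs), shaped like Security-channel
# events a SIEM might store. 'Computer' is the host that raised the event.
SAMPLE_EVENTS = [
    {"EventID": 4825, "Computer": "srv01", "AccountName": "jdoe",
     "AccountDomain": "CORP", "ClientAddress": "10.0.0.15"},
    # A successful RDP logon (4624, logon type 10): must NOT match the rule.
    {"EventID": 4624, "Computer": "srv01", "AccountName": "jdoe",
     "AccountDomain": "CORP", "LogonType": 10, "IpAddress": "10.0.0.15"},
    # One account denied on three different hosts from the same client address.
    {"EventID": 4825, "Computer": "srv01", "AccountName": "svc-backup",
     "AccountDomain": "CORP", "ClientAddress": "10.0.0.99"},
    {"EventID": 4825, "Computer": "srv02", "AccountName": "svc-backup",
     "AccountDomain": "CORP", "ClientAddress": "10.0.0.99"},
    {"EventID": 4825, "Computer": "srv03", "AccountName": "svc-backup",
     "AccountDomain": "CORP", "ClientAddress": "10.0.0.99"},
]


def matches_selection(event, selection=SIGMA_SELECTION):
    """Sigma map semantics: all key/value pairs in the selection must match.

    Values are compared as strings because SIEM backends frequently store
    EventID as text even though the Sigma rule writes it as an integer.
    """
    return all(str(event.get(key)) == str(value) for key, value in selection.items())


def apply_rule(events):
    """Return one alert record per matching event, limited to the rule's fields.

    'EventCode' is the name some backends (e.g. Splunk's Windows add-on) use
    for the event ID, which is why the rule lists it under 'fields'; here it
    is filled from the record's EventID. 'Computer' is added (an assumption)
    so the alerts can be grouped by target host below.
    """
    alerts = []
    for event in events:
        if matches_selection(event):
            alerts.append({
                "EventCode": event.get("EventID"),
                "AccountName": event.get("AccountName"),
                "ClientAddress": event.get("ClientAddress"),
                "Computer": event.get("Computer"),
            })
    return alerts


def hosts_per_client(alerts):
    """Count distinct hosts on which each client address was denied RDP access."""
    hosts = defaultdict(set)
    for alert in alerts:
        hosts[alert["ClientAddress"]].add(alert["Computer"])
    return {client: len(targets) for client, targets in hosts.items()}


def spraying_clients(alerts, min_hosts=2):
    """Client addresses denied on at least min_hosts different hosts.

    A single denial is usually the rule's stated false positive (a valid user
    who was never added to the RDP group); the same source being refused on
    many hosts is the discovery pattern the rule description warns about.
    """
    return sorted(client for client, count in hosts_per_client(alerts).items()
                  if count >= min_hosts)


if __name__ == "__main__":
    hits = apply_rule(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("clients denied on 2+ hosts:", spraying_clients(hits))
```

The per-client grouping is what turns a medium-severity, single-host signal into something worth paging on: a lone 4825 from a workstation to one server fits the "valid user not in the RDP group" false positive, whereas the same client address being refused across several servers in a short window is the behaviour the rule description attributes to attackers enumerating reachable Windows servers.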
References
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
Related rules
- Hermetic Wiper TG Process Patterns
- New Remote Desktop Connection Initiated Via Mstsc.EXE
- Outbound RDP Connections Over Non-Standard Tools
- Port Forwarding Activity Via SSH.EXE
- Potential Tampering With RDP Related Registry Keys Via Reg.EXE