Denied Access To Remote Desktop

This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.

Sigma rule (View on GitHub)

 1title: Denied Access To Remote Desktop
 2id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
 3status: test
 4description: |
 5  This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
 6  Often, this event can be generated by attackers when searching for available windows servers in the network.  
 7references:
 8    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
 9author: Pushkarev Dmitry
10date: 2020/06/27
11modified: 2021/11/27
12tags:
13    - attack.lateral_movement
14    - attack.t1021.001
15logsource:
16    product: windows
17    service: security
18detection:
19    selection:
20        EventID: 4825
21    condition: selection
22fields:
23    - EventCode
24    - AccountName
25    - ClientAddress
26falsepositives:
27    - Valid user was not added to RDP group
28level: medium

References

Related rules

to-top