Denied Access To Remote Desktop
Windows Security event 4825 is logged on the target host when an authenticated user who is not permitted to log on remotely (by default, anyone outside the Remote Desktop Users and Administrators groups) attempts to connect to that computer through Remote Desktop. Attackers sweeping a network for reachable Windows servers often trigger it, because their credentials are valid but not RDP-enabled on most hosts; the same event is produced by a legitimate user who simply has not been added to the RDP group yet, which is why the rule is rated medium and should be triaged by source address.
Sigma rule
```yaml
title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
status: test
description: |
    This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
    Often, this event can be generated by attackers when searching for available windows servers in the network.
references:
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
date: 2020/06/27
modified: 2021/11/27
tags:
    - attack.lateral_movement
    - attack.t1021.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4825
    condition: selection
fields:
    - EventCode
    - AccountName
    - ClientAddress
falsepositives:
    - Valid user was not added to RDP group
level: medium
```
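To show what the rule's selection does in practice, the following is an added Python example, not code from the page or from the SigmaHQ project. It evaluates the detection section above against a handful of constructed Security events and then groups the hits by ClientAddress, which is the quickest way to separate the rule's documented false positive (one user denied on one host) from the sweep pattern the description warns about (one source address denied across many hosts). The sample events, the Computer field, the host names and the min_hosts threshold are assumptions made for illustration; the rule itself fires on every 4825 and does no such aggregation.

```python
"""Evaluate the 'Denied Access To Remote Desktop' Sigma selection against
constructed Windows Security events and group the hits by source address."""
from collections import defaultdict

# Detection section transcribed from the rule above. The logsource filter
# (product: windows, service: security) is assumed to happen upstream.
DETECTION = {"selection": {"EventID": 4825}, "condition": "selection"}

# Constructed sample events, not real telemetry. Field names follow the
# rule's `fields` list plus EventID; `Computer` (the host that logged the
# event) is an assumption used only for the per-source host count.
SAMPLE_EVENTS = [
    {"EventID": 4825, "Computer": "FS01", "AccountName": "jdoe", "ClientAddress": "10.0.0.15"},
    {"EventID": 4624, "Computer": "FS01", "AccountName": "jdoe", "ClientAddress": "10.0.0.15"},
    {"EventID": 4825, "Computer": "FS01", "AccountName": "svc-scan", "ClientAddress": "10.0.0.99"},
    {"EventID": 4825, "Computer": "FS02", "AccountName": "svc-scan", "ClientAddress": "10.0.0.99"},
    {"EventID": 4825, "Computer": "DC01", "AccountName": "svc-scan", "ClientAddress": "10.0.0.99"},
    {"EventID": 4825, "Computer": "WEB01", "AccountName": "svc-scan", "ClientAddress": "10.0.0.99"},
    {"EventID": 4625, "Computer": "DC01", "AccountName": "svc-scan", "ClientAddress": "10.0.0.99"},
]


def matches_selection(event, selection):
    """A Sigma map selection is an AND over its fields; a list value means
    'any of these values' (not needed by this rule, but cheap to support)."""
    for field, expected in selection.items():
        actual = event.get(field)
        if isinstance(expected, list):
            if actual not in expected:
                return False
        elif actual != expected:
            return False
    return True


def run_rule(events, detection=DETECTION):
    """Return the events matched by the rule. Only the simple form used
    here (condition names a single selection) is supported."""
    sel_name = detection["condition"]
    if sel_name not in detection:
        raise ValueError("only a bare selection name is supported as condition")
    return [e for e in events if matches_selection(e, detection[sel_name])]


def hosts_per_source(hits):
    """Distinct hosts that denied each ClientAddress, sorted for stable output."""
    seen = defaultdict(set)
    for hit in hits:
        seen[hit["ClientAddress"]].add(hit["Computer"])
    return {addr: sorted(hosts) for addr, hosts in seen.items()}


def triage(events, min_hosts=3):
    """Label each source address. Many distinct hosts denying the same
    address looks like an RDP sweep; a single host is the rule's documented
    false positive (a valid user not yet in the RDP group). min_hosts is an
    illustrative threshold, not part of the rule."""
    spread = hosts_per_source(run_rule(events))
    verdicts = {}
    for addr, hosts in spread.items():
        if len(hosts) >= min_hosts:
            verdicts[addr] = "possible RDP sweep across %d hosts" % len(hosts)
        else:
            verdicts[addr] = "single denied logon; verify RDP group membership"
    return verdicts


if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_EVENTS).items():
        print(addr, "->", verdict)
```

Against the constructed data the selection matches the five 4825 events and ignores the 4624 and 4625 noise from the same sources; the per-address grouping then reports 10.0.0.15 as a single denial worth a group-membership check and 10.0.0.99 as a sweep across four hosts. In a SIEM the same split is normally a count(distinct Computer) by ClientAddress over a short window on top of the rule's output.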
Related rules
- DCERPC SMB Spoolss Named Pipe
- Impacket PsExec Execution
- Persistence and Execution at Scale via GPO Scheduled Task
- Remote Service Activity via SVCCTL Named Pipe
- Remote Task Creation via ATSVC Named Pipe