Detects non-standard tools initiating a connection over port 3389, indicating possible lateral movement.
An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
Detects svchost hosting RDP termsvcs communicating with the loopback address
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
Detects a suspicious RDP session redirect using tscon.exe
RDP login with localhost source address may be a tunnelled login
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
Detects a suspicious error in the RDP protocol, a potential indicator of CVE-2019-0708
Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)