
RDP Login from Localhost

An RDP login (Security Event ID 4624, logon type 10) whose source address is localhost (127.0.0.1 or ::1) may be a tunnelled login.

Author
Thomas Patzke
Log Source
Product
windows
Service
security
Detection Logic
detection:
    selection:
        EventID: 4624
        LogonType: 10
        IpAddress:
            - '::1'
            - '127.0.0.1'
    condition: selection
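As an added worked example (not part of the rule or of the Sigma project), the selection above evaluated in Python over a handful of constructed events. The event dictionaries, their field names and the user names are assumptions for illustration, shaped like the EventData fields (EventID, LogonType, IpAddress) that Sigma maps for the Windows Security log. The matcher follows Sigma semantics for this rule: every field in the selection must match (AND), a list of values for one field is an OR, and string values are compared case-insensitively.

```python
"""Evaluate the page's Sigma selection over constructed Windows Security events."""
from typing import Any

# The detection block, transcribed from the rule on the page.
RULE = {
    "selection": {
        "EventID": 4624,
        "LogonType": 10,
        "IpAddress": ["::1", "127.0.0.1"],
    },
    "condition": "selection",
}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def selection_matches(selection: dict, event: dict) -> bool:
    """Sigma map semantics: all fields must match; a list of values is an OR.

    Windows exports EventData values as strings ("10", "4624"), so both sides
    are normalised to lower-case strings before comparison.
    """
    for field, wanted in selection.items():
        if field not in event:
            return False
        actual = str(event[field]).lower()
        if not any(str(w).lower() == actual for w in _as_list(wanted)):
            return False
    return True


def run_rule(rule: dict, events: list) -> list:
    """Return the events matched by the rule; the condition is a single selection name."""
    selection = rule[rule["condition"]]
    return [e for e in events if selection_matches(selection, e)]


# Constructed sample events (assumed values, not real log data).
SAMPLE_EVENTS = [
    # RemoteInteractive logon from IPv4 loopback: the tunnelled-RDP case the rule targets
    {"EventID": 4624, "LogonType": 10, "IpAddress": "127.0.0.1", "TargetUserName": "admin"},
    # Same from IPv6 loopback
    {"EventID": 4624, "LogonType": 10, "IpAddress": "::1", "TargetUserName": "svc_backup"},
    # Ordinary RDP from a remote host: not localhost, no alert
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.5", "TargetUserName": "admin"},
    # Network logon (type 3) from loopback: not RDP, no alert
    {"EventID": 4624, "LogonType": 3, "IpAddress": "127.0.0.1", "TargetUserName": "admin"},
    # Failed logon (4625) from loopback: wrong event ID, no alert
    {"EventID": 4625, "LogonType": 10, "IpAddress": "::1", "TargetUserName": "admin"},
    # Windows writes "-" when no source address is recorded: no alert
    {"EventID": 4624, "LogonType": 10, "IpAddress": "-", "TargetUserName": "admin"},
    # Field values as the strings found in exported EventData: still matches
    {"EventID": "4624", "LogonType": "10", "IpAddress": "::1", "TargetUserName": "helpdesk"},
]


def alert_lines(events: list) -> list:
    """Human-readable summary of each match, for triage."""
    return [
        f"ALERT: RDP logon for {e['TargetUserName']} from {e['IpAddress']} (type {e['LogonType']})"
        for e in run_rule(RULE, events)
    ]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_EVENTS):
        print(line)
```

Two properties of the rule are visible in the sample: the match is on the two literal strings only, so a loopback address such as 127.0.0.2 or an address rewritten by a proxy would not fire, and logon types other than 10 from localhost are deliberately ignored, which keeps the rule focused on RDP sessions that arrive through a local port forward.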
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK
Tactic
Lateral Movement
Technique
T1021.001 (Remote Services: Remote Desktop Protocol)

CAR Analytics

CAR-2013-07-002
Rule Metadata
Rule ID
51e33403-2a37-4d66-a574-1fda1782cc31
Status
test
Level
high
Type
Detection
Created
Mon Jan 28
Modified
Sun Oct 09
Path
rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml
Raw Tags
attack.lateral-movement, car.2013-07-002, attack.t1021.001