Detectionmediumtest

Denied Access To Remote Desktop

This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Pushkarev DmitryCreated Sat Jun 27Updated Sat Nov 278e5c03fa-b7f0-11ea-b242-07e0576828d9windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID: 4825
    condition: selection

False Positives

Valid user was not added to RDP group

References

Resolving title…

ultimatewindowssecurity.com

MITRE ATT&CK

Tactics

TA0008 · Lateral Movement

Sub-techniques

T1021.001 · Remote Desktop Protocol

Rule Metadata

Rule ID

8e5c03fa-b7f0-11ea-b242-07e0576828d9

Status

test

Level

medium

Type

Detection

Created

Sat Jun 27

Modified

Sat Nov 27

Author

Pushkarev Dmitry

Path

rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml

Raw Tags

attack.lateral-movementattack.t1021.001

View on GitHub