Detectionmediumtest

Potential Remote Desktop Connection to Non-Domain Host

Detects logons using NTLM to hosts that are potentially not part of the domain.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

James PembertonCreated Fri May 22Updated Sat Nov 27ce5678bb-b9aa-4fb5-be4b-e57f686256adwindows

Log Source

Windowsntlm

ProductWindows← raw: windows

Servicentlm← raw: ntlm

Definition

Requires events from Microsoft-Windows-NTLM/Operational

Detection Logic

detection:
    selection:
        EventID: 8001
        TargetName|startswith: 'TERMSRV'
    condition: selection

False Positives

Host connections to valid domains, exclude these.

Host connections not using host FQDN.

Host connections to external legitimate domains.

References

Resolving title…

n/a

MITRE ATT&CK

Tactics

Other

attack.t1219.002

Rule Metadata

Rule ID

ce5678bb-b9aa-4fb5-be4b-e57f686256ad

Status

test

Level

medium

Type

Detection

Created

Fri May 22

Modified

Sat Nov 27

Author

Path

rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml

Raw Tags

attack.command-and-controlattack.t1219.002