Detection rules › Kusto Query Language

Multiple RDP connections from Single System

Author: Microsoft Security Research
Source: upstream

'Identifies when an RDP connection is made to multiple systems and above the normal connection count for the previous 7 days. Connections from the same system with the same account within the same day. RDP connections are indicated by the EventID 4624 with LogonType = 10'

MITRE ATT&CK coverage

Tactic	Techniques
Lateral Movement	`T1021` Remote Services

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.

Stages and Predicates

Stage 1: `source`

<union>

Stage 2: `union`

union of 2 branches

Stage 3: `join`

Stage 4: `extend`

Stage 5: `where`

Ratio gt "threshold"

Stage 6: `project`

Stage 7: `extend`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Ratio`	gt	`threshold`

Multiple RDP connections from Single System

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: union

Stage 3: join

Stage 4: extend

Stage 5: where

Stage 6: project

Stage 7: extend