detection.wiki

Detection rules › Kusto Query Language

Remote Desktop Network Brute force (ASIM Network Session schema)

Source
upstream

'This detection identifies RDP application network traffic and filters any source/destination pair generating more than 25 events hard threshold.'

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1110 Brute Force

Event coverage

ProviderEvent IDTitle
Sysmon3Network connection
Security-Auditing5152The Windows Filtering Platform blocked a packet.
Security-Auditing5154The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Security-Auditing5155The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Security-Auditing5156The Windows Filtering Platform has permitted a connection.
Security-Auditing5157The Windows Filtering Platform has blocked a connection.
Security-Auditing5158The Windows Filtering Platform has permitted a bind to a local port.
Security-Auditing5159The Windows Filtering Platform has blocked a bind to a local port.

Stages and Predicates

Stage 1: source

_Im_NetworkSession

Stage 2: where

and
  not
     macro "ipv4_is_private(SrcIpAddr)"
  SrcIpAddr ne "DstIpAddr"
   macro "(tostring(DstPortNumber) has_any \"3389\")"

Stage 3: summarize

Stage 4: where

Eventscount ge "25"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Eventscountge
  • 25
SrcIpAddrne
  • DstIpAddr