Detection rules › Splunk
Windows RDP Connection Successful
The following analytic detects successful Remote Desktop Protocol (RDP) connections by monitoring EventCode 1149 from the Windows TerminalServices RemoteConnectionManager Operational log. This detection is significant as successful RDP connections can indicate remote access to a system, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Monitoring successful RDP connections is crucial for identifying potential security breaches and mitigating risks promptly.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Lateral Movement | T1563.002 Remote Service Session Hijacking: RDP Hijacking |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| TerminalServices-RemoteConnectionManager | 1149 | Remote Desktop Services: User authentication succeeded. |
Stages and Predicates
Stage 1: search
search EventCode=1149
Stage 2: stats
stats BY Computer, user_id
Stage 3: search
search
Stage 4: search
search
Stage 5: rename
rename
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|