feat(threat-hunting): Excessive RDP

source/threat-hunting/index.md

@@ -2,7 +2,7 @@
 title: Splunk Threat Hunting
 layout: page
 date: 2025-01-15
-updated: 2025-02-16
+updated: 2025-02-26
 ---
 
 Some searches utilise [cmdb_ci_list_lookup](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow) lookup.
@@ -621,6 +621,28 @@ SPL:
 | table Domain, category, Referrer, total_count, src_list, src_host, users, Name, Email
 ```
 
+## Excessive RDP
+
+Description: Alert when a user+host RDP to at least 5 targets.
+Refernces: [1](https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/#lateral-movement)
+SPL:
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 Processes.process_name="mstsc.exe" BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s
+| rename Processes.* AS *
+| dedup host, process, user
+| eval rdp_time="[".strftime(_time, "%H:%M")."] ".process
+| table host, user, rdp_time
+| mvcombine rdp_time
+| eval RDPs=mvjoin(mvsort(rdp_time), "^"), counts=mvcount(rdp_time)
+| where counts>=5
+| lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name
+| sort host, user
+| table host, user, Name, RDPs
+```display multivalue separated by newline```
+| makemv delim="^" RDPs
+```
+
 ## Gootloader IOC
 
 References: [1](https://redcanary.com/blog/gootloader/)