curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity
blog/source/threat-hunting/excessive-rdp.md

981 B
Raw Blame History

title layout date
Excessive RDP page 2025-07-27

Description: Alert when a user+host RDP to at least 5 targets. Refernces: 1 SPL:

| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 Processes.process_name="mstsc.exe" BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s
| rename Processes.* AS *
| dedup host, process, user
| eval rdp_time="[".strftime(_time, "%H:%M")."] ".process
| table host, user, rdp_time
| mvcombine rdp_time
| eval RDPs=mvjoin(mvsort(rdp_time), "^"), counts=mvcount(rdp_time)
| where counts>=5
| lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name
| sort host, user
| table host, user, Name, RDPs
```display multivalue separated by newline```
| makemv delim="^" RDPs