/
investigate_successful_remote_desktop_authentications.yml
39 lines (39 loc) · 1.52 KB
/
investigate_successful_remote_desktop_authentications.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
name: Investigate Successful Remote Desktop Authentications
id: b6618e8e-be04-40a0-a0b9-f0bd4b6c81bc
version: 1
date: '2018-12-14'
author: Jose Hernandez, Splunk
type: Investigation
datamodel:
- Authentication
description: 'This search returns the source, destination, and user for all successful
remote-desktop authentications. A successful authentication after a brute-force
attack on a destination machine is suspicious behavior. '
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Authentication where Authentication.signature_id=4624
Authentication.app=win:remote by Authentication.src Authentication.dest Authentication.app
Authentication.user Authentication.signature Authentication.src_nt_domain | `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)` | `drop_dm_object_name("Authentication")`
| search dest=$dest$ | table firstTime lastTime src src_nt_domain dest user app
count | sort count'
how_to_implement: You must be populating the Authentication data model with security
events from your Windows event logs.
known_false_positives: ''
references: []
tags:
analytic_story:
- Hidden Cobra Malware
- Active Directory Lateral Movement
- SamSam Ransomware
product:
- Splunk Phantom
required_fields:
- _time
- Authentication.signature_id
- Authentication.app
- Authentication.src
- Authentication.dest
- Authentication.user
- Authentication.signature
- Authentication.src_nt_domain
security_domain: endpoint