update RDP rules

Yamato-Security · Nov 10, 2024 · cba5d02 · cba5d02
1 parent 85e80d9
commit cba5d02
Show file tree

Hide file tree

Showing 8 changed files with 111 additions and 49 deletions.
diff --git a/...ocalSessManager_21_Info_RDS-SessLogon.yml → ...Op/LocalSessManager_21_Info_RDP-Logon.yml b/...ocalSessManager_21_Info_RDS-SessLogon.yml → ...Op/LocalSessManager_21_Info_RDP-Logon.yml
@@ -1,10 +1,18 @@
 author: Zach Mathis
 date: 2022/12/07
-modified: 2022/12/07
+modified: 2024/11/10
 
-title: RDS Sess Logon
-details: 'User: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%'
-description:
+title: RDP Logon
+details: 'TgtUser: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%'
+description: |
+    This event is created when a new local session is created for either a local or remote interactive login when a user successfully authenticates and there is no existing local session.
+    This event will be created when a user logs on for the first time or after a logout but not after just a disconnect because the session will still exist.
+    In that case, a reconnect event will be created.
+    The Local Session Manager is responsible for creating or finding existing local sessions to support interactive logins.
+    Note that local sessions are different from logon sessions.
+    Local sessions represent the logon sessions, desktop layout, processes, etc. associated with an interactive logon. 
+    SrcIP will be an IP address if it is a remote session and "LOCAL" if it is a local session.
+    This event gives the same information in Remote Connection Manager 1149, Local Session Manager 22 and Security 4648.
 
 id: b107551c-409d-44b8-bb0d-3b007c269881
 level: informational
@@ -22,6 +30,11 @@ tags:
     - RDP
     - attack.lateral_movement
 references:
+    - https://www.cybertriage.com/artifact/terminalservices_localsessionmanager_log/terminalservices_localsessionmanager_operational_21/
+    - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
+    - https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/
+    - http://blog.kiddaland.net/2015/02/remote-desktop-connections-terminal.html
+    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee891131(v=ws.10)?redirectedfrom=MSDN
 ruletype: Hayabusa
 
 sample-message: |

diff --git a/...ssManager_22_Info_RDS-SessStart_Noisy.yml → ...ssManager_22_Info_RDP-SessStart_Noisy.yml b/...ssManager_22_Info_RDS-SessStart_Noisy.yml → ...ssManager_22_Info_RDP-SessStart_Noisy.yml
@@ -1,10 +1,19 @@
 author: Zach Mathis
 date: 2022/12/07
-modified: 2022/12/16
+modified: 2024/11/10
 
-title: 'RDS Sess Start (Noisy)'
-details: 'User: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%'
-description:
+title: 'RDP Sess Start (Noisy)'
+details: 'TgtUser: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%'
+description: |
+    This event is created when a new local session is created for either a local or remote interactive login.
+    Original event message: “Shell start notification received”
+    The Local Session Manager is responsible for creating or finding existing local sessions to support interactive logins.
+    Note that local sessions are different from logon sessions.
+    Local sessions represent the logon sessions, desktop layout, processes, etc. associated with an interactive logon. 
+    Event 22 is created when a new local session needs to be created.
+    That happens after a user successfully authenticates for a local or remote interactive logon session and the user does not already have an existing local session.
+    This event follows a Local Session Manager 21 event.
+    This event gives the same information in Remote Connection Manager 1149, Local Session Manager 21 and Security 4648.
 
 id: 320e2cb0-a56a-476f-a299-79dc45644fee
 level: informational
@@ -22,6 +31,11 @@ tags:
     - RDP
     - attack.lateral_movement
 references:
+    - https://www.cybertriage.com/artifact/terminalservices_localsessionmanager_log/terminalservices_localsessionmanager_operational_22/
+    - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
+    - https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/
+    - http://blog.kiddaland.net/2015/02/remote-desktop-connections-terminal.html
+    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ee891214(v=ws.10)
 ruletype: Hayabusa
 
 sample-message: |

diff --git a/...calSessManager_23_Info_RDS-SessLogoff.yml → ...p/LocalSessManager_23_Info_RDP-Logoff.yml b/...calSessManager_23_Info_RDS-SessLogoff.yml → ...p/LocalSessManager_23_Info_RDP-Logoff.yml
@@ -1,10 +1,10 @@
 author: Zach Mathis
 date: 2022/12/07
-modified: 2022/12/07
+modified: 2024/11/10
 
-title: RDS Sess Logoff
-details: 'User: %UserDataUser% ¦ SessID: %UserDataSessionID%'
-description:
+title: RDP Logoff
+details: 'TgtUser: %UserDataUser% ¦ SessID: %UserDataSessionID%'
+description: Event 23 is created when a local session logs off. That happens after a user successfully logs off a local or remote interactive logon session. Not just a disconnect.
 
 id: e14a729f-f4f8-427b-a238-dfbde9c1614b
 level: informational
@@ -22,6 +22,11 @@ tags:
     - RDP
     - attack.lateral_movement
 references:
+    - https://www.cybertriage.com/artifact/terminalservices_localsessionmanager_log/terminalservices_localsessionmanager_operational_23/
+    - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
+    - https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/
+    - http://blog.kiddaland.net/2015/02/remote-desktop-connections-terminal.html
+    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee891131(v=ws.10)?redirectedfrom=MSDN
 ruletype: Hayabusa
 
 sample-message: |

diff --git a/...alSessManager_24_Info_RDS-SessDisconn.yml → ...calSessManager_24_Info_RDP-Disconnect.yml b/...alSessManager_24_Info_RDS-SessDisconn.yml → ...calSessManager_24_Info_RDP-Disconnect.yml
@@ -1,10 +1,13 @@
 author: Zach Mathis
 date: 2022/12/07
-modified: 2022/12/07
+modified: 2024/11/10
 
-title: RDS Sess Disconnect
-details: 'User: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%'
-description:
+title: RDP Disconnect
+details: 'TgtUser: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%'
+description: |
+    Event 24 is created when a local session disconnects. That happens after a user successfully logs off or disconnects a local or remote interactive logon session.
+    This event immediately follows a EID 23 RDP Logoff event.
+    This event has the same information as EID 23 and Security EID 4634.
 
 id: 3fc6234f-93a5-4d48-b618-30e2c69c0a86
 level: informational
@@ -22,6 +25,11 @@ tags:
     - RDP
     - attack.lateral_movement
 references:
+    - https://www.cybertriage.com/artifact/terminalservices_localsessionmanager_log/terminalservices_localsessionmanager_operational_24/
+    - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
+    - https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/
+    - http://blog.kiddaland.net/2015/02/remote-desktop-connections-terminal.html
+    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee891131(v=ws.10)?redirectedfrom=MSDN
 ruletype: Hayabusa
 
 sample-message: |

diff --git a/...calSessManager_25_Info_RDS-SessReconn.yml → ...ocalSessManager_25_Info_RDP-Reconnect.yml b/...calSessManager_25_Info_RDS-SessReconn.yml → ...ocalSessManager_25_Info_RDP-Reconnect.yml
@@ -1,8 +1,9 @@
 author: Fukusuke Takahashi
 date: 2024/11/03
+modified: 2024/11/10
 
-title: RDS Sess Reconnect
-details: "User: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%"
+title: RDP Reconnect
+details: "TgtUser: %UserDataUser% ¦ SessID: %UserDataSessionID% ¦ SrcIP: %UserDataAddress%"
 description:
 references:
   - https://jpcertcc.github.io/ToolAnalysisResultSheet_jp/details/mstsc.htm

diff --git a/.../RemoteConnManger_1149_Info_RDS-Logon.yml → ...ConnManger_1149_Info_RDP-LogonAttempt.yml b/.../RemoteConnManger_1149_Info_RDS-Logon.yml → ...ConnManger_1149_Info_RDP-LogonAttempt.yml
@@ -1,10 +1,17 @@
 author: Zach Mathis
 date: 2022/12/07
-modified: 2022/12/07
+modified: 2024/11/10
 
-title: RDS Logon
-details: 'User: %UserDataParam1% ¦ Domain: %UserDataParam2% ¦ SrcIP: %UserDataParam3%'
-description: 'Logon for RDS (Remote Desktop Services). Formerly known as Terminal Services. Similar to RDP.'
+title: RDP Logon
+details: 'TgtUser: %UserDataParam1% ¦ Domain: %UserDataParam2% ¦ SrcIP: %UserDataParam3%'
+description: |
+    Logon for RDS (Remote Desktop Services). Formerly known as Terminal Services.
+    Uses RDP so I am refering to these as RDP Logons as that is what most people will expect.
+    On newer OSes (Win 7+, 2012+), this event is logged only when a user successfully logs on to a RDP session.
+    On older OSes (Vista, 2008), this event is logged when a user logs on to a RDP session, regardless of success.
+    This event might be be created when rdesktop is used as a client and NLA is disabled.
+    User and domain names are empty if the server is configured with Restricted Admin.
+    Information in this event is also found in the Security event log.
 
 id: e91c514e-08c5-4c42-96d7-ab1f5668a2f7
 level: informational
@@ -21,7 +28,15 @@ falsepositives:
 tags:
     - RDP
     - attack.lateral_movement
+    - attack.initial_access
 references:
+    - https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/terminalservices_remoteconnectionmanager_operational_1149/
+    - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
+    - http://blog.kiddaland.net/2015/02/remote-desktop-connections-terminal.html
+    - https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/
+    - https://port139.hatenablog.com/entry/2019/03/23/091740
+    - https://digitalforensicsurvivalpodcast.com/2023/01/31/dfsp-363-rdp-forensics/
+    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee907328(v=ws.10)?redirectedfrom=MSDN
 ruletype: Hayabusa
 
 sample-message: |

diff --git a/.../TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_261_Info_RDP-Conn_Noisy.yml b/.../TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_261_Info_RDP-Conn_Noisy.yml
@@ -0,0 +1,33 @@
+author: Zach Mathis
+date: 2022/12/07
+modified: 2024/11/10
+
+title: 'RDP Conn (Noisy)'
+details: ''
+description: |
+    This event is generated when anyone connects to RDP and sends data. It does not need to be a legitimate RDP connection.
+    Unfortunately, there are no details about the remote machine.
+    This event is noisy and will generate a lot of logs and is of limited investigative value.
+    If you see a large number of these events, but not successful logon events with EID 1149, etc... then it may indicate a brute force attack.
+    The Security event log will have more information so this event is only useful if the Security event logs are not available.
+
+id: 6dbed1df-f08a-47ab-9a58-999c0787d034
+level: informational
+status: stable
+logsource:
+    product: windows
+detection:
+    selection:
+        Channel: 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
+        EventID: 261
+    condition: selection
+falsepositives:
+    - administrator
+tags:
+    - RDP
+    - attack.lateral_movement
+references:
+    - https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/terminalservices_remoteconnectionmanager_operational_261/
+ruletype: Hayabusa
+
+sample-message: 'Listener RDP-Tcp received a connection'
diff --git a/.../TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_261_Info_RDS-Conn_Noisy.yml b/.../TerminalServices-RemoteConnectionManager_Op/RemoteConnManger_261_Info_RDS-Conn_Noisy.yml