Query Details

Hunt devices doing first RDP session

Query

# *Hunt for devices doing first RDP session*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1021.001 | Remote Services: Remote Desktop Protocol | https://attack.mitre.org/techniques/T1021/001/ |

#### Description
This hunting query helps you find devices that initiate a successful RDP connection (outbound to TCP port 3389) for the first time in 30 days. `DeviceNetworkEvents` records the connection from the initiating device's point of view, so the results are the source devices, not the RDP targets. While a first RDP session can be normal behavior, it is worth looking at why this device is suddenly making an RDP connection.

#### Risk
By investigating these devices, you might find an attacker performing lateral movement over RDP from an end-user device.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://hybridbrothers.com/detecting-non-privileged-windows-hello-abuse/

## Defender XDR
```KQL
// Devices that already made a successful RDP connection in the 30 days
// *before* the one-hour lookback. The baseline ends at ago(1h) so that a
// device's own connection in the last hour cannot put it on the "known" list
// (with "Timestamp > ago(30d)" the baseline would include the last hour and
// every device in the second query would be filtered out).
let historic_rdp_devices = toscalar(
    DeviceNetworkEvents
    | where Timestamp between (ago(30d) .. ago(1h))
    | where ActionType == "ConnectionSuccess"
    | where RemotePort == 3389
    | summarize make_set(DeviceId)
);
// Successful RDP connections in the last hour from devices not in the baseline
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 3389
| where DeviceId !in (historic_rdp_devices)
```

## Sentinel
```KQL
// Same logic as the Defender XDR query; Sentinel exposes the event time as
// TimeGenerated. The baseline ends at ago(1h) so that a device's own
// connection in the last hour cannot put it on the "known" list.
let historic_rdp_devices = toscalar(
    DeviceNetworkEvents
    | where TimeGenerated between (ago(30d) .. ago(1h))
    | where ActionType == "ConnectionSuccess"
    | where RemotePort == 3389
    | summarize make_set(DeviceId)
);
// Successful RDP connections in the last hour from devices not in the baseline
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 3389
| where DeviceId !in (historic_rdp_devices)
```

Explanation

This query is designed to identify devices that initiate a Remote Desktop Protocol (RDP) connection for the first time in the past 30 days. The purpose is to surface potentially suspicious activity, such as an attacker using RDP to move laterally within a network from a device that does not normally do so.

Here's a simplified breakdown of the query:

  1. Historic RDP Devices: The query first builds a baseline set of device IDs that successfully connected to port 3389 in the preceding 30 days, by selecting `ConnectionSuccess` events with `RemotePort == 3389` in `DeviceNetworkEvents` and collecting the `DeviceId` values with `make_set`. The baseline must stop where the current lookback window begins; if it also covered the last hour, every device from step 2 would already be in the set and the query would return no rows.

  2. Current RDP Connections: It then looks at RDP connections made in the last hour, again keeping only `ConnectionSuccess` events on port 3389.

  3. New RDP Devices: The `!in` filter drops any current connection whose `DeviceId` appears in the baseline set. What remains are connections from devices that had no successful RDP session in the prior 30 days.

By focusing on these new RDP connections, security teams can investigate whether they are legitimate (a new admin workstation, a help-desk tool rolled out to a new group) or whether they indicate unauthorized access or lateral movement by an attacker. Note that the port filter only catches RDP on the default port; a target listening on a non-standard port will not match `RemotePort == 3389`.
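The following is an added example, not part of the original query or the author's code. It reproduces the three steps above in Python over a constructed sample of `DeviceNetworkEvents`-style rows (hypothetical device IDs `dev-A` to `dev-E`, not real telemetry) so the windowing logic can be checked offline. The `exclude_lookback` switch compares the baseline window `between (ago(30d) .. ago(1h))` with a baseline of `> ago(30d)` that also contains the last hour, which demonstrates why the baseline has to end where the lookback begins.

```python
from datetime import datetime, timedelta

# Constructed sample of DeviceNetworkEvents rows (not real telemetry).
# Only the columns the KQL query uses are modelled.
NOW = datetime(2025, 4, 26, 12, 0, 0)
EVENTS = [
    # dev-A: RDP 20 days ago and again 30 min ago -> already a known RDP device
    {"Timestamp": NOW - timedelta(days=20), "DeviceId": "dev-A",
     "ActionType": "ConnectionSuccess", "RemotePort": 3389},
    {"Timestamp": NOW - timedelta(minutes=30), "DeviceId": "dev-A",
     "ActionType": "ConnectionSuccess", "RemotePort": 3389},
    # dev-B: first successful RDP connection ever, 20 min ago -> should be surfaced
    {"Timestamp": NOW - timedelta(minutes=20), "DeviceId": "dev-B",
     "ActionType": "ConnectionSuccess", "RemotePort": 3389},
    # dev-C: RDP 45 days ago (outside the 30-day baseline), then 10 min ago -> surfaced
    {"Timestamp": NOW - timedelta(days=45), "DeviceId": "dev-C",
     "ActionType": "ConnectionSuccess", "RemotePort": 3389},
    {"Timestamp": NOW - timedelta(minutes=10), "DeviceId": "dev-C",
     "ActionType": "ConnectionSuccess", "RemotePort": 3389},
    # dev-D: failed RDP attempt in the last hour -> ignored (not ConnectionSuccess)
    {"Timestamp": NOW - timedelta(minutes=5), "DeviceId": "dev-D",
     "ActionType": "ConnectionFailed", "RemotePort": 3389},
    # dev-E: HTTPS in the last hour -> ignored (not port 3389)
    {"Timestamp": NOW - timedelta(minutes=5), "DeviceId": "dev-E",
     "ActionType": "ConnectionSuccess", "RemotePort": 443},
]


def rdp_success(event):
    """Mirror the two KQL filters: ConnectionSuccess on RemotePort 3389."""
    return event["ActionType"] == "ConnectionSuccess" and event["RemotePort"] == 3389


def first_time_rdp_devices(events, now, lookback=timedelta(hours=1),
                           baseline=timedelta(days=30), exclude_lookback=True):
    """Return the DeviceIds with a successful RDP connection inside the lookback
    window that have no successful RDP connection inside the baseline window.

    exclude_lookback=True  -> baseline is (now-30d, now-1h], i.e. KQL
                              `between (ago(30d) .. ago(1h))`.
    exclude_lookback=False -> baseline is (now-30d, now], i.e. `> ago(30d)`,
                              which also covers the lookback window.
    """
    baseline_start = now - baseline
    baseline_end = now - lookback if exclude_lookback else now

    # Step 1: make_set(DeviceId) over the baseline window
    historic = {
        e["DeviceId"] for e in events
        if rdp_success(e) and baseline_start < e["Timestamp"] <= baseline_end
    }
    # Step 2: RDP successes in the lookback window
    current = {
        e["DeviceId"] for e in events
        if rdp_success(e) and e["Timestamp"] > now - lookback
    }
    # Step 3: DeviceId !in (historic_rdp_devices)
    return current - historic


if __name__ == "__main__":
    print("baseline ends at ago(1h):", sorted(first_time_rdp_devices(EVENTS, NOW)))
    print("baseline includes last hour:",
          sorted(first_time_rdp_devices(EVENTS, NOW, exclude_lookback=False)))
```

With the baseline ending at the start of the lookback, `dev-B` (never seen) and `dev-C` (last seen 45 days ago) are returned while `dev-A` is suppressed; with a baseline that runs up to now, every device in the current window is also in the baseline and the result is empty.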

Details

Robbe Van den Daele

Released: April 26, 2025

Tables

DeviceNetworkEvents

Keywords

Devices

Operators

let, toscalar, |, where, >, ago, ==, summarize, make_set, !in