RDP Toggle Lateral Movement Detection
Query
//This query detects attempts to enable Remote Desktop using wmic rdtoggle
//Common technique in post-intrusion ransomware attacks
DeviceProcessEvents
| where FileName in ("wmic.exe")
| where ProcessCommandLine has_all ("rdtoggle", "SetAllowTSConnections", "1")
| project Timestamp, DeviceName, DeviceId, ReportId, ProcessCommandLine, InitiatingProcessCommandLineExplanation
This query is designed to identify potential security threats by detecting attempts to enable Remote Desktop on a device using a specific command-line tool, "wmic.exe." This technique is commonly used in ransomware attacks after an intruder has gained access to a system. Here's a breakdown of what the query does:
-
Data Source: It looks at events related to processes on devices (
DeviceProcessEvents). -
Filter by File Name: It specifically filters for events where the process involved is "wmic.exe."
-
Filter by Command Line: It further narrows down the results to instances where the command line includes the terms "rdtoggle," "SetAllowTSConnections," and "1." These terms indicate an attempt to enable Remote Desktop connections.
-
Select Specific Information: The query then selects and displays specific details about each detected event, including:
Timestamp: When the event occurred.DeviceName: The name of the device where the event was detected.DeviceId: The unique identifier of the device.ReportId: An identifier for the report.ProcessCommandLine: The full command line that was executed.InitiatingProcessCommandLine: The command line of the process that initiated this event.
In summary, this query helps security teams identify suspicious activities related to enabling Remote Desktop, which could be a sign of a ransomware attack in progress.
Details

Emre Ay
Released: November 10, 2024
Tables
Keywords
Operators