Query Details
// Detect when a user connects to 3 or more unique devices via RDP within a 30 minute period
// Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent
SecurityEvent
| where TimeGenerated > ago(1d)
// 4624 = successful logon. EventID is an int column, so compare against a number rather than a string
| where EventID == 4624
// Logon type 10 = RemoteInteractive, i.e. RDP / Terminal Services
| where LogonType == 10
// Keep logons where the subject (the logging-on process) and the target account share a domain.
// In practice this limits results to domain accounts and drops local-account logons, whose TargetDomainName is the computer name
| where SubjectDomainName == TargetDomainName
// Account is dropped to lower case to make sure each account is only listed once, i.e. Reprise99 and reprise99 are combined
| summarize
    ['Distinct device logon count']=dcount(Computer),
    ['List of devices']=make_set(Computer)
    by Account = tolower(Account), bin(TimeGenerated, 30m)
// Find accounts that have logged on to 3 or more unique devices within the same 30 minute bin
| where ['Distinct device logon count'] >= 3

This query looks for a user account that logs on to three or more different devices over Remote Desktop Protocol (RDP) within a 30-minute window, a pattern that can indicate lateral movement with a compromised or shared account. It filters Windows Security Events to Event ID 4624 (successful logon) with Logon Type 10 (RemoteInteractive, which is how RDP and Terminal Services logons are recorded), and keeps only events where the subject and target domain names match, which excludes local-account logons. The remaining events are grouped by account, lower-cased because Windows account names are case-insensitive and the same account can be logged with different casing, and by 30-minute bucket; for each group it counts and lists the distinct values of Computer, which is the host that recorded the event, i.e. the RDP destination. Finally it keeps the account/bucket pairs with three or more distinct devices.

Two caveats when using this as a detection rule. bin() produces fixed buckets aligned to the clock (10:00-10:30, 10:30-11:00, and so on), not a sliding window, so a burst of logons at 10:20, 10:40 and 10:50 is split across two buckets and never reaches the threshold; a true sliding window needs a self-join or a scheduled rule whose lookback overlaps its run interval. Also, the count only covers destination hosts; the RDP source is carried in the IpAddress (and WorkstationName) columns of the same 4624 event, so adding make_set(IpAddress) to the summarize gives triage context and helps tell an administrator working from a jump host apart from an account hopping between workstations.
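The following is an added example and is not part of Matt Zorich's original query. It runs the original fixed-bin logic and a sliding-window alternative side by side over constructed sample rows shaped like SecurityEvent (the SampleEvents datatable, the accounts, hosts, times and the Window and Threshold names are all made up for illustration), so it can be pasted into the Sentinel Logs blade or any Kusto endpoint without a data connector; to run it against real telemetry, replace the SampleEvents definition with SecurityEvent | where TimeGenerated > ago(1d).

```kql
// Added example: fixed bins versus a sliding window for the 3-hosts-in-30-minutes rule.
// SampleEvents is constructed test data shaped like SecurityEvent; swap it for
//   SecurityEvent | where TimeGenerated > ago(1d)
// to run against real telemetry.
let Window = 30m;
let Threshold = 3;
let SampleEvents = datatable(TimeGenerated:datetime, EventID:int, LogonType:int, Account:string, SubjectDomainName:string, TargetDomainName:string, Computer:string)
[
    // reprise99 reaches three hosts in 30 minutes, but the burst straddles the 10:30 bin boundary
    datetime(2022-06-17 10:20:00), 4624, 10, @"CONTOSO\reprise99", "CONTOSO", "CONTOSO", "HOST-A.contoso.local",
    datetime(2022-06-17 10:40:00), 4624, 10, @"CONTOSO\Reprise99", "CONTOSO", "CONTOSO", "HOST-B.contoso.local",
    datetime(2022-06-17 10:50:00), 4624, 10, @"CONTOSO\reprise99", "CONTOSO", "CONTOSO", "HOST-C.contoso.local",
    // svc-backup logs on repeatedly to the same host: one distinct device, no alert
    datetime(2022-06-17 10:05:00), 4624, 10, @"CONTOSO\svc-backup", "CONTOSO", "CONTOSO", "HOST-A.contoso.local",
    datetime(2022-06-17 10:15:00), 4624, 10, @"CONTOSO\svc-backup", "CONTOSO", "CONTOSO", "HOST-A.contoso.local",
    // local account on HOST-D: TargetDomainName is the computer name, so the domain filter drops it
    datetime(2022-06-17 10:25:00), 4624, 10, @"HOST-D\localadmin", "CONTOSO", "HOST-D", "HOST-D.contoso.local",
    // network logon (type 3) by reprise99: not RDP, ignored
    datetime(2022-06-17 10:26:00), 4624, 3, @"CONTOSO\reprise99", "CONTOSO", "CONTOSO", "HOST-E.contoso.local"
];
// Same filters as the original query, with the account lower-cased once up front
let RdpLogons = SampleEvents
| where EventID == 4624 and LogonType == 10
| where SubjectDomainName == TargetDomainName
| project TimeGenerated, Account = tolower(Account), Computer;
// 1) Original fixed-bin approach: reprise99 lands in two bins (1 host, then 2 hosts)
let FixedBins = RdpLogons
| summarize ['Distinct device logon count'] = dcount(Computer), ['List of devices'] = make_set(Computer)
    by Account, bin(TimeGenerated, Window)
| where ['Distinct device logon count'] >= Threshold
| extend Method = "fixed bin";
// 2) Sliding window: treat every RDP logon as a candidate window start and
//    count the distinct hosts the same account reached within Window after it
let Sliding = RdpLogons
| join kind=inner (RdpLogons | project Account, LaterTime = TimeGenerated, LaterComputer = Computer) on Account
| where LaterTime between (TimeGenerated .. (TimeGenerated + Window))
| summarize ['Distinct device logon count'] = dcount(LaterComputer), ['List of devices'] = make_set(LaterComputer), WindowEnd = max(LaterTime)
    by Account, WindowStart = TimeGenerated
| where ['Distinct device logon count'] >= Threshold
// overlapping windows produced by one burst collapse to the earliest start
| summarize arg_min(WindowStart, ['Distinct device logon count'], ['List of devices'], WindowEnd) by Account
| extend Method = "sliding window";
union FixedBins, Sliding
```

With the sample rows, the fixed-bin branch returns nothing, because reprise99's 10:20 logon falls in the 10:00 bucket and the 10:40 and 10:50 logons in the 10:30 bucket, while the sliding-window branch returns one row for contoso\reprise99 with WindowStart 10:20, WindowEnd 10:50 and all three hosts listed; svc-backup, the local account and the type 3 logon produce no rows in either branch. The self-join multiplies rows per account, so against a busy SecurityEvent table keep the time range tight and consider restricting the join to privileged or watchlisted accounts before it runs.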

Matt Zorich
Released: June 17, 2022