forked from splunk/security_content
identify_systems_using_remote_desktop.yml
name: Identify Systems Using Remote Desktop
id: 063dfe9f-b1d7-4254-a16d-1e2e7eadd6a8
version: 1
date: '2019-04-01'
author: David Dorsey, Splunk
type: Baseline
datamodel:
- Endpoint
description: This search counts the number of times the remote desktop process, mstsc.exe,
  has run on each system.
search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes
  where Processes.process_name="*mstsc.exe*" by Processes.dest Processes.process_name
  | `drop_dm_object_name(Processes)` | sort - count'
how_to_implement: To successfully implement this search you must be ingesting endpoint
  data that records process activity.
known_false_positives: none
references: []
tags:
  analytic_story:
  - SamSam Ransomware
  - Ryuk Ransomware
  - Hidden Cobra Malware
  - Active Directory Lateral Movement
  detections:
  - Remote Desktop Network Traffic
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Processes.process_name
  - Processes.dest
security_domain: endpoint
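The following Python is an added illustration of what the baseline search above computes, not code from the Splunk security_content project. It replays the search's logic (filter process_name on the wildcard `*mstsc.exe*`, count by dest and process_name, sort by count descending) over a constructed handful of Endpoint.Processes-style events, and then shows one assumed use of such a baseline: checking whether a host seen launching mstsc.exe is already a known remote-desktop user. The event records, host names and the `hosts_not_in_baseline` helper are constructed for this example; Splunk's wildcard matching is approximated with a shell-style glob.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample of Endpoint.Processes events (not real telemetry). Each
# record carries the fields the baseline lists under required_fields.
SAMPLE_EVENTS = [
    {"_time": "2019-04-01T08:00:00Z", "dest": "wks-admin01",   "process_name": "mstsc.exe"},
    {"_time": "2019-04-01T08:05:00Z", "dest": "wks-admin01",   "process_name": "mstsc.exe"},
    {"_time": "2019-04-01T09:10:00Z", "dest": "wks-admin01",   "process_name": "mstsc.exe"},
    {"_time": "2019-04-01T09:12:00Z", "dest": "wks-finance07", "process_name": "excel.exe"},
    {"_time": "2019-04-01T10:30:00Z", "dest": "jump-host02",   "process_name": "mstsc.exe"},
    {"_time": "2019-04-01T11:00:00Z", "dest": "wks-finance07", "process_name": "mstsc.exe"},
]

# The where-clause pattern from the search: Processes.process_name="*mstsc.exe*"
PROCESS_PATTERN = "*mstsc.exe*"


def matches_process(process_name, pattern=PROCESS_PATTERN):
    """Glob match standing in for Splunk's wildcard comparison (assumption:
    for this pattern a shell-style glob behaves the same way)."""
    return fnmatchcase(process_name, pattern)


def remote_desktop_baseline(events):
    """Equivalent of
        ... count ... by Processes.dest Processes.process_name | sort - count
    Returns rows as dicts with dest, process_name and count, highest count first
    (ties broken by dest so the order is deterministic)."""
    counts = Counter(
        (e["dest"], e["process_name"])
        for e in events
        if matches_process(e["process_name"])
    )
    rows = [
        {"dest": dest, "process_name": name, "count": n}
        for (dest, name), n in counts.items()
    ]
    return sorted(rows, key=lambda r: (-r["count"], r["dest"]))


def hosts_not_in_baseline(baseline_rows, observed_dests):
    """Assumed use of the baseline (hypothetical helper, not from the page):
    given hosts observed launching remote desktop, return those the baseline
    has never counted, i.e. candidates for a closer look."""
    known = {row["dest"] for row in baseline_rows}
    return sorted(set(observed_dests) - known)


if __name__ == "__main__":
    baseline = remote_desktop_baseline(SAMPLE_EVENTS)
    for row in baseline:
        print(f'{row["dest"]:<16}{row["process_name"]:<12}{row["count"]}')
    print("new RDP hosts:", hosts_not_in_baseline(baseline, ["wks-admin01", "lab-pc99"]))
```

Run as-is it prints the three baseline rows (wks-admin01 with a count of 3, then jump-host02 and wks-finance07 with 1 each) and reports lab-pc99 as a host absent from the baseline. On real data the events would come from the accelerated data model rather than a literal list, and the baseline would be refreshed on a schedule before any detection consulted it.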