frack113
27 lines
831 B
YAML
27 lines
831 B
YAML
title: Denied Access To Remote Desktop
|
|
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
|
|
status: test
|
|
description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.
|
|
author: Pushkarev Dmitry
|
|
references:
|
|
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
|
|
date: 2020/06/27
|
|
modified: 2021/11/27
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection:
|
|
EventID: 4825
|
|
condition: selection
|
|
fields:
|
|
- EventCode
|
|
- AccountName
|
|
- ClientAddress
|
|
falsepositives:
|
|
- Valid user was not added to RDP group
|
|
level: medium
|
|
tags:
|
|
- attack.lateral_movement
|
|
- attack.t1021.001
|