Unusual Windows Remote User
editUnusual Windows Remote User
editA machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.
Rule type: machine_learning
Machine learning job: windows_rare_user_type10_remote_login
Machine learning anomaly threshold: 50
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-45m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- ML
Version: 3 (version history)
Added (Elastic Stack release): 7.7.0
Last modified (Elastic Stack release): 7.10.0
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
editUncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.
Investigation guide
editAlerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
- Consider the user as identified by the username field. Is the user part of a group who normally logs in to Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?
Rule version history
edit- Version 3 (7.10.0 release)
-
- Formatting only
- Version 2 (7.9.0 release)
-
- Formatting only