Unusual Windows Remote User

edit

A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.

Rule type: machine_learning

Machine learning job: v3_windows_rare_user_type10_remote_login

Machine learning anomaly threshold: 50

Severity: low

Risk score: 21

Runs every: 15 minutes

Searches indices from: now-45m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • ML
  • Initial Access

Version: 7 (version history)

Added (Elastic Stack release): 7.7.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.

Investigation guide

edit
## Triage and analysis

### Investigating an Unusual Windows User
Detection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 7 (8.4.0 release)
  • Formatting only
Version 6 (8.3.0 release)
  • Formatting only
Version 5 (7.13.0 release)
  • Formatting only
Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.10.0 release)
  • Formatting only
Version 2 (7.9.0 release)
  • Formatting only