IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Unusual Windows Remote User
editUnusual Windows Remote User
editA machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.
Rule type: machine_learning
Machine learning job: windows_rare_user_type10_remote_login
Machine learning anomaly threshold: 50
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-45m (Date Math format, see also Additional look-back time)
Maximum signals per execution: 100
References:
Tags:
- Elastic
- ML
- Windows
Version: 1
Added (Elastic Stack release): 7.7.0
Potential false positives
editUncommon username activity can be due to an engineer logging in to a server instance in order to perform manual troubleshooting or reconfiguration.
Investigation guide
editSignals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
- Consider the user as identified by the username field. Is the user part of a group who normally logs in to Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?