A Remote Desktop (RDP) logon by a user (Security EventCode 4624 with LogonType=10) followed, within a short time window on the same host and under the same account, by unusual process execution, file access, or lateral movement activity.
| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 (LogonType=10, RemoteInteractive), EventCode=4648 |
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4778 (session reconnected), EventCode=4779 (session disconnected) |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TimeWindow | Temporal threshold to correlate login with post-login activity (e.g., 5 minutes) |
| UserContext | Tune for non-admin users or service accounts expected to use RDP |
| ProcessList | Define suspicious post-login processes such as cmd.exe, powershell.exe, certutil.exe |
| HostAccessPatterns | Scope detection to uncommon or first-time access between source and destination hosts |
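The correlation described by the two tables above, worked through as an added example (it is not part of this page or of any MITRE tooling). It runs the detection logic over constructed dict records standing in for Security 4624 and Sysmon EventID 1/3 events, and it hard-codes illustrative values for TimeWindow, UserContext (an allowlist of accounts expected to use RDP), ProcessList, and HostAccessPatterns (a baseline of previously seen source-to-destination pairs). The set of lateral-movement ports and every host, user, and address in the sample data are assumptions, not values from the page.

```python
"""Correlate RDP (LogonType 10) logons with suspicious follow-on activity.

Added example for this detection strategy; works on constructed records that
stand in for Security 4624 and Sysmon 1/3 events as a SIEM would expose them.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Tunables corresponding to the mutable elements above (values are illustrative).
TIME_WINDOW = timedelta(minutes=5)
SUSPICIOUS_PROCESSES = {"cmd.exe", "powershell.exe", "certutil.exe"}
LATERAL_PORTS = {135, 445, 3389, 5985, 5986}     # assumption: RPC/SMB/RDP/WinRM
EXPECTED_RDP_USERS = {"svc_helpdesk"}            # constructed UserContext allowlist
KNOWN_HOST_PAIRS = {("10.0.0.5", "SRV-FILE01")}  # constructed HostAccessPatterns baseline

# Constructed sample events, in Splunk-like field names, sorted here for readability.
SAMPLE_EVENTS = [
    # jdoe RDPs in from an address never seen reaching SRV-FILE01 before
    {"ts": "2024-03-01T10:00:00", "source": "WinEventLog:Security", "EventCode": 4624,
     "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.0.99", "Computer": "SRV-FILE01"},
    {"ts": "2024-03-01T10:01:30", "source": "WinEventLog:Sysmon", "EventCode": 1,
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\certutil.exe", "Computer": "SRV-FILE01"},
    {"ts": "2024-03-01T10:02:00", "source": "WinEventLog:Sysmon", "EventCode": 3, "User": "CORP\\jdoe",
     "Initiated": True, "DestinationIp": "10.0.0.20", "DestinationPort": 445, "Computer": "SRV-FILE01"},
    # an account expected to use RDP: tuned out by UserContext, so its cmd.exe does not fire
    {"ts": "2024-03-01T10:02:00", "source": "WinEventLog:Security", "EventCode": 4624,
     "LogonType": 10, "TargetUserName": "svc_helpdesk", "IpAddress": "10.0.0.5", "Computer": "SRV-FILE01"},
    {"ts": "2024-03-01T10:02:10", "source": "WinEventLog:Sysmon", "EventCode": 1,
     "User": "CORP\\svc_helpdesk", "Image": "C:\\Windows\\System32\\cmd.exe", "Computer": "SRV-FILE01"},
    # a network logon (type 3) is not RDP; notepad.exe is not on the ProcessList
    {"ts": "2024-03-01T10:03:00", "source": "WinEventLog:Security", "EventCode": 4624,
     "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.99", "Computer": "SRV-FILE01"},
    {"ts": "2024-03-01T10:03:30", "source": "WinEventLog:Sysmon", "EventCode": 1,
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "Computer": "SRV-FILE01"},
    # suspicious, but nine minutes after the logon: outside TimeWindow
    {"ts": "2024-03-01T10:09:00", "source": "WinEventLog:Sysmon", "EventCode": 1, "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Computer": "SRV-FILE01"},
]


def _user(name: str) -> str:
    """Normalise 'CORP\\jdoe' or 'jdoe' to a lower-case account name."""
    return name.rsplit("\\", 1)[-1].lower()


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict], window: timedelta = TIME_WINDOW) -> List[Dict]:
    """Return one alert per suspicious Sysmon event that follows an RDP logon
    by the same account on the same host within `window`."""
    alerts: List[Dict] = []
    logons: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)  # (host, user) -> RDP logons

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host = ev["Computer"]

        if ev["source"] == "WinEventLog:Security" and ev["EventCode"] == 4624:
            user = _user(ev["TargetUserName"])
            # Only RemoteInteractive logons matter, and tuned-out accounts are skipped.
            if ev.get("LogonType") == 10 and user not in EXPECTED_RDP_USERS:
                logons[(host, user)].append({"ts": ts, "src_ip": ev["IpAddress"]})
            continue
        if ev["source"] != "WinEventLog:Sysmon":
            continue

        user = _user(ev["User"])
        reason = None
        if ev["EventCode"] == 1 and _basename(ev["Image"]) in SUSPICIOUS_PROCESSES:
            reason = f"suspicious process {_basename(ev['Image'])}"
        elif ev["EventCode"] == 3 and ev.get("Initiated") and ev["DestinationPort"] in LATERAL_PORTS:
            reason = f"outbound connection to {ev['DestinationIp']}:{ev['DestinationPort']}"
        if reason is None:
            continue

        # Tie the activity to an RDP logon on the same host by the same user inside the window.
        for lg in logons[(host, user)]:
            if timedelta(0) <= ts - lg["ts"] <= window:
                alerts.append({
                    "host": host, "user": user, "src_ip": lg["src_ip"],
                    "logon_ts": lg["ts"].isoformat(), "activity_ts": ev["ts"], "reason": reason,
                    # HostAccessPatterns: flag a source->destination pair not in the baseline
                    "first_time_pair": (lg["src_ip"], host) not in KNOWN_HOST_PAIRS,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Against the sample data this yields two alerts for jdoe (the certutil.exe launch and the SMB connection), both marked as a first-time source-to-destination pair; the service account, the type 3 logon, notepad.exe, and the late powershell.exe produce nothing. In production the join is tighter if Sysmon's `LogonId` is matched to the 4624 `TargetLogonId` rather than host plus account name, since elevated processes run under a second, linked logon session.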