From 2e8920e2e893eb4259e428eae94f3d63c3c672b0 Mon Sep 17 00:00:00 2001
From: sbousseaden
Date: Sat, 24 Aug 2019 23:20:15 +0200
Subject: [PATCH 1/3] Add files via upload
---
.../T1076-rdp-tunneling_logon.toml | 17 +++++++++++++++++
.../T1076-rdp-tunneling_network.toml | 17 +++++++++++++++++
2 files changed, 34 insertions(+)
create mode 100644 eqllib/analytics/lateral-movement/T1076-rdp-tunneling_logon.toml
create mode 100644 eqllib/analytics/lateral-movement/T1076-rdp-tunneling_network.toml
diff --git a/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_logon.toml b/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_logon.toml
new file mode 100644
index 0000000..99482a3
--- /dev/null
+++ b/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_logon.toml
@@ -0,0 +1,17 @@
+[analytic.metadata]
+categories = ["detect"]
+confidence = "high"
+contributors = ["SBousseaden"]
+created_date = "8/24/2019"
+description = "RDP Tunneling via SSH is a common technique to control interactively compromised systems behind a FW via RDP Protocol"
+id = "3abf86e1-3ba3-4473-90ea-5fc37ff57d19"
+name = "RDP Tunneling - Logon Event"
+os = ["windows"]
+tactics = ["Lateral Movement", "Connection Proxy"]
+techniques = ["T1076"]
+
+
+[analytic]
+query = '''
+security where event_id==4624 and (logon_type==3 or logon_type==10) and (ip_address=="127.0.*" or ip_address=="::1") and target_user_name!="*$"
+'''
diff --git a/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_network.toml b/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_network.toml
new file mode 100644
index 0000000..0d5807a
--- /dev/null
+++ b/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_network.toml
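Review bot: `tactics = ["Lateral Movement", "Connection Proxy"]` mixes a tactic with a technique name — Connection Proxy is ATT&CK technique T1090 and belongs to the Command and Control tactic, so the metadata should read `tactics = ["Lateral Movement", "Command and Control"]` and `techniques = ["T1076", "T1090"]`; the network analytic that follows carries the same pair. In the query, `ip_address=="127.0.*"` covers only 127.0.0.0/16, while a tunnel endpoint may be bound anywhere in the 127.0.0.0/8 loopback range, so `ip_address=="127.*"` closes that gap; the same wildcard is used in the network analytic's query. Legitimate admin port-forwarding produces an identical loopback 4624, so `confidence = "high"` presumably assumes that such use is rare in the environment; a comment above `query` naming the expected benign sources (e.g. VPN clients or admin jump tooling that forward to localhost) would make triage of hits faster.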
@@ -0,0 +1,17 @@
+[analytic.metadata]
+categories = ["detect"]
+confidence = "medium"
+contributors = ["SBousseaden"]
+created_date = "8/24/2019"
+description = "RDP Tunneling via SSH is a common technique to control interactively compromised systems behind a FW via RDP Protocol"
+id = "3abf86e1-3ba3-4473-90ea-5fc37ff57d19"
+name = "RDP Tunneling - Network Event"
+os = ["windows"]
+tactics = ["Lateral Movement", "Connection Proxy"]
+techniques = ["T1076"]
+
+
+[analytic]
+query = '''
+network where source_port==3389 and (destination_address=="127.0.*" or destination_address=="::1")
+'''
From 5b505d5ef4c638724f27b1d51b3c03fcf14a2a1d Mon Sep 17 00:00:00 2001
From: sbousseaden
Date: Sat, 24 Aug 2019 23:21:04 +0200
Subject: [PATCH 2/3] Update T1076-rdp-tunneling_network.toml
---
.../analytics/lateral-movement/T1076-rdp-tunneling_network.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_network.toml b/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_network.toml
index 0d5807a..2ad4bf6 100644
--- a/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_network.toml
+++ b/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_network.toml
@@ -4,7 +4,7 @@ confidence = "medium"
 contributors = ["SBousseaden"]
 created_date = "8/24/2019"
 description = "RDP Tunneling via SSH is a common technique to control interactively compromised systems behind a FW via RDP Protocol"
-id = "3abf86e1-3ba3-4473-90ea-5fc37ff57d19"
+id = "3abf86e1-3ba3-4473-90ea-5fc37ff57d20"
 name = "RDP Tunneling - Network Event"
 os = ["windows"]
 tactics = ["Lateral Movement", "Connection Proxy"]
From f58fb09ae76af9d4be2232b8aca479ee915f9d9d Mon Sep 17 00:00:00 2001
From: sbousseaden
Date: Thu, 4 Jun 2020 17:33:20 +0200
Subject: [PATCH 3/3] Update T1076-rdp-tunneling_logon.toml
---
.../analytics/lateral-movement/T1076-rdp-tunneling_logon.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
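Review bot: `source_port==3389` in the network query matches only the side of the connection on which 3389 is the source, which for a loopback tunnel is presumably the RDP listener's reply direction; the tunnel process connecting to the local listener is recorded with 3389 as the destination port, so depending on the event source the analytic may see nothing at all. Matching either direction is safer: `network where (source_port==3389 or destination_port==3389) and (destination_address=="127.0.*" or destination_address=="::1")`. The `127.0.*` wildcard has the same 127.0.0.0/16 gap as the logon analytic, and the query carries no process context — if the network schema exposes the initiating process, constraining on it would separate a forwarding tool from the RDP service itself.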
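Review bot: The new `id` differs from the logon analytic's id only in its last two characters (`…d19` → `…d20`), i.e. it was hand-edited rather than generated, which leaves the two identifiers one typo apart and no longer random in the bits that are supposed to guarantee uniqueness. Generate a fresh UUID4 for the network analytic instead, `id = "<freshly generated uuid4>"`, e.g. via `uuidgen` or `python -c 'import uuid; print(uuid.uuid4())'`.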
diff --git a/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_logon.toml b/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_logon.toml
index 99482a3..f008f06 100644
--- a/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_logon.toml
+++ b/eqllib/analytics/lateral-movement/T1076-rdp-tunneling_logon.toml
@@ -13,5 +13,5 @@ techniques = ["T1076"]
 
 [analytic]
 query = '''
-security where event_id==4624 and (logon_type==3 or logon_type==10) and (ip_address=="127.0.*" or ip_address=="::1") and target_user_name!="*$"
+security where event_id==4624 and logon_type==10 and (ip_address=="127.0.*" or ip_address=="::1") and target_user_name!="*$"
 '''
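Review bot: Dropping `logon_type==3` narrows the analytic to RemoteInteractive logons, but the reason is not recorded anywhere in the file, and the earlier form presumably also caught the NLA/CredSSP pre-authentication that is logged as a type 3 network logon before the type 10 session, so a tunnel that never completes the session is now out of scope. Add a comment above `query` in the `[analytic]` table, e.g. `# logon_type 10 only: type 3 from loopback (NLA pre-auth, local services) was too noisy — TODO confirm this trade-off is intended`. The `ip_address=="127.0.*"` wildcard still covers only 127.0.0.0/16 of the loopback range.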