Privileged Credential Pivot from PMP Infrastructure
Last updated on:
In this page
About the rule
Rule Type
Advanced
Rule Description
Detects explicit credential use with RDP from the PMP server host outside the approved PMP session workflow. Note:Configure as an alert and restrict to the PMP auditing device to reduce false positives.
Severity
Critical
Rule Requirement
Criteria
Action1:
actionname = "Process started" AND (PROCESSNAME endswith "mstsc.exe" OR ORIGINALFILENAME = "mstsc.exe")
Action2:
actionname = "Windows remote interactive logon" AND USERNAME != Action1.USERNAME
sequence:Action1 followedby Action2 within 10m
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID,Action2.HOSTNAME,Action2.MESSAGE,Action2.PROCESSNAME,Action2.REMOTEHOST,Action2.REMOTEIP,Action2.USERNAME,Action2.DOMAIN,Action2.NETWORKACCOUNTDOMAIN,Action2.NETWORKACCOUNTNAME,Action2.LOGONID,Action2.LOGONTYPE
Detection
Execution Mode
scheduled
Log Sources
Windows


