Privileged RDP Bypass from PMP Infrastructure

Last updated on:

About the rule

Rule Type

Advanced

Rule Description

Detects RDP initiated directly from the PMP server host outside the approved PMP session workflow. Note: Configure as an alert and restrict to the PMP auditing device to reduce false positives.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Process started" AND (PROCESSNAME endswith "mstsc.exe" OR ORIGINALFILENAME = "mstsc.exe") Action2: actionname = "Windows remote interactive logon" AND USERNAME = Action1.USERNAME sequence:Action1 followedby Action2 within 5m select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID,Action2.HOSTNAME,Action2.MESSAGE,Action2.PROCESSNAME,Action2.REMOTEHOST,Action2.REMOTEIP,Action2.USERNAME,Action2.DOMAIN,Action2.NETWORKACCOUNTDOMAIN,Action2.NETWORKACCOUNTNAME,Action2.LOGONID,Action2.LOGONTYPE

Detection

Execution Mode

realtime

Log Sources

Windows