
Sophos News: Investigative Queries

Identifying Remote Desktop Protocol (RDP) artifacts is a recurring task in incident response: RDP is a routine initial-access and lateral-movement channel, and its traces are spread across several Windows event logs and a handful of registry settings. Sophos has published a set of investigative queries that gather those traces for defenders. This article walks through the main ones.

The first query to know is 21-40 Local Session Login Events, which reads the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log. Event IDs 21 (session logon succeeded), 22 (shell start), 23 (logoff), 24 (disconnect), 25 (reconnection succeeded), 39 (session disconnected by another session) and 40 (session disconnected with a reason code) together give the lifecycle of each session, and 21 and 25 carry the user, the session ID and the source network address. The companion 1149 RDP Logins query reads the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log for event ID 1149, "User authentication succeeded". One caveat: with Network Level Authentication (NLA) enabled, a 1149 records that the supplied credential was validated, but a desktop session does not always follow; with NLA disabled it is written as soon as the client connects, before any credential is checked, so on its own it proves only that someone reached the listener. Read 1149 together with the matching 21 or 25.

The overlap between these queries is deliberate. An attacker may clear or tamper with one log to cover their tracks, so a discrepancy between logs that should agree (a 1149 with no matching session event, or a session event with no 1149) is itself an indicator. Clearing the Security log leaves event 1102 there, and clearing other logs leaves event 104 in the System log, so those are worth checking alongside. Running several queries over independent sources is what makes the resulting picture trustworthy.

The RDP Logins from External IPs query narrows the same events to connections whose source address is not a private or local one. The source address is present in the 1149 event and in the LocalSessionManager 21 and 25 events, so the filter amounts to excluding loopback, link-local and RFC 1918 ranges and reviewing what is left. A hit means the host accepted an RDP session from outside the network, which is a finding in itself even when the account was legitimate. Note that connections arriving through a VPN concentrator or NAT gateway carry the gateway's internal address and will not show up here.
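The three queries above, as an added PowerShell example. This is my code, not the Sophos queries themselves: it pulls 1149 from the RemoteConnectionManager log and 21 through 40 from the LocalSessionManager log, flags successful sessions from non-internal addresses, and cross-checks the two logs for 1149 events with no matching 21 or 25. The seven-day look-back, the five-minute pairing window and the private-range list are assumptions to tune for your environment. Run it elevated on the host.

```powershell
# Added example (not Sophos's queries): RDP session and authentication events
# from the two Terminal Services operational logs, normalised, with an external
# source filter and a cross-log consistency check. Needs log read access.

$Since = (Get-Date).AddDays(-7)   # assumption: look-back window

# A source is "internal" when it is empty, the literal LOCAL that Windows writes
# for console sessions, loopback, link-local, or an RFC 1918 range.
function Test-InternalAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address) -or $Address -eq 'LOCAL') { return $true }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $true }  # unparsable: do not flag
    if ([System.Net.IPAddress]::IsLoopback($ip) -or $ip.IsIPv6LinkLocal -or $ip.IsIPv6SiteLocal) { return $true }
    if ($ip.AddressFamily -eq 'InterNetworkV6') { return $false }  # any other IPv6 is treated as external
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

# 1149 "User authentication succeeded": Param1 = user, Param2 = domain, Param3 = client address.
$rcm = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Id        = 1149
    StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Log     = 'RCM'
        Id      = $_.Id
        User    = ('{0}\{1}' -f $x.Event.UserData.EventXML.Param2, $x.Event.UserData.EventXML.Param1).TrimStart('\')
        Address = $x.Event.UserData.EventXML.Param3
    }
}

# 21 logon, 22 shell start, 23 logoff, 24 disconnect, 25 reconnect,
# 39 disconnected by another session, 40 disconnected with reason code.
# Only 21/22/24/25 carry <Address>; for the others it is simply $null.
$lsm = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21,22,23,24,25,39,40
    StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Log     = 'LSM'
        Id      = $_.Id
        User    = $x.Event.UserData.EventXML.User
        Address = $x.Event.UserData.EventXML.Address
    }
}

# External-source view: successful authentications, logons and reconnects whose
# client address is not internal.
$external = @($rcm) + @($lsm) | Where-Object { $_.Id -in 1149,21,25 -and -not (Test-InternalAddress $_.Address) }
"== RDP activity from non-internal addresses =="
$external | Sort-Object Time | Format-Table Time, Log, Id, User, Address -AutoSize

# Cross-check: each 1149 should be followed by a 21 or 25 from the same address.
# An unpaired 1149 is either an NLA-only authentication (credential validated,
# no session established) or a hint that the LocalSessionManager log was cleared.
$window = New-TimeSpan -Minutes 5   # assumption: pairing window
$orphans = foreach ($auth in $rcm) {
    $match = $lsm | Where-Object {
        $_.Id -in 21,25 -and $_.Address -eq $auth.Address -and
        $_.Time -ge $auth.Time -and ($_.Time - $auth.Time) -le $window
    }
    if (-not $match) { $auth }
}
"== 1149 authentications with no matching 21/25 session event =="
$orphans | Sort-Object Time | Format-Table Time, User, Address -AutoSize
```

For offline triage of collected evidence, replace the LogName key in each FilterHashtable with Path pointing at the exported .evtx file; the rest of the script is unchanged.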

The 4624_4625 Login Events query turns to the Security log: 4624 is a successful logon and 4625 a failed one. The logon type field is what ties them to RDP. A completed RDP session is a 4624 with logon type 10 (RemoteInteractive), or type 7 when a disconnected session is reconnected or unlocked. Failed attempts look different depending on NLA: with NLA disabled they are 4625 events with type 10, but with NLA enabled the credential is checked over CredSSP before any session exists, so the failures appear as 4625 events with type 3 (Network) carrying the client's IP address. That is why the query covers network-based logons as well, and why failed RDP attempts against an NLA-enabled host are easy to miss if you filter on type 10 alone.
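The Security log side, as an added PowerShell example of my own rather than Sophos's query. It decodes the logon type on 4624/4625 events, lists completed RDP sessions, and then ranks failed attempts by source, taking type 3 failures into account so that NLA-protected hosts are not missed. The seven-day window is an assumption; the Security log requires an elevated shell.

```powershell
# Added example (not Sophos's query): 4624/4625 with logon type decoded.
# RDP success = type 10 (RemoteInteractive) or 7 (Unlock/reconnect).
# RDP failure = type 10 with NLA off, type 3 (Network) with NLA on.

$Since = (Get-Date).AddDays(-7)   # assumption: look-back window

$LogonTypeName = @{
    '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service'; '7'='Unlock'
    '8'='NetworkCleartext'; '9'='NewCredentials'; '10'='RemoteInteractive'; '11'='CachedInteractive'
}

# Flatten <EventData><Data Name="...">value</Data>... into a hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $h = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624,4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        $outcome = if ($_.Id -eq 4624) { 'success' } else { 'failure' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Outcome   = $outcome
            User      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType = $LogonTypeName[[string]$d['LogonType']]
            Source    = $d['IpAddress']
            Station   = $d['WorkstationName']
            AuthPkg   = $d['AuthenticationPackageName']
            Status    = $d['Status']      # 4625 only, e.g. 0xC000006D = bad user name or password
            SubStatus = $d['SubStatus']   # 4625 only, e.g. 0xC0000064 = user does not exist
        }
    }

$local = '-', '127.0.0.1', '::1'   # console and loopback sources to ignore

"== Completed RDP sessions (4624, type 10 or 7) =="
$logons | Where-Object { $_.Outcome -eq 'success' -and $_.LogonType -in 'RemoteInteractive','Unlock' -and $_.Source -notin $local } |
    Sort-Object Time | Format-Table Time, User, LogonType, Source, AuthPkg -AutoSize

# Type 3 also covers SMB and other network logons, so this view ranks by source
# and should be confirmed against the 1149 / 21-40 logs before acting.
"== Failed logons by source (type 10 = NLA off, type 3 = NLA on) =="
$logons | Where-Object { $_.Outcome -eq 'failure' -and $_.LogonType -in 'RemoteInteractive','Network' -and $_.Source -notin $local } |
    Group-Object Source, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

A long tail of distinct user names from one source with SubStatus 0xC0000064 is the shape of a password spray or user enumeration; the same source with one user and 0xC000006A repeated is a brute force against a known account.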

The remaining queries look for configuration rather than activity: devices with NLA disabled and devices where Restricted Admin mode is enabled. NLA is controlled by the UserAuthentication value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp (0 disables it); with it off, an unauthenticated client reaches the logon screen and any pre-authentication flaw in the RDP stack is exposed. Restricted Admin mode is controlled by DisableRestrictedAdmin under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; setting it to 0 enables the mode, which keeps the user's credentials off the remote host but also lets a client authenticate to RDP with an NTLM hash alone, so it is a pass-the-hash path. Finding and correcting both settings before an incident removes two of the easier ways in.
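The configuration checks, as an added PowerShell example of my own (not Sophos's query). It reads the listener's NLA setting, the Group Policy value that can override it, and DisableRestrictedAdmin, reports which are in the weak state, and prints the remediation without applying it. The registry locations are the standard ones for these settings; run it elevated.

```powershell
# Added example (not Sophos's query): audit NLA and Restricted Admin mode.
# Read-only; the fix for each weak setting is printed, not executed.

$checks = @(
    [pscustomobject]@{
        Setting = 'NLA (RDP-Tcp UserAuthentication)'
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        Name    = 'UserAuthentication'
        IsWeak  = { param($v) $v -eq 0 }   # 0 = NLA off: clients reach the logon UI unauthenticated
        Absent  = 'not set (NLA default is on)'
        Reason  = 'NLA disabled; pre-authentication RDP attack surface exposed'
        Fix     = "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1"
    },
    [pscustomobject]@{
        Setting = 'NLA (Group Policy override)'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        Name    = 'UserAuthentication'
        IsWeak  = { param($v) $v -eq 0 }   # a policy that turns NLA off wins over the listener value
        Absent  = 'no policy'
        Reason  = 'Group Policy forces NLA off on this host'
        Fix     = 'correct the GPO "Require user authentication for remote connections by using Network Level Authentication"'
    },
    [pscustomobject]@{
        Setting = 'Restricted Admin mode (DisableRestrictedAdmin)'
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name    = 'DisableRestrictedAdmin'
        IsWeak  = { param($v) $v -eq 0 }   # 0 = mode ENABLED: RDP accepts an NTLM hash (mstsc /restrictedadmin)
        Absent  = 'not set (mode off on current builds)'
        Reason  = 'Restricted Admin enabled; pass-the-hash over RDP possible'
        Fix     = "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DisableRestrictedAdmin -Value 1"
    }
)

$report = foreach ($c in $checks) {
    # Missing key or value yields $null; report it with the per-check default meaning.
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $v)        { $state = $c.Absent; $note = '' }
    elseif (& $c.IsWeak $v)  { $state = 'WEAK';    $note = '{0}. Fix: {1}' -f $c.Reason, $c.Fix }
    else                     { $state = 'ok';      $note = '' }
    [pscustomobject]@{ Setting = $c.Setting; Value = $v; State = $state; Note = $note }
}

$report | Format-Table -AutoSize -Wrap
```

Wrap the loop body in Invoke-Command -ComputerName to run the same audit across a fleet; the weak state is the one to alert on, since both settings are usually changed deliberately and rarely for a good reason.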

Together these queries cover the activity side (session, authentication and Security log events, cross-checked against one another) and the configuration side (NLA and Restricted Admin). Running them routinely rather than only during an incident shortens the response when one comes and removes the misconfigurations that make RDP an easy way in.

