← Back to Explore
sigmamediumHunting
Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.
Detection Query
selection:
EventID: 8001
TargetName|startswith: TERMSRV
condition: selection
Author
James Pemberton
Created
2020-05-22
Data Sources
windowsntlm
Platforms
windows
References
Tags
attack.command-and-controlattack.t1219.002
Raw Content
title: Potential Remote Desktop Connection to Non-Domain Host
id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
status: test
description: Detects logons using NTLM to hosts that are potentially not part of the domain.
references:
- n/a
author: James Pemberton
date: 2020-05-22
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
service: ntlm
definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
selection:
EventID: 8001
TargetName|startswith: 'TERMSRV'
condition: selection
falsepositives:
- Host connections to valid domains, exclude these.
- Host connections not using host FQDN.
- Host connections to external legitimate domains.
level: medium