Raiders of the Lost RDP: The Haag Crusade

[MHaggis]

Enhanced RDP Security Monitoring Suite

This PR introduces a comprehensive set of detections and supporting components for monitoring Windows Remote Desktop Protocol (RDP) activities, enhancing our ability to detect potential lateral movement and unauthorized remote access.

New Detections

1. Windows RDP File Execution

• Monitors execution of .rdp files from high-risk directories
• Focuses on temp folders, download directories, and Outlook temporary locations
• Helps identify potential spear-phishing campaigns using malicious RDP files

2. Windows RDPClient Connection Sequence Events

• Tracks RDP ClientActiveX connection attempts (Event ID 1024)
• Provides visibility into initial connection sequences
• Helps identify unusual remote access patterns and potential lateral movement

Infrastructure Additions

New Data Source

• Added support for Microsoft-Windows-TerminalServices-RDPClient/Operational logs
• Specifically tracking Event ID 1024 for connection sequence monitoring
• Enhances visibility into RDP client-side activities

New Macro

• Introduced wineventlog_rdp macro for standardized RDP event querying
• Improves consistency across RDP-related detections
• Simplifies future RDP detection development

Screenshots

• Added detection screenshots for validation and documentation
• Demonstrates expected data presentation and field mapping

Windows RDP File Execution

Windows RDPClient Connection Sequence Events

Testing

• Validated against Attack Range dataset
• Confirmed detection of RDP connection sequences
• Verified file execution monitoring capabilities

[mvelazc0]

cool use case buddy !

[pyth0n1c]

Reviewed and approved after some minor typo updates.
Will merge after CI completes :)