Event ID: 4648

Contains process name "C:\Windows\System32\mstsc.exe"
- indicator for user machine with outbound RDP connections detected.
- can be mapped to Mitre T1076.
- can be traces of lateral movement.
Event Message contains "*/TERMSRV/*"
- Known as RDP outbound connection from end user machine.
- Indicator of possible lateral movement
Process name "C:\Windows\System32\sc.exe"
- shows remote machine services are queried and executed
- indicator of possible lateral movement
- can be mapped to T1021/T1035
Threat actor persistence with new service account with alternate credentials were 4648 at the time of the incident.
- this can include other services running with specific account other than local system or network service.
- This can be mapped to mitre T1050.
Threat actors can use valid accounts to interact with remote machines.
- They can interact remote machines by taking advantage of Distributed Component Object Model (DCOM)
- This is mostly using RPC calls. This can request a service from a program located in another computer on the network.
- check if the event contains "RPCSS/"
- Can be mapped to T1021/T1175
Inbound RDP connections can be used by threat actors.
- process name "Winlogon.exe" and Network address is not empty or equal to loopback address.
- This can be associated with interactive logon activity (logon type equals 10 or 7)
- Can be mapped to T1076.
Possible windows admin share access.
- includes command prompt commands.
- e.g. x:\target/user:server\admin01
- and process ID "0x4"
- can be mapped to mitre T1077.
Contains Process Name "wmic.exe"
- Indicator of lateral movement with Windows Management Instrumentation.
- Can be mapped to T1047.

Previousevent Summary NextEvent ID: 4776

Last updated 1 year ago

Event ID: 4648

Contains process name "C:\Windows\System32\mstsc.exe"
- indicator for user machine with outbound RDP connections detected.
- can be mapped to Mitre T1076.
- can be traces of lateral movement.
Event Message contains "*/TERMSRV/*"
- Known as RDP outbound connection from end user machine.
- Indicator of possible lateral movement
Process name "C:\Windows\System32\sc.exe"
- shows remote machine services are queried and executed
- indicator of possible lateral movement
- can be mapped to T1021/T1035
Threat actor persistence with new service account with alternate credentials were 4648 at the time of the incident.
- this can include other services running with specific account other than local system or network service.
- This can be mapped to mitre T1050.
Threat actors can use valid accounts to interact with remote machines.
- They can interact remote machines by taking advantage of Distributed Component Object Model (DCOM)
- This is mostly using RPC calls. This can request a service from a program located in another computer on the network.
- check if the event contains "RPCSS/"
- Can be mapped to T1021/T1175
Inbound RDP connections can be used by threat actors.
- process name "Winlogon.exe" and Network address is not empty or equal to loopback address.
- This can be associated with interactive logon activity (logon type equals 10 or 7)
- Can be mapped to T1076.
Possible windows admin share access.
- includes command prompt commands.
- e.g. x:\target/user:server\admin01
- and process ID "0x4"
- can be mapped to mitre T1077.
Contains Process Name "wmic.exe"
- Indicator of lateral movement with Windows Management Instrumentation.
- Can be mapped to T1047.

Previousevent Summary NextEvent ID: 4776

Last updated 1 year ago