Event ID: 4648

  • Contains process name "C:\Windows\System32\mstsc.exe"

    • Indicator of a user machine with outbound RDP connections.

    • Can be mapped to MITRE ATT&CK T1076.

    • Can be a trace of lateral movement.

  • Event Message contains "*/TERMSRV/*"

    • Known as an RDP outbound connection from an end-user machine.

    • Indicator of possible lateral movement.

  • Process name "C:\Windows\System32\sc.exe"

    • Shows that services on a remote machine are being queried or started.

    • Indicator of possible lateral movement.

    • Can be mapped to MITRE ATT&CK T1021/T1035.

  • Threat actor persistence through a new service running under alternate credentials was recorded as 4648 at the time of the incident.

    • This can also include other services running under a specific account other than Local System or Network Service.

    • Can be mapped to MITRE ATT&CK T1050.

  • Threat actors can use valid accounts to interact with remote machines.

    • They can interact with remote machines by taking advantage of the Distributed Component Object Model (DCOM).

    • This mostly uses RPC calls, which let a program request a service from a program located on another computer on the network.

    • Check whether the event contains "RPCSS/".

    • Can be mapped to MITRE ATT&CK T1021/T1175.

  • Inbound RDP connections can be used by threat actors.

    • Process name "Winlogon.exe" and the network address is neither empty nor the loopback address.

    • This can be associated with interactive logon activity (logon type 10 or 7).

    • Can be mapped to MITRE ATT&CK T1076.

  • Possible windows admin share access.

    • Includes command prompt commands,

    • e.g. x:\target/user:server\admin01

    • and process ID "0x4" (PID 4 is the System process).

    • Can be mapped to MITRE ATT&CK T1077.

  • Contains Process Name "wmic.exe"

    • Indicator of lateral movement with Windows Management Instrumentation (WMI).

    • Can be mapped to MITRE ATT&CK T1047.
