Unusual Time or Day for an RDP Session Detected by Machine Learning
A machine learning job detected an RDP session initiated at an unusual time or day, potentially indicating lateral movement activity within a network.
This alert originates from a machine learning job designed to detect anomalous RDP session start times. RDP is a common vector for lateral movement, and attackers may initiate sessions during off-peak hours to evade detection. The machine learning model flags sessions started outside of normal business hours or on unusual weekdays. While not inherently malicious, this activity warrants investigation because it can be an early indicator of a broader attack. The rule is part of the Lateral Movement Detection (LMD) integration from Elastic; it requires a minimum stack version of 9.4.0 and uses Entity Analytics (EA) fields. The Lateral Movement Detection integration identifies lateral movement activity by detecting abnormalities in file and Windows RDP events using Elastic's Anomaly Detection feature.
Attack Chain
- An attacker gains initial access to a system, possibly through compromised credentials or a software vulnerability (not described in source).
- The attacker leverages RDP to attempt lateral movement to other systems within the network.
- The RDP session is initiated at an unusual time or day, deviating from typical user behavior.
- The machine learning job detects this anomaly based on the unusual RDP session start time.
- An alert is triggered, flagging the potentially suspicious activity.
- The attacker may attempt to access sensitive data or resources on the target system.
- The attacker could install malware or establish persistence mechanisms (not described in source).
Impact
A successful lateral movement attack can allow an attacker to gain access to sensitive data, compromise critical systems, and ultimately disrupt business operations. An unusual RDP session is an early warning sign, so these alerts should be investigated promptly to prevent further escalation. If the suspicious RDP session is part of a broader attack, the impact could range from data theft to ransomware deployment; a lack of immediate action could lead to significant financial and reputational damage.
Recommendation
- Enable host IP collection within Elastic Defend if using versions 8.18 and above, following the configuration steps in the helper guide.
- Ensure the Lateral Movement Detection integration assets are installed, as well as file and Windows RDP process events collected by the Elastic Defend integration, as mentioned in the setup instructions.
- Investigate all alerts generated by the “Unusual Time or Day for an RDP Session” rule, correlating the RDP session with other security events.
- Tune the anomaly threshold (currently 70) to reduce false positives while maintaining effective detection capabilities.
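To make the detection idea and the threshold recommendation concrete, here is an added example written for this page; it is not Elastic's anomaly detection job and does not reproduce its model. It builds a per-user baseline of RDP session start hours and weekdays from constructed sample records, scores each new session from 0 to 100 by how rare its hour of day and day of week are for that user, and applies the threshold of 70 named above. The scoring function, the `RdpTimeBaseline` class, and all session records are assumptions made up for the illustration; an unseen user is reported as "no-baseline" rather than scored, since a model without history for that account cannot say what is unusual.

```python
"""Added example (not Elastic's LMD job): a toy per-user baseline of RDP
session start times that scores new sessions by how unusual their hour of
day and day of week are, then applies the page's anomaly threshold of 70.
All session records below are constructed sample data."""
from collections import Counter, defaultdict
from datetime import datetime

THRESHOLD = 70  # anomaly threshold named in the recommendations


def build_constructed_history():
    """Constructed history: 'alice' starts sessions Mon-Fri at a few business
    hours for two weeks (2024-01-01 is a Monday), plus one late Friday session."""
    sessions = []
    for day in range(14):
        if day % 7 >= 5:          # skip Saturday and Sunday
            continue
        for hour in (8, 9, 10, 13, 15, 17):
            sessions.append(("alice", f"2024-01-{day + 1:02d}T{hour:02d}:00:00"))
    sessions.append(("alice", "2024-01-05T19:00:00"))  # rare but legitimate
    return sessions


def _tail_score(counts, key):
    """0..100 rarity score: share of the user's history that sits in buckets
    more common than this one. Unseen bucket -> 100, most common bucket -> 0."""
    total = sum(counts.values())
    observed = counts.get(key, 0)
    mass_at_or_below = sum(v for v in counts.values() if v <= observed) / total
    return 100.0 * (1.0 - mass_at_or_below)


class RdpTimeBaseline:
    """Per-user counts of session start hour and weekday (assumed structure)."""

    def __init__(self):
        self.hours = defaultdict(Counter)
        self.days = defaultdict(Counter)

    def fit(self, sessions):
        for user, ts in sessions:
            t = datetime.fromisoformat(ts)
            self.hours[user][t.hour] += 1
            self.days[user][t.weekday()] += 1
        return self

    def score(self, user, ts):
        """Max of the hour-of-day and day-of-week rarity; None if the user has
        no history, which a real job should treat as a separate 'new user' case."""
        if user not in self.hours:
            return None
        t = datetime.fromisoformat(ts)
        return max(_tail_score(self.hours[user], t.hour),
                   _tail_score(self.days[user], t.weekday()))


def evaluate(baseline, sessions, threshold=THRESHOLD):
    """Return (user, timestamp, score, verdict) for each candidate session."""
    results = []
    for user, ts in sessions:
        score = baseline.score(user, ts)
        if score is None:
            verdict = "no-baseline"
        elif score >= threshold:
            verdict = "alert"
        else:
            verdict = "ok"
        results.append((user, ts, score, verdict))
    return results


# Constructed candidate sessions to score against the baseline.
CANDIDATE_SESSIONS = [
    ("alice", "2024-01-16T09:30:00"),  # Tuesday, business hours
    ("alice", "2024-01-21T03:15:00"),  # Sunday, 03:15
    ("alice", "2024-01-17T22:00:00"),  # Wednesday, late evening
    ("alice", "2024-01-19T19:00:00"),  # Friday 19:00, seen once before
    ("bob", "2024-01-17T10:00:00"),    # user with no history
]

if __name__ == "__main__":
    baseline = RdpTimeBaseline().fit(build_constructed_history())
    for user, ts, score, verdict in evaluate(baseline, CANDIDATE_SESSIONS):
        shown = "n/a" if score is None else f"{score:5.1f}"
        print(f"{user:6} {ts}  score={shown}  {verdict}")
```

Running `evaluate` with the default threshold flags the Sunday, late-evening, and once-seen Friday 19:00 sessions; raising the threshold to 99 keeps the two never-seen cases as alerts but lets the rare-but-previously-observed Friday session through, which is the trade-off the tuning recommendation describes.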
Detection coverage (2 related rules)
Detect RDP Connection from Uncommon Process
Severity: medium. Detects RDP connections initiated by processes that are not typically associated with RDP.
Detect Network Connection to RDP Port by Uncommon Process
Severity: medium. Detects network connections to the RDP port (3389) initiated by processes not typically associated with RDP. This may indicate lateral movement or exploitation of RDP services.