Archive

RDP Session Daisy Chain

New Member

Hello,

I am trying to form a script that will parse information to detect RDP sessions that are Daisy Chained over our network.

Example:

src=* dest=* dest_port=3389 | transaction dest startswith=(src)

src=w.x.y.z. dest=1.2.3.4 destport-3389
scr=1.2.3.4 dest=a.b.c.d dest
port=3389

The problem is continuing the search to find multiple jumps and listing the multiple IPS.

0 Karma

Champion

You need duration or end time in addition to start time to consider doing this.

It's also going to be difficult to do this in a "normal" Splunk search. I did something somewhat similar with mail logs. Specifically I had to write a custom search command that followed tree-like data, which is what your use case really needs.

0 Karma