I am trying to form a script that will parse information to detect RDP sessions that are Daisy Chained over our network.
src=* dest=* dest_port=3389 | transaction dest startswith=(src)
src=w.x.y.z dest=22.214.171.124 dest_port=3389
src=126.96.36.199 dest=a.b.c.d dest_port=3389
The problem is continuing the search to find multiple jumps and listing the multiple IPs.
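One way to follow more than one jump in a script, shown as an added example that is not part of the original post: it links each RDP event's dest to a later event's src and lists every IP on the path. The `time=` field, the sample events, the one-hour window and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (documentation-range IPs); time= is an assumed epoch field.
SAMPLE = """\
time=100 src=192.0.2.10 dest=192.0.2.20 dest_port=3389
time=160 src=192.0.2.20 dest=192.0.2.30 dest_port=3389
time=220 src=192.0.2.30 dest=192.0.2.40 dest_port=3389
time=300 src=198.51.100.5 dest=198.51.100.6 dest_port=3389
time=310 src=192.0.2.10 dest=192.0.2.99 dest_port=443
time=50 src=192.0.2.30 dest=192.0.2.50 dest_port=3389
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(text):
    """Return (time, src, dest) tuples for RDP events, sorted by time."""
    events = []
    for line in text.splitlines():
        f = dict(KV.findall(line))
        if f.get("dest_port") == "3389" and {"time", "src", "dest"} <= f.keys():
            events.append((int(f["time"]), f["src"], f["dest"]))
    return sorted(events)

def find_chains(events, window=3600, min_hops=2):
    """Follow dest -> src links forward in time; return maximal IP paths."""
    by_src = defaultdict(list)
    for t, s, d in events:
        by_src[s].append((t, d))
    chains = []

    def extend(path, t_last):
        # Next hop must start from the current endpoint, after the inbound
        # session began, inside the window, and must not loop back.
        nxt = [(t, d) for t, d in by_src[path[-1]]
               if t_last <= t <= t_last + window and d not in path]
        if not nxt and len(path) - 1 >= min_hops:
            chains.append(path)
        for t, d in nxt:
            extend(path + [d], t)

    for t, s, d in events:
        extend([s, d], t)
    # Drop chains that are only the tail of a longer chain.
    return [c for c in chains
            if not any(o != c and o[-len(c):] == c for o in chains)]
```

On the constructed sample this reports the single path 192.0.2.10 → 192.0.2.20 → 192.0.2.30 → 192.0.2.40; the `time=50` session out of 192.0.2.30 is not joined because it started before the inbound hop.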