{"id":24193,"date":"2024-03-20T11:21:07","date_gmt":"2024-03-20T19:21:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/03\/20\/news-17923\/"},"modified":"2024-03-20T11:21:07","modified_gmt":"2024-03-20T19:21:07","slug":"news-17923","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/03\/20\/news-17923\/","title":{"rendered":"Remote Desktop Protocol: Executing the External RDP Query"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Wed, 20 Mar 2024 16:09:06 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\" width=\"100%\" height=\"420\">\n<p><span data-contrast=\"auto\">The function of the RDP Logins from External IPs.sql query is fairly self-explanatory, based on the name. In this post, we\u2019ll use it to look for successful RDP connections that have taken place from external IP addresses \u2013 that is, anything that&#8217;s non-RFC 1918. For the sake of this demonstration, we\u2019ll do the work of building and executing the query itself through our own Sophos Central service, but the basics hold true no matter the investigation tool. 
As an alternative, the \u201cExecuting the External RDP Query\u201d video linked below shows the relevant steps, rather than describing them as we do here.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"100%\" height=\"420\" src=\"https:\/\/www.youtube.com\/embed\/hGKvzkb47JA?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-US&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\" frameborder=\"0\"><\/iframe><\/span><\/p>\n<p><b><span data-contrast=\"auto\">Building and executing the query<\/span><\/b><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The first step is to create the query, which in Sophos Central you\u2019ll do in<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Threat Analysis Center &gt; Live Discover &gt; Designer Mode<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">by clicking the Create new query button, as shown in Figure 1.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-01.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954243\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-01.png\" alt=\"A screen capture showing the Live Discover screen as the user creates a new query\" width=\"640\" height=\"295\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-01.png 1651w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-01.png?resize=300,138 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-01.png?resize=768,354 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-01.png?resize=1024,471 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-01.png?resize=1536,707 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><i><span data-contrast=\"auto\">Figure 1: Navigating to the query-creation button<\/span><\/i><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Clicking the button leads to a screen with a SQL box, into which you\u2019ll paste the following query (also available <\/span><a href=\"https:\/\/github.com\/SophosRapidResponse\/OSQuery\/tree\/main\/Artefacts\/Logins\"><span data-contrast=\"none\">on our GitHub<\/span><\/a><span data-contrast=\"auto\">):<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<pre>SELECT\n    strftime('%Y-%m-%dT%H:%M:%SZ',datetime) AS date_time,\n    eventid,\n    CASE eventid\n        WHEN 21 THEN eventid || ' - Session logon succeeded'\n        WHEN 22 THEN eventid || ' - Shell start notification received'\n        WHEN 25 THEN eventid || ' - Session reconnection successful'\n        ELSE NULL\n    END AS description,\n    JSON_EXTRACT(data, '$.UserData.User') AS username,\n    -- User is recorded as DOMAIN\\user; keep the part before the backslash\n    SUBSTR(JSON_EXTRACT(data, '$.UserData.User'), 1, INSTR(JSON_EXTRACT(data, '$.UserData.User'), '\\') - 1) AS domain,\n    JSON_EXTRACT(data, '$.UserData.Address') AS source_IP,\n    JSON_EXTRACT(data, '$.UserData.SessionID') AS session_ID,\n    CASE\n        WHEN JSON_EXTRACT(data, '$.UserData.Address') GLOB '*[a-zA-Z]*' THEN 'private_IP'\n        WHEN INSTR(JSON_EXTRACT(data, '$.UserData.Address'), '192.168.') = 1 THEN 'private_IP'\n        WHEN INSTR(JSON_EXTRACT(data, '$.UserData.Address'), '172.') = 1 AND CAST(SUBSTR(JSON_EXTRACT(data, '$.UserData.Address'), 5, 2) AS INTEGER) BETWEEN 16 AND 31 THEN 'private_IP'\n        WHEN INSTR(JSON_EXTRACT(data, '$.UserData.Address'), '10.') = 1 THEN 'private_IP'\n        WHEN INSTR(JSON_EXTRACT(data, '$.UserData.Address'), '127.') = 1 THEN 'private_IP'\n        WHEN JSON_EXTRACT(data, '$.UserData.Address') = '0.0.0.0' THEN 'private_IP'\n        WHEN JSON_EXTRACT(data, '$.UserData.Address') LIKE '%::%' THEN 'unknown'\n        WHEN JSON_EXTRACT(data, '$.UserData.Address') = '' THEN 'private_IP'\n        ELSE 'external_IP'\n    END AS status,\n    'TS LocalSession EVTX' AS data_source,\n    'Logins.01.4' AS query\nFROM sophos_windows_events\nWHERE source = 'Microsoft-Windows-TerminalServices-LocalSessionManager\/Operational'\n    AND eventid IN (21,22,25)\n    AND (status = 'external_IP' OR status = 'unknown')\n\nUNION ALL\n\nSELECT\n    strftime('%Y-%m-%dT%H:%M:%SZ',datetime) AS date_time,\n    eventid,\n    CASE eventid\n        WHEN 1149 THEN eventid || ' - User authentication succeeded'\n        ELSE NULL\n    END AS description,\n    JSON_EXTRACT(data, '$.UserData.Param1') AS username,\n    JSON_EXTRACT(data, '$.UserData.Param2') AS domain,\n    JSON_EXTRACT(data, '$.UserData.Param3') AS source_IP,\n    NULL AS Session_ID,\n    CASE\n        WHEN INSTR(JSON_EXTRACT(data, '$.UserData.Param3'), '192.168.') = 1 THEN 'private_IP'\n        WHEN INSTR(JSON_EXTRACT(data, '$.UserData.Param3'), '172.') = 1 AND CAST(SUBSTR(JSON_EXTRACT(data, '$.UserData.Param3'), 5, 2) AS INTEGER) BETWEEN 16 AND 31 THEN 'private_IP'\n        WHEN INSTR(JSON_EXTRACT(data, '$.UserData.Param3'), '10.') = 1 THEN 'private_IP'\n        WHEN INSTR(JSON_EXTRACT(data, '$.UserData.Param3'), '127.') = 1 THEN 'private_IP'\n        WHEN JSON_EXTRACT(data, '$.UserData.Param3') = '0.0.0.0' THEN 'private_IP'\n        WHEN JSON_EXTRACT(data, '$.UserData.Param3') LIKE '%::%' THEN 'unknown'\n        WHEN JSON_EXTRACT(data, '$.UserData.Param3') = '' THEN 'private_IP'\n        ELSE 'external_IP'\n    END AS status,\n    'TS RemoteConnection EVTX' AS data_source,\n    'Logins.01.4' AS query\nFROM sophos_windows_events\nWHERE source = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager\/Operational'\n    AND eventid = 1149\n    AND (status = 'external_IP' OR status = 'unknown')<\/pre>\n<p><span data-contrast=\"auto\">Once that\u2019s pasted in, you\u2019ll select the machines against which this query should run.
The query is Windows-specific; running it against macOS or Linux machines will return no results, so deselecting those (under the Filters &#8211;&gt; Operating system option) is a good first step. Beyond that, the needs of each enterprise are unique. However, there\u2019s a strong case to be made to run the query against every Windows machine on your network \u2013 even the endpoints, just in case one\u2019s incorrectly exposed to the internet. (Alas, our Incident Response investigators find this far more often than one would expect.)\u00a0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Click Update Selected Devices to confirm your selections, and select Run Query at bottom right to execute. (The system will ask you to confirm that you wish to run this untested query; you do.) 
The query begins to execute; the speed at which results are returned depends on how many devices are queried and on their network connections. When it\u2019s finished, the Status column will alert you to query completion (or, if something\u2019s gone wrong, to query failure). Scroll up; there\u2019s a section called Query results that shows the results. If nothing\u2019s there \u2013 congratulations! No RDP logins from external IP addresses were found. If, however, there are results shown\u2026<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Understanding the results<\/span><\/b><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">If your query returns results, the first field to take note of in those results is the endpoint name. In the example shown below (taken from the testbed we set up to make our video), two machines reported back that they have external RDP connections.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-02.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-954242\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-02.png\" alt=\"A screen capture from a Live Discover session showing the detection of two infected machines\" width=\"640\" height=\"219\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-02.png 1651w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-02.png?resize=300,103 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-02.png?resize=768,263 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-02.png?resize=1024,350 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/RDP-5-figure-02.png?resize=1536,526 1536w\" sizes=\"auto, 
(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><i><span data-contrast=\"auto\">Figure 2: Our testbed had two machines, and both of those machines have been touched by an external RDP angel<\/span><\/i><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Expanding the results shows the date and time at which the connection occurred, the event ID returned by the query (with a brief description of what that event ID means), the username of the account that logged in, and the source IP address from which they connected. The non-RFC 1918 addresses prove that these connections did not come from the network\u2019s private address space.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">It&#8217;s worth noting that, as with any query of this type, more investigation is necessary in order to rule out false positives. However, a \u201cfalse\u201d positive \u2013 a peculiar external connection that really was just an administrator opening RDP on a server temporarily \u2013 is still worth understanding. As we noted earlier in this series of articles, attackers are breathtakingly quick to hop onto an open RDP connection. If the administrator was able to connect, the odds are excellent that an attacker had time to find the open port as well. 
An abundance of caution would suggest isolating the device and examining it further for potential compromise.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:360}\">\u00a0<\/span><\/p>\n<p><strong>Remote Desktop Protocol: The Series<\/strong><\/p>\n<p>Part 1: Remote Desktop Protocol: Introduction (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-the-series\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/dmzfBSs02lA\">video<\/a>)<br \/> Part 2: Remote Desktop Protocol: Exposed RDP (is dangerous) (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-exposed-rdp-is-dangerous\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/XyWnKaLwmkQ\">video<\/a>)<br \/> Part 3: RDP: Queries for Investigation (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-queries-for-investigation\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/-Vo_Gok59WE\">video<\/a>)<br \/> Part 4: RDP Time Zone Bias (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-how-to-use-time-zone-bias\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/gaq46NUkOyA\">video<\/a>)<br \/> Part 5: Executing the External RDP Query ([you are here], <a href=\"https:\/\/youtu.be\/hGKvzkb47JA\">video<\/a>)<br \/> Part 6: Executing the 4624_4625 Login Query (<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-executing-the-4624_4625-login-query\/\">post<\/a>, <a href=\"https:\/\/youtu.be\/YpvAnSEk8HU\">video<\/a>)<br \/> GitHub query repository: <a href=\"https:\/\/github.com\/SophosRapidResponse\/OSQuery\/tree\/main\/Artefacts\/Logins\">SophosRapidResponse\/OSQuery<br \/> <\/a>Transcript repository: <a href=\"https:\/\/github.com\/sophoslabs\/video-transcripts\">sophoslabs\/video-transcripts<br \/> <\/a>YouTube playlist: <a href=\"https:\/\/www.youtube.com\/playlist?list=PLW9m2f_dtUOVVita1zUhzv4T-VSzxUAUZ\">Remote Desktop Protocol: The Series<\/a><\/p>\n<\/p><\/div>\n<p><a 
href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/20\/remote-desktop-protocol-executing-the-external-rdp-query\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/rdp-hero-05.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Wed, 20 Mar 2024 16:09:06 +0000<\/strong><\/p>\n<p>On the hunt for successful RDP connections that have entered your network from outside? A step-by-step guide (and a query to get you started)<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[12657,27362,25038,17688,18324,24552,27030],"class_list":["post-24193","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-incident-response","tag-incident-response-tools","tag-mdr","tag-query","tag-rdp","tag-security-operations","tag-sophos-x-ops"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24193","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24193"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24193\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"htt
p:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24193"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}