1. The purpose of the article
Techbast will guide you through using the Live Discover feature of Sophos Central to create a query that checks how many Remote Desktop sessions have accessed a server in the last N days.
Network diagram details:
- The internet connection is on port 2 of the Sophos Firewall, with IP 10.150.30.106.
- The LAN is configured on port 1 of the Sophos XG Firewall, with IP 172.16.16.16/24, and a DHCP server allocates IPs to connected devices.
- In the LAN there is the WIN-V3N9Q4OC2GG server, with IP 172.16.16.19/24 and Sophos Endpoint installed.
We will create a query and run it on the WIN-V3N9Q4OC2GG server to check the number of Remote Desktop sessions in the last N days.
4. What to do
- Create the query.
5. Configuration guide
To create a query, go to Threat Analysis Center > Live Discover.
First, turn on Designer Mode.
Then click Create new query to create a new query.
The query creation form appears; enter the following information:
- Query Name: name this query List of RDP Sessions in last N Days.
- Category: select Device.
- Source: select Live Endpoint and then Windows (note: with this option the computer or server must have an internet connection to be queried).
- In the SQL box, enter the code below.
-- Days ago: age of the event in whole days; Name, Source_Machine_Network and Source_IP
-- are read from the UserData fields of event 1149 in the RemoteConnectionManager log.
SELECT (strftime('%s','now')-time)/(3600*24) AS 'Days ago', eventid, 'TS Remote' AS Source,
JSON_EXTRACT(data, '$.UserData.Param1') AS Name,
JSON_EXTRACT(data, '$.UserData.Param2') AS Source_Machine_Network,
JSON_EXTRACT(data, '$.UserData.Param3') AS Source_IP
FROM sophos_windows_events -- Live Discover Windows event-log table (the original listing omitted SELECT and FROM; table name assumed)
WHERE source = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' AND
eventid = 1149 AND
time > strftime('%s', 'now', '-$$Days to look back from now$$ days');
- In the Variable editor, click Add variable to add the Days to look back from now parameter used by the query, as shown below.
- In Enter value to use when query run, enter the number of days; for example, enter 10 to see how many Remote Desktop sessions have accessed this server in the 10 days before the time you run the query.
- In the Device selector, select the WIN-V3N9Q4OC2GG server with Sophos Endpoint installed and click Query.
After a few seconds, the query results display the list of RDP sessions.
With the Live Discover feature and this query, you can check how many Remote Desktop sessions there were in a specified period of time.
From there, it helps identify the risk of attackers silently taking over the server.
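To see what the query actually returns before running it through Live Discover, the following added example (not Techbast's or Sophos's code) runs the page's SQL in an in-memory SQLite database over constructed event rows, substituting the $$Days to look back from now$$ variable the same way. The table name sophos_windows_events and its four columns are assumptions standing in for the Live Discover event-log table.

```python
import json
import sqlite3
import time

# Constructed sample rows, not real log data. Only the four columns the query
# touches are modelled; the table name is an assumption (sophos_windows_events).
CHANNEL = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
NOW = int(time.time())

def event(days_ago, user, domain, ip, eventid=1149, source=CHANNEL):
    data = {"UserData": {"Param1": user, "Param2": domain, "Param3": ip}}
    return (NOW - days_ago * 86400, source, eventid, json.dumps(data))

SAMPLE_EVENTS = [
    event(2, "alice", "CORP", "172.16.16.25"),                    # recent RDP connection
    event(15, "bob", "CORP", "172.16.16.30"),                     # older than 10 days
    event(3, "carol", "CORP", "172.16.16.40", eventid=1148),      # different event id
    event(1, "dave", "CORP", "172.16.16.50", source="Security"),  # different log channel
]

# The page's query, with the SELECT keyword and FROM clause it needs to run.
QUERY = """
SELECT (strftime('%s','now')-time)/(3600*24) AS "Days ago", eventid, 'TS Remote' AS Source,
       JSON_EXTRACT(data, '$.UserData.Param1') AS Name,
       JSON_EXTRACT(data, '$.UserData.Param2') AS Source_Machine_Network,
       JSON_EXTRACT(data, '$.UserData.Param3') AS Source_IP
FROM sophos_windows_events
WHERE source = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' AND
eventid = 1149 AND
time > strftime('%s', 'now', '-$$Days to look back from now$$ days');
"""

def rdp_sessions(conn, days):
    """Substitute the Live Discover variable textually, as Live Discover does, and run the query."""
    days = int(days)  # the value is typed in at run time; accept only a whole number of days
    cur = conn.execute(QUERY.replace("$$Days to look back from now$$", str(days)))
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]

def query_sample(days):
    """Load the constructed events into an in-memory SQLite database and run the query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sophos_windows_events (time INTEGER, source TEXT, eventid INTEGER, data TEXT)")
    conn.executemany("INSERT INTO sophos_windows_events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    return rdp_sessions(conn, days)

if __name__ == "__main__":
    for row in query_sample(10):
        print(row)
```

Only alice's connection matches a 10-day window; bob's appears when the window is widened to 30 days, while the 1148 event and the Security-channel event never match.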