Checking for a range of ip addresses that have an "Established"

I have been tasked to try and modify an existing analysis I pieced together to show the remote access of an active RDP session on the port that's specified in registry but to only show addresses that are outside of our IP address subnets… This is what I have so far but it's not showing anything… I could use our subnets rather than specifying the two starting octets… So… thus far I have…

unique values of (remote addresses of (sockets of network) whose ((local port of it = Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) and (tcp state of it as string = "ESTABLISHED" and (remote address of sockets of network as string does not contain "128.173" or (remote address of sockets of network as string does not contain "198.82" )))) )

Any thoughts would be much appreciated.

I think I fixed it…

unique values of (remote addresses of (sockets of network) whose ((local port of it = Value "PortNumber" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" of registry) and (tcp state of it as string = "ESTABLISHED") and (remote address of it as string does not start with "128.173" and remote address of it as string does not start with "198.82" )))

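The subnet-based variant mentioned in the first post, as an added example that is not part of the original posts and is written in Python rather than BigFix relevance. It assumes the two prefixes from the post are /16 networks; the port value 3389 and the socket records are constructed sample data.

```python
import ipaddress

# Assumption: the two prefixes quoted in the post are /16 networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("128.173.0.0/16", "198.82.0.0/16")]

# Constructed sample sockets: (local_port, tcp_state, remote_address)
SAMPLE_SOCKETS = [
    (3389, "ESTABLISHED", "128.173.14.7"),         # internal
    (3389, "ESTABLISHED", "198.82.200.15"),        # internal
    (3389, "ESTABLISHED", "203.0.113.45"),         # external
    (3389, "ESTABLISHED", "203.0.113.45"),         # duplicate of the above
    (3389, "TIME_WAIT",   "198.51.100.9"),         # external, not established
    (445,  "ESTABLISHED", "192.0.2.33"),           # external, not the RDP port
    (3389, "ESTABLISHED", "128.17.3.1"),           # external, similar digits
    (3389, "ESTABLISHED", "::ffff:128.173.14.7"),  # internal, IPv4-mapped IPv6
]


def is_internal(remote):
    """True if the remote address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        return False  # unparsable: treat as external so it gets reviewed
    # A string prefix test would treat an IPv4-mapped IPv6 form as external;
    # unwrap it so the comparison is done on the embedded IPv4 address.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in INTERNAL_NETS)


def external_rdp_peers(sockets, rdp_port):
    """Unique remote addresses with an ESTABLISHED session on rdp_port
    that are outside every internal subnet."""
    peers = set()
    for local_port, state, remote in sockets:
        if (local_port == rdp_port and state == "ESTABLISHED"
                and not is_internal(remote)):
            peers.add(remote)
    return sorted(peers)


if __name__ == "__main__":
    # 3389 stands in for the PortNumber registry value (constructed).
    for peer in external_rdp_peers(SAMPLE_SOCKETS, 3389):
        print(peer)
```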