Detecting cyber threats has been an on-going research endeavor. In this era, Advanced Persistent Threats (APTs) can incur significant costs for organizations and businesses. The ultimate goal of cybersecurity is to thwart attackers from achieving their malicious intent, whether it is credential stealing, infrastructure takeover, or program sabotage. Every cyber attack goes through several stages before its termination. Lateral Movement (LM) is one of those stages that is of particular importance. Remote Desktop Protocol (RDP) is a method used in LM to successfully authenticate to an unauthorized host that leaves footprints on both host and network logs. In this paper, we propose to detect evidence of LM using Machine Learning (ML) and Windows RDP event logs. We explore different feature sets extracted from these logs and evaluate various supervised ML techniques for classifying RDP sessions with high precision and recall. We also compare the performance of our proposed approach to a state-of-the-art approach and demonstrate that our ML model outperforms in classifying RDP sessions in Windows event logs. In addition, we show that our model is robust against certain types of adversarial attacks.

检测网络威胁一直是正在进行的研究工作。在这个时代，高级持久威胁（APT）可能会给组织和企业带来巨大的成本。网络安全的最终目标是阻止攻击者实现其恶意意图，无论是凭据窃取，基础架构接管还是程序破坏。每次网络攻击在终止之前都经历了多个阶段。横向运动（LM）是这些阶段中特别重要的阶段之一。远程桌面协议（RDP）是LM中用于成功验证未经授权的主机的一种方法，该主机在主机日志和网络日志上都留下了足迹。在本文中，我们建议使用机器学习（ML）和Windows RDP事件日志来检测LM的证据。我们探索从这些日志中提取的不同功能集，并评估各种监督的ML技术，以对RDP会话进行高精度分类和调用。我们还将我们提出的方法与最新方法的性能进行了比较，并证明了我们的ML模型在Windows事件日志中对RDP会话进行分类方面表现出优异的表现。此外，我们证明了我们的模型对某些类型的对抗攻击具有鲁棒性。