Added new events and observations to remote_desktop_logon

[Cyb3rSn0rlax]

Added some new events and observations to remote_desktop_logon :

• Logon type 12 (RemoteInteractive Logon Using Cached Credentials): If a domain controller is unavailable and the domain user account’s credentials cannot be validated, RemoteInteractive logon will attempt to authenticate the user using cached credentials on the destination host.
• Logon type 7 (RemoteInteractive Logon : Workstation was Unlocked): To delineate this from non-RDP Type 7 logons in which a person was sitting at the machine and just unlocked the machine, you can look for remote non-local IP’s in the IpAddress field.
• EID 21 and 22 provided by Microsoft-Windows-TerminalServices-LocalSessionManager/Operational give more information about the User, the Session ID and the Source Network Address.

And some observation : | WinEvent | 4624 | LogonType | 12 | hilo21 | | WinEvent | 4624 | LogonType | 7 | hilo21 | | WinEvent | 21, 22 | Source Network Address | is NOT 'LOCAL' | hilo21 | | WinEvent | 4656 | Object Name | C:\Windows\Prefetch\RDPCLIP.EXE-[RANDOM].pf | hilo21 |

[Cyb3rWard0g]

Hello @H1L021 ! It has been a while, but better late than never ;) . I will create an issue to create a similar analytic but in the current format of the project. I appreciate your hard work and contribution 🙏🏾