Remote Desktop File Opened from Suspicious Path

Identifies attempts to open a remote desktop file from suspicious paths. Adversaries may abuse RDP files for initial access.

Elastic rule

```toml
[metadata]
creation_date = "2024/11/05"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to open a remote desktop file from suspicious paths. Adversaries may abuse RDP files for initial
access.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Remote Desktop File Opened from Suspicious Path"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Remote Desktop File Opened from Suspicious Path

Remote Desktop Protocol (RDP) allows users to connect to and control a computer remotely, facilitating remote work and administration. However, adversaries can exploit RDP files, which store connection settings, to gain unauthorized access. They may distribute malicious RDP files via phishing, placing them in suspicious directories. The detection rule identifies when RDP files are opened from unusual paths, signaling potential misuse and enabling analysts to investigate further.

### Possible investigation steps

- Review the process execution details to confirm the presence of "mstsc.exe" and verify the suspicious path from which the RDP file was opened, as specified in the query.
- Check the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears anomalous.
- Investigate the source of the RDP file by examining recent email activity or downloads to identify potential phishing attempts or unauthorized file transfers.
- Analyze the system's event logs for any other unusual activities or processes that occurred around the same time as the RDP file execution.
- Assess the network connections established by the system during the time of the alert to identify any suspicious or unauthorized remote connections.
- Consult threat intelligence sources to determine if the identified path or file name pattern is associated with known malicious campaigns or threat actors.

### False positive analysis

- Users frequently download legitimate RDP files from trusted sources like corporate emails or internal portals. To manage this, create exceptions for known safe domains or email addresses in your security tools.
- Temporary directories often store RDP files during legitimate software installations or updates. Monitor these activities and whitelist specific processes or software that are known to use RDP files during their operations.
- Employees working remotely may use RDP files stored in their Downloads folder for legitimate access to company resources. Implement a policy to educate users on safe RDP file handling and consider excluding the Downloads folder from alerts if it is a common practice.
- Some business applications may generate RDP files in temporary directories as part of their normal operation. Identify these applications and configure your detection systems to exclude their specific file paths or process names.
- Automated scripts or IT management tools might use RDP files for routine administrative tasks. Document these scripts and tools, and adjust your detection rules to ignore their specific activities.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate any active RDP sessions initiated from the suspicious paths identified in the alert to cut off potential attacker access.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious files or software.
- Review and remove any unauthorized RDP files from the suspicious directories listed in the detection query to prevent future misuse.
- Reset credentials for any accounts that were used to open the suspicious RDP files, ensuring that new passwords are strong and unique.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
- Implement enhanced monitoring and logging for RDP activities across the network to detect and respond to similar threats more effectively in the future."""
references = [
    "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/",
    "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
    "https://shorsec.io/blog/malrdp-implementing-rouge-rdp-manually/",
]
risk_score = 47
rule_id = "f401a0e3-5eeb-4591-969a-f435488e7d12"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Command and Control",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : "mstsc.exe" and
 process.args : ("?:\\Users\\*\\Downloads\\*.rdp",
                 "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.rdp",
                 "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.rdp",
                 "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*\\*.rdp",
                 "?:\\Users\\*\\AppData\\Local\\Temp\\BNZ.*.rdp",
                 "C:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\*.rdp")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
...
```
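To make concrete what the EQL query above matches, the following added Python example (not Elastic's code) re-implements the rule's `process.args` path conditions over constructed process-start events. The `allowlist` parameter is an assumption of this example, illustrating the path-based exception the false positive section suggests, and is not part of the rule itself.

```python
import re

# Path patterns copied from the rule's EQL query (process.args). In EQL, the `:`
# operator is case-insensitive and `?` / `*` are single- and multi-character wildcards.
RULE_PATTERNS = [
    r"?:\Users\*\Downloads\*.rdp",
    r"?:\Users\*\AppData\Local\Temp\Temp?_*.rdp",
    r"?:\Users\*\AppData\Local\Temp\7z*.rdp",
    r"?:\Users\*\AppData\Local\Temp\Rar$*\*.rdp",
    r"?:\Users\*\AppData\Local\Temp\BNZ.*.rdp",
    r"C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\*.rdp",
]

def eql_wildcard(pattern):
    """Translate an EQL wildcard string into an anchored, case-insensitive regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

RULE_REGEXES = [eql_wildcard(p) for p in RULE_PATTERNS]

def rule_matches(event, allowlist=()):
    """True when a process-start event satisfies the rule's query. `allowlist` is an
    assumed tuning hook (wildcard paths treated as known-good), not part of the rule."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if event.get("process.name", "").lower() != "mstsc.exe":
        return False
    allowed = [eql_wildcard(p) for p in allowlist]
    for arg in event.get("process.args", []):
        if any(rx.match(arg) for rx in RULE_REGEXES) and not any(rx.match(arg) for rx in allowed):
            return True
    return False

# Constructed sample events using the field names the rule queries (not real telemetry).
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "start", "process.name": "mstsc.exe",
     "process.args": ["mstsc.exe", r"C:\Users\alice\Downloads\invoice.rdp"]},
    {"host.os.type": "windows", "event.type": "start", "process.name": "MSTSC.EXE",
     "process.args": ["mstsc.exe", r"D:\Users\bob\AppData\Local\Temp\Rar$DIa0.123\connect.rdp"]},
    {"host.os.type": "windows", "event.type": "start", "process.name": "mstsc.exe",
     "process.args": ["mstsc.exe", r"C:\Users\carol\Documents\lab-vm.rdp"]},
    {"host.os.type": "windows", "event.type": "start", "process.name": "notepad.exe",
     "process.args": ["notepad.exe", r"C:\Users\dave\Downloads\invoice.rdp"]},
]

def alerts(events, allowlist=()):
    """Return the RDP file paths that would raise this rule's alert."""
    return [e["process.args"][-1] for e in events if rule_matches(e, allowlist)]
```

Only the Downloads and the WinRAR temp-extraction launches alert; the Documents launch and the non-mstsc process do not, and the drive-letter wildcard `?:` is why the `D:` path still matches.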
