Remote Desktop File Opened from Suspicious Path
Identifies attempts to open a remote desktop file from suspicious paths. Adversaries may abuse RDP files for initial access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/11/05"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/11/05"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies attempts to open a remote desktop file from suspicious paths. Adversaries may abuse RDP files for initial access.
13"""
14from = "now-9m"
15index = [
16 "winlogbeat-*",
17 "logs-endpoint.events.process-*",
18 "logs-windows.forwarded*",
19 "logs-windows.sysmon_operational-*",
20 "endgame-*",
21 "logs-system.security*",
22 "logs-m365_defender.event-*",
23 "logs-sentinel_one_cloud_funnel.*",
24]
25language = "eql"
26license = "Elastic License v2"
27name = "Remote Desktop File Opened from Suspicious Path"
28references = [
29 "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/",
30 "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
31 "https://shorsec.io/blog/malrdp-implementing-rouge-rdp-manually/",
32]
33risk_score = 47
34rule_id = "f401a0e3-5eeb-4591-969a-f435488e7d12"
35severity = "medium"
36tags = [
37 "Domain: Endpoint",
38 "OS: Windows",
39 "Use Case: Threat Detection",
40 "Tactic: Initial Access",
41 "Tactic: Command and Control",
42 "Data Source: Elastic Endgame",
43 "Data Source: Elastic Defend",
44 "Data Source: System",
45 "Data Source: Microsoft Defender for Endpoint",
46 "Data Source: Sysmon",
47 "Data Source: SentinelOne",
48]
49timestamp_override = "event.ingested"
50type = "eql"
51
52query = '''
53process where host.os.type == "windows" and event.type == "start" and
54 process.name : "mstsc.exe" and
55 process.args : ("?:\\Users\\*\\Downloads\\*.rdp",
56 "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.rdp",
57 "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.rdp",
58 "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*\\*.rdp",
59 "?:\\Users\\*\\AppData\\Local\\Temp\\BNZ.*.rdp",
60 "C:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\*.rdp")
61'''
62
63
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66[[rule.threat.technique]]
67id = "T1566"
68name = "Phishing"
69reference = "https://attack.mitre.org/techniques/T1566/"
70[[rule.threat.technique.subtechnique]]
71id = "T1566.001"
72name = "Spearphishing Attachment"
73reference = "https://attack.mitre.org/techniques/T1566/001/"
74
75
76
77[rule.threat.tactic]
78id = "TA0001"
79name = "Initial Access"
80reference = "https://attack.mitre.org/tactics/TA0001/"
References
-
Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. This activity is ongoing, and Microsoft will continue to investigate and provide updates as available. Based on our investigation of previous Midnight […]
Read More -
Mike Felch // The Hunt for Initial Access With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red […]
Read More -
Preface Let me start by saying that all credits for this idea and technique goes to Mike Felch @ustayready of Dark Optics. I came across his article back in March 22 and immediately was blown away ...
Read More
Related rules
- Suspicious Execution from INET Cache
- Mounting Hidden or WebDav Remote Shares
- ScreenConnect Server Spawning Suspicious Processes
- Potential File Transfer via Certreq
- Remote File Download via Desktopimgdownldr Utility