Execution via TSClient Mountpoint

Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/11/11"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may
indicate a lateral movement attempt.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "winlogbeat-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Execution via TSClient Mountpoint"
references = [
    "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
    "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
]
risk_score = 73
rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Execution via TSClient Mountpoint

The TSClient mountpoint is a feature of the Remote Desktop Protocol (RDP) that allows users to access local drives from a remote session. Adversaries can exploit this by executing malicious files from the shared mountpoint, facilitating lateral movement within a network. The detection rule identifies such activities by monitoring for process executions originating from the TSClient path, signaling potential unauthorized access attempts.

### Possible investigation steps

- Review the alert details to confirm the process execution path matches the pattern "\\\\Device\\\\Mup\\\\tsclient\\\\*.exe" and verify the host operating system is Windows.
- Identify the user account associated with the RDP session and check for any unusual or unauthorized access patterns, such as logins from unexpected locations or at odd times.
- Examine the executed process's hash and compare it against known malicious hashes in threat intelligence databases to determine if the file is potentially harmful.
- Investigate the source system from which the RDP session originated to identify any signs of compromise or unauthorized access that could indicate lateral movement.
- Check for any additional suspicious activities on the target host, such as unexpected network connections or file modifications, that may correlate with the execution event.
- Review the security logs from data sources like Microsoft Defender for Endpoint or Sysmon for any related alerts or anomalies that could provide further context on the incident.

### False positive analysis

- Legitimate software updates or installations may trigger the rule if they are executed from a local drive mapped through TSClient. To manage this, create exceptions for known update processes or installation paths that are frequently used in your environment.
- IT administrative tasks performed via RDP sessions can also cause false positives. Identify and exclude specific administrative tools or scripts that are regularly executed from TSClient paths by trusted personnel.
- Automated backup or synchronization software that accesses local drives through RDP might be flagged. Review and whitelist these processes if they are part of routine operations.
- Development or testing activities involving remote execution of scripts or applications from TSClient can be mistaken for threats. Establish a list of approved development tools and paths to exclude from monitoring.
- Regularly review and update the list of exceptions to ensure that only verified and necessary exclusions are maintained, minimizing the risk of overlooking genuine threats.

### Response and remediation

- Immediately isolate the affected host from the network to prevent further lateral movement and potential data exfiltration.
- Terminate any suspicious processes running from the TSClient path to halt any ongoing malicious activity.
- Conduct a thorough scan of the affected host using endpoint detection and response (EDR) tools to identify and remove any malicious files or artifacts.
- Review and analyze RDP logs and session details to identify unauthorized access attempts and determine the source of the intrusion.
- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
- Implement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface for similar threats.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
...
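To make the rule's query and the guide's tuning advice concrete, here is an added Python model of the detection (not Elastic's rule engine or any code from the rule repository). It assumes events arrive as flattened ECS-style dicts, models EQL's `:` operator as a case-insensitive wildcard match, and applies the operator-maintained exception list the false positive section recommends; all sample events are constructed.

```python
import fnmatch

# The rule's own pattern. EQL's `:` operator is case-insensitive and treats `*` as a
# wildcard; that is the behaviour modelled here (assumption for this illustration).
RULE_PATTERN = r"\Device\Mup\tsclient\*.exe"


def eql_like_match(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard comparison standing in for EQL's `:` operator."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def rule_matches(event: dict, exceptions: tuple = ()) -> bool:
    """True when the event satisfies the rule's query and no tuned exception applies."""
    # `process where ...` restricts the query to process events.
    if event.get("event.category") != "process":
        return False
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    exe = event.get("process.executable", "")
    if not eql_like_match(exe, RULE_PATTERN):
        return False
    # Exceptions are exact full paths (compared case-insensitively), never wildcards,
    # so a tuned-out installer cannot silently cover a whole mapped drive.
    return exe.lower() not in {e.lower() for e in exceptions}


# Constructed sample events (not real telemetry) covering the rule's decision points.
SAMPLE_EVENTS = [
    {"event.category": "process", "event.type": "start", "host.os.type": "windows",
     "process.executable": r"\Device\Mup\tsclient\C\Users\bob\Downloads\tool.exe"},
    {"event.category": "process", "event.type": "start", "host.os.type": "windows",
     "process.executable": r"\DEVICE\MUP\TSCLIENT\D\Setup\patch.EXE"},  # mixed case
    {"event.category": "process", "event.type": "start", "host.os.type": "windows",
     "process.executable": r"\Device\Mup\tsclient\C\run.dll"},  # not an .exe
    {"event.category": "process", "event.type": "end", "host.os.type": "windows",
     "process.executable": r"\Device\Mup\tsclient\C\tool.exe"},  # not a start event
    {"event.category": "process", "event.type": "start", "host.os.type": "linux",
     "process.executable": r"\Device\Mup\tsclient\C\tool.exe"},  # wrong OS
    {"event.category": "process", "event.type": "start", "host.os.type": "windows",
     "process.executable": r"C:\Windows\System32\notepad.exe"},  # local disk, not tsclient
]


def alerts(events, exceptions=()):
    """Return the executable paths that would raise an alert."""
    return [e["process.executable"] for e in events if rule_matches(e, exceptions)]


if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```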

