Execution via TSClient Mountpoint

Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.

Elastic rule

```toml
[metadata]
creation_date = "2020/11/11"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may
indicate a lateral movement attempt.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Execution via TSClient Mountpoint"
references = [
    "https://specterops.io/blog/2020/01/22/revisiting-remote-desktop-lateral-movement/",
    "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
]
risk_score = 73
rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe"
'''

note = """## Triage and analysis

### Investigating Execution via TSClient Mountpoint

#### Possible investigation steps

- What exact TSClient launch did the alert capture?
  - Focus: `process.executable`, `process.command_line`, `process.pe.original_file_name`, `process.code_signature.subject_name`, `process.code_signature.trusted`.
  - Implication: escalate when the redirected-drive executable is unsigned, untrusted, renamed, script-capable, or launched with command intent outside a recognized RDP support or deployment workflow; lower concern only when a vendor-signed installer or utility from the RDP client drive matches that exact session purpose.
- What launcher and Windows session produced the TSClient process?
  - Focus: `process.parent.name`, `process.parent.command_line`, `process.Ext.session_info.logon_type`, `user.id`.
  - Implication: escalate when the parent is "cmd.exe", "powershell.exe", "taskmgr.exe", or another remote-session launcher, when the session is remote-interactive for an unusual user, or when children show another TSClient-launched payload; lower concern when parent and session match a recognized support launcher or deployment tool.
- Which RDP source created the session, when authentication telemetry is available?
  - Focus: bridge `process.Ext.authentication_id` to same-host authentication events through `winlog.event_data.TargetLogonId`; read `source.ip`, `winlog.logon.type`, `winlog.event_data.AuthenticationPackageName`. $investigate_0
  - Implication: escalate when the recovered source or authentication package conflicts with recognized jump hosts, support workstations, or deployment sources. Missing authentication telemetry is unresolved, not benign.
- Did the TSClient process spawn shells, tools, or persistence helpers on the target?
  - Focus: child starts from `process.entity_id` on `host.id`, especially `process.executable`, `process.command_line`, `process.parent.entity_id`. $investigate_1
  - Hint: if `process.entity_id` is absent, recover descendants with `host.id` + `process.pid` + a tight alert-time window and confirm the parent command line before interpreting results.
  - Implication: escalate when descendants include shells, script hosts, remote-access tools, credential utilities, or persistence helpers; an isolated installer-like launch lowers urgency only if session and identity evidence also align.
- If local evidence remains suspicious or incomplete, do related alerts show the same user or host attempting RDP or remote execution elsewhere?
  - Focus: same-user `user.id` and same-host `host.id` alerts sharing RDP, credential, remote-service, or execution patterns.
  - Hint: user alert pivot. $investigate_2
  - Hint: host alert pivot. $investigate_3
  - Implication: expand scope only when related alerts reuse the same user, host, session pattern, or command family; unrelated alert noise does not change disposition.
- Escalate when suspicious identity, lineage, source, descendants, or related alerts support unauthorized redirected-drive execution; close only when process identity, parent/session, source when available, and descendants all match one recognized RDP support or deployment activity; preserve artifacts and escalate when authentication visibility is missing or evidence remains mixed.

### False positive analysis

- RDP helpdesk, break-fix, or software deployment workflows can legitimately run installers or utilities from a client drive redirected into the target session. Confirm all evidence converges on one exact activity: identity and intent (`process.executable`, `process.command_line`, signature), launch/session (`process.parent.name`, `user.id`, `host.id`, recovered `source.ip` when available), and outcome (no suspicious descendants or related alerts). Contradictory evidence keeps the case open.
- Use recurrence only to support a narrow exception candidate, not to close the current case by itself. Require the same stable executable path or signer, parent/session pattern, `user.id`, `host.id`, recovered source when available, and descendant-clean outcome across prior alerts from this rule; keep the case open when current telemetry is incomplete or contradictory.
- Before creating an exception, anchor it on the minimum confirmed pattern: specific `process.executable`, stable `process.command_line` or signer, `process.parent.name`, `user.id`, `host.id`, and recovered `source.ip` only when it was part of the confirmation. Avoid exceptions on the TSClient path wildcard or `process.name` alone.

### Response and remediation

- Preserve evidence before changing state: case export of the alert, process tree, command line, binary hash or sample when available, child-process events, and authentication-bridge records.
- If confirmed benign after preservation, reverse temporary containment and document the exact process identity, parent/session context, `user.id`, `host.id`, and recovered `source.ip` that established the redirected-drive workflow. Create an exception only after the same narrowly scoped pattern is stable across prior alerts.
- If suspicious but unconfirmed after preservation, use reversible containment only: terminate the active RDP session, restrict new RDP connections from the recovered source when available, disable drive redirection for the affected access path, or heighten monitoring on the affected `host.id`. Do not isolate the host, terminate processes, or suspend accounts unless follow-on execution or related alerts confirm broader abuse.
- If confirmed malicious, isolate the target host when feasible, terminate the TSClient-launched process and malicious descendants after evidence capture, and disable or suspend the account or RDP access path used for the session.
- Scope before cleanup by reviewing other hosts and users tied to the same recovered source, `user.id`, distinctive `process.command_line`, signer, or hash.
- Eradicate only the staged payloads, persistence artifacts, or tooling identified during the investigation, then review whether credentials exposed in the RDP session need reset or reissue.
- Post-incident hardening: limit RDP drive redirection, restrict RDP access to managed jump hosts, retain endpoint process and Windows Security telemetry for session bridging, and document any TSClient execution patterns that should become narrow exceptions."""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.name",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.executable",
    "process.command_line",
    "process.parent.name",
    "process.parent.command_line",
    "process.Ext.session_info.logon_type",
    "process.Ext.authentication_id",
    "process.hash.sha256",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
]

[transform]

[[transform.investigate]]
label = "Authentication events for the linked session"
description = ""
providers = [
  [
    { excluded = false, field = "event.code", queryType = "phrase", value = "4624", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "winlog.event_data.TargetLogonId", queryType = "phrase", value = "{{process.Ext.authentication_id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Child processes spawned by the TSClient launch"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"

[[rule.threat.technique]]
id = "T1570"
name = "Lateral Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1570/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
```
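As an added example that is not part of the Elastic rule or its code, the following Python emulates the rule's EQL match and the first two investigation pivots (`$investigate_0` session bridging through `TargetLogonId`, `$investigate_1` child processes by `process.parent.entity_id`) over constructed ECS-style events; the script-host names in `SCRIPT_HOSTS` are assumed, and all sample values are made up.

```python
from fnmatch import fnmatchcase

TSCLIENT_GLOB = r"\Device\Mup\tsclient\*.exe"            # from the rule's query
LAUNCHERS = {"cmd.exe", "powershell.exe", "taskmgr.exe"}   # launchers named in the rule's note
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}              # assumed script-host names (not from the rule)

def matches_rule(ev):
    """Emulates the EQL: windows process start whose executable matches the tsclient glob.
    EQL ':' is case-insensitive, so both sides are lower-cased before the glob compare."""
    return (ev.get("event.category") == "process" and ev.get("host.os.type") == "windows"
            and ev.get("event.type") == "start"
            and fnmatchcase(ev.get("process.executable", "").lower(), TSCLIENT_GLOB.lower()))

def bridge_authentication(alert, events):
    """$investigate_0: join process.Ext.authentication_id to a same-host 4624 event via
    winlog.event_data.TargetLogonId. None means 'unresolved', which the note treats as not benign."""
    for ev in events:
        if (ev.get("event.code") == "4624" and ev.get("host.id") == alert["host.id"]
                and ev.get("winlog.event_data.TargetLogonId") == alert.get("process.Ext.authentication_id")):
            return {"source.ip": ev.get("source.ip"), "logon.type": ev.get("winlog.logon.type"),
                    "package": ev.get("winlog.event_data.AuthenticationPackageName")}
    return None

def child_processes(alert, events):
    """$investigate_1: process starts on the same host whose parent entity id is the alert's."""
    return [ev for ev in events
            if ev.get("event.category") == "process" and ev.get("event.type") == "start"
            and ev.get("host.id") == alert["host.id"]
            and ev.get("process.parent.entity_id") == alert.get("process.entity_id")]

def triage(alert, events):
    """Turns the note's escalation criteria into a disposition hint plus the reasons found."""
    reasons = []
    if alert.get("process.parent.name", "").lower() in LAUNCHERS:
        reasons.append("parent is a remote-session launcher")
    if not alert.get("process.code_signature.trusted"):
        reasons.append("executable is unsigned or untrusted")
    auth = bridge_authentication(alert, events)
    if auth is None:
        reasons.append("authentication telemetry missing (unresolved)")
    kids = {c.get("process.name", "").lower() for c in child_processes(alert, events)}
    if kids & (LAUNCHERS | SCRIPT_HOSTS):
        reasons.append("descendants include shells or script hosts")
    return {"disposition": "escalate" if reasons else "review", "reasons": reasons, "auth": auth}

# Constructed sample telemetry (not real data): one 4624 logon, one tsclient launch, one child.
SAMPLE = [
    {"event.code": "4624", "host.id": "h1", "winlog.event_data.TargetLogonId": "0x3e7a1",
     "source.ip": "10.0.0.5", "winlog.logon.type": "RemoteInteractive",
     "winlog.event_data.AuthenticationPackageName": "NTLM"},
    {"event.category": "process", "event.type": "start", "host.os.type": "windows", "host.id": "h1",
     "process.entity_id": "p100", "process.name": "helper.exe", "process.parent.name": "cmd.exe",
     "process.executable": r"\Device\Mup\TSCLIENT\C\Tools\helper.exe",
     "process.Ext.authentication_id": "0x3e7a1", "process.code_signature.trusted": False},
    {"event.category": "process", "event.type": "start", "host.os.type": "windows", "host.id": "h1",
     "process.entity_id": "p101", "process.parent.entity_id": "p100", "process.name": "powershell.exe",
     "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def run_sample():
    """Applies the rule to the sample and triages every hit."""
    return [triage(ev, SAMPLE) for ev in SAMPLE if matches_rule(ev)]
```

The mixed-case `TSCLIENT` path in the sample still matches, mirroring the case-insensitive `:` operator, while the child `powershell.exe` under `C:\Windows` does not.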
