Potential SharpRDP Behavior
Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/11"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/09/23"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution
11against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.network-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Potential SharpRDP Behavior"
18references = [
19 "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
20 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx",
21 "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
22]
23risk_score = 73
24rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967"
25severity = "high"
26tags = [
27 "Domain: Endpoint",
28 "OS: Windows",
29 "Use Case: Threat Detection",
30 "Tactic: Lateral Movement",
31 "Data Source: Elastic Defend",
32]
33type = "eql"
34
35query = '''
36/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */
37
38sequence by host.id with maxspan=1m
39 [network where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
40 network.direction : ("incoming", "ingress") and network.transport == "tcp" and
41 source.ip != "127.0.0.1" and source.ip != "::1"
42 ]
43
44 [registry where host.os.type == "windows" and event.type == "change" and process.name : "explorer.exe" and
45 registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and
46 registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*")
47 ]
48
49 [process where host.os.type == "windows" and event.type == "start" and
50 (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
51 not process.name : "conhost.exe"
52 ]
53'''
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1021"
60name = "Remote Services"
61reference = "https://attack.mitre.org/techniques/T1021/"
62[[rule.threat.technique.subtechnique]]
63id = "T1021.001"
64name = "Remote Desktop Protocol"
65reference = "https://attack.mitre.org/techniques/T1021/001/"
66
67
68
69[rule.threat.tactic]
70id = "TA0008"
71name = "Lateral Movement"
72reference = "https://attack.mitre.org/tactics/TA0008/"
References
-
It’s no secret that attackers are looking for new techniques to execute lateral movement. However, there are only a handful of publicly…
Read More -
Windows Events Attack Samples. Contribute to sbousseaden/EVTX-ATTACK-SAMPLES development by creating an account on GitHub.
Read More -
Elastic Event Query Language (EQL) correlation capabilities enable practitioners to capture complex behavior for adversary Lateral Movement techniques. Learn how to detect a variety of such techniques in this blog post.
Read More
Related rules
- Potential Lateral Tool Transfer via SMB Share
- Remote Execution via File Shares
- SMB Connections via LOLBin or Untrusted Process
- Windows Registry File Creation in SMB Share
- Potential Remote Credential Access via Registry