Potential SharpRDP Behavior

Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/11"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution
11against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.network-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Potential SharpRDP Behavior"
18references = [
19    "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
20    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx",
21]
22risk_score = 73
23rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967"
24severity = "high"
25tags = [
26    "Domain: Endpoint",
27    "OS: Windows",
28    "Use Case: Threat Detection",
29    "Tactic: Lateral Movement",
30    "Data Source: Elastic Defend",
31]
32type = "eql"
33
34query = '''
35/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */
36
37sequence by host.id with maxspan=1m
38  [network where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
39   network.direction : ("incoming", "ingress") and network.transport == "tcp" and
40   source.ip != "127.0.0.1" and source.ip != "::1"
41  ]
42
43  [registry where host.os.type == "windows" and process.name : "explorer.exe" and
44   registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and
45   registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*")
46  ]
47
48  [process where host.os.type == "windows" and event.type == "start" and
49   (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
50   not process.name : "conhost.exe"
51   ]
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1021"
59name = "Remote Services"
60reference = "https://attack.mitre.org/techniques/T1021/"
61[[rule.threat.technique.subtechnique]]
62id = "T1021.001"
63name = "Remote Desktop Protocol"
64reference = "https://attack.mitre.org/techniques/T1021/001/"
65
66
67
68[rule.threat.tactic]
69id = "TA0008"
70name = "Lateral Movement"
71reference = "https://attack.mitre.org/tactics/TA0008/"

References

Related rules

to-top