Potential SharpRDP Behavior

calendar Apr 16, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Lateral Movement Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/11"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/08"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution
13against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.network-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential SharpRDP Behavior"
20references = [
21    "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
22    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx",
23]
24risk_score = 73
25rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967"
26severity = "high"
27tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
28type = "eql"
29
30query = '''
31/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */
32
33sequence by host.id with maxspan=1m
34  [network where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
35   network.direction : ("incoming", "ingress") and network.transport == "tcp" and
36   source.ip != "127.0.0.1" and source.ip != "::1"
37  ]
38
39  [registry where host.os.type == "windows" and process.name : "explorer.exe" and
40   registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and
41   registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*")
42  ]
43
44  [process where host.os.type == "windows" and event.type == "start" and
45   (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
46   not process.name : "conhost.exe"
47   ]
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1021"
55name = "Remote Services"
56reference = "https://attack.mitre.org/techniques/T1021/"
57[[rule.threat.technique.subtechnique]]
58id = "T1021.001"
59name = "Remote Desktop Protocol"
60reference = "https://attack.mitre.org/techniques/T1021/001/"
61
62
63
64[rule.threat.tactic]
65id = "TA0008"
66name = "Lateral Movement"
67reference = "https://attack.mitre.org/tactics/TA0008/"

References

Related rules

to-top