Potential SharpRDP Behavior

Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/11/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution
against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential SharpRDP Behavior"
references = [
    "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx",
    "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
]
risk_score = 73
rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */

sequence by host.id with maxspan=1m
  [network where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
   network.direction : ("incoming", "ingress") and network.transport == "tcp" and
   source.ip != "127.0.0.1" and source.ip != "::1"
  ]

  [registry where host.os.type == "windows" and event.type == "change" and process.name : "explorer.exe" and
   registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and
   registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*")
  ]

  [process where host.os.type == "windows" and event.type == "start" and
   (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
   not process.name : "conhost.exe"
   ]
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential SharpRDP Behavior

Remote Desktop Protocol (RDP) enables users to connect to and control remote systems, facilitating legitimate administrative tasks. However, adversaries can exploit RDP for lateral movement within a network. SharpRDP authenticates to a target over RDP and, instead of presenting a desktop to the operator, sends keystrokes into the session to open the Run dialog or Task Manager and launch a command, or to run a binary from a redirected client drive (a tsclient path). Each of these leaves an artifact on the target, and the rule chains all three within one minute: an incoming TCP connection on port 3389 accepted by svchost.exe, a RunMRU value written by explorer.exe whose data starts with cmd.exe, powershell.exe, taskmgr or a tsclient path, and a process started by cmd.exe, powershell.exe or taskmgr.exe or launched from a tsclient path. Loopback sources and conhost.exe are excluded to reduce noise.

### Possible investigation steps

- Confirm the first event in the sequence: an incoming TCP connection to port 3389 accepted by svchost.exe (the Remote Desktop Services host) from a source other than loopback (127.0.0.1 or ::1). Record the source IP address and the time the session was established.
- Examine the RunMRU values written by explorer.exe under the user's hive. Each value holds a command typed into the Run dialog, and the MRUList value records the order they were entered in, so the key is a history of what the operator ran; the SID in the path identifies the account that ran it.
- Inspect the process that completed the sequence: its parent (cmd.exe, powershell.exe or taskmgr.exe) or the tsclient path in its arguments, its full command line, and any children it spawned. Decide whether this is an expected administrative action.
- Correlate the timestamps of the RDP connection, registry change, and process execution to determine if they align within the 1-minute window specified by the detection rule.
- Check the source IP address of the RDP connection against known threat intelligence feeds and against your own inventory: an RDP connection from a workstation or server that does not normally administer this host is itself suspicious.
- Identify the account that logged on (a Windows Security event 4624 with logon type 10, RemoteInteractive, and the SID in the RunMRU path), check where else it authenticated around the same time, and determine whether the session was authorized or the credentials were compromised.

### False positive analysis

- Legitimate administrative tasks over RDP trigger the rule when the administrator opens the Run dialog and types cmd, powershell or taskmgr. To manage this, create exceptions for known administrative IP addresses or user accounts that frequently perform these tasks.
- Only writes made by explorer.exe satisfy the registry stage, so scripts or software updates that edit RunMRU directly do not trigger the rule; do not build exceptions around the key itself. Tune on the source IP, the account, or the command recorded in the value.
- Remote management tools that use RDP and execute commands as part of their normal operation might be flagged. Add exceptions for these tools by their process names or specific command patterns to prevent false positives.
- Vulnerability scanners or monitoring probes that connect to port 3389 satisfy only the first stage; an alert still needs a Run dialog command and a child process on the same host within the minute. If a scanner's sweeps regularly coincide with interactive sessions, exclude its source IP addresses.

### Response and remediation

- Immediately isolate the affected host from the network to prevent further lateral movement and unauthorized access.
- Terminate any suspicious processes identified in the alert, such as those initiated by cmd.exe, powershell.exe, or taskmgr.exe, to halt any ongoing malicious activity.
- Preserve the RunMRU entries rather than clearing them: the key is a history of the commands typed into the session, not a persistence mechanism, and it tells you what the operator did. Use those commands to direct the search for changes they made, such as new accounts, scheduled tasks, services or Run keys.
- Conduct a thorough examination of the affected host for additional indicators of compromise, such as unauthorized user accounts or scheduled tasks, and remove any found.
- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent further unauthorized access.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation, and pivot on the source IP address to find other hosts that accepted RDP connections from it.
- Implement enhanced monitoring and logging for RDP connections and registry changes to detect and respond to similar threats more effectively in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
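The three-stage sequence in the query, run offline over constructed events. This is an added example and is neither Elastic's query engine nor any code from the SharpRDP project: it is a simplified matcher that reproduces the per-stage filters, the grouping by host.id and the one-minute maxspan so the logic can be exercised without a stack. The host names, SID, IP addresses and Run dialog commands in the samples are made up.

```python
"""Offline model of the rule's three-stage EQL sequence, run over constructed events. Not Elastic's engine."""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

MAXSPAN = timedelta(minutes=1)
# EQL ':' is a case-insensitive wildcard match; the TOML doubles each backslash, so these are the real patterns.
RUNMRU_PATH = r"HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\*"
RUNMRU_DATA = ("cmd.exe*", "powershell.exe*", "taskmgr*", r"\\tsclient\*.exe\*")
TSCLIENT_ARG = r"\\tsclient\*.exe"

def like(value, *patterns):
    """EQL ':' semantics: a scalar, or any element of a list, matches any of the patterns."""
    if value is None:
        return False
    values = value if isinstance(value, (list, tuple)) else [value]
    return any(fnmatchcase(str(v).lower(), p.lower()) for v in values for p in patterns)

def stage_rdp_inbound(e):
    """Stage 1: svchost.exe (Remote Desktop Services) accepts a non-loopback TCP connection on 3389."""
    return (e.get("event.category") == "network" and e.get("event.type") == "start"
            and like(e.get("process.name"), "svchost.exe") and e.get("destination.port") == 3389
            and like(e.get("network.direction"), "incoming", "ingress")
            and e.get("network.transport") == "tcp" and e.get("source.ip") not in ("127.0.0.1", "::1"))

def stage_runmru_write(e):
    """Stage 2: explorer.exe records a Run dialog command under the user's RunMRU key."""
    return (e.get("event.category") == "registry" and e.get("event.type") == "change"
            and like(e.get("process.name"), "explorer.exe") and like(e.get("registry.path"), RUNMRU_PATH)
            and like(e.get("registry.data.strings"), *RUNMRU_DATA))

def stage_child_exec(e):
    """Stage 3: a child of cmd/powershell/taskmgr, or a binary run from a tsclient share; conhost.exe is noise."""
    if e.get("event.category") != "process" or e.get("event.type") != "start":
        return False
    if like(e.get("process.name"), "conhost.exe"):
        return False
    return (like(e.get("process.parent.name"), "cmd.exe", "powershell.exe", "taskmgr.exe")
            or like(e.get("process.args"), TSCLIENT_ARG))

STAGES = (stage_rdp_inbound, stage_runmru_write, stage_child_exec)

def find_sequences(events):
    """Group by host.id, order by time, require stages 2 and 3 after stage 1 inside MAXSPAN (one match per stage-1 event)."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host.id"], []).append(e)
    matches = []
    for host_events in by_host.values():
        host_events.sort(key=lambda e: e["@timestamp"])
        for i, first in enumerate(host_events):
            if not STAGES[0](first):
                continue
            deadline = first["@timestamp"] + MAXSPAN  # maxspan bounds the whole chain, not each hop
            chain, pos = [first], i + 1
            for stage in STAGES[1:]:
                while (pos < len(host_events) and host_events[pos]["@timestamp"] <= deadline
                       and not stage(host_events[pos])):
                    pos += 1
                if pos >= len(host_events) or host_events[pos]["@timestamp"] > deadline:
                    break
                chain.append(host_events[pos])
                pos += 1
            if len(chain) == len(STAGES):
                matches.append(tuple(chain))
    return matches

def summarize(matches):
    """One row per alert: host, RDP source, the Run dialog command, the spawned process."""
    return [(n["host.id"], n["source.ip"], r["registry.data.strings"], p["process.name"]) for n, r, p in matches]

# Constructed sample telemetry: host names, SID, addresses and commands are made up.
T0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
RUNMRU_KEY = r"HKEY_USERS\S-1-5-21-1111-2222-3333-1105\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
NET = {"event.category": "network", "event.type": "start", "process.name": "svchost.exe",
       "destination.port": 3389, "network.direction": "ingress", "network.transport": "tcp"}
REG = {"event.category": "registry", "event.type": "change", "process.name": "explorer.exe",
       "registry.path": RUNMRU_KEY + r"\a"}
PROC = {"event.category": "process", "event.type": "start"}

def ev(host, sec, *parts):
    out = {"host.id": host, "@timestamp": T0 + timedelta(seconds=sec)}
    for part in parts:
        out.update(part)
    return out

# ws01: SharpRDP-style chain (alerts). ws02: loopback RDP source, so stage 1 never matches.
# ws03: stages 1 and 2 match but the child process starts 90 s later, outside maxspan.
SAMPLE_EVENTS = [
    ev("ws01", 0, NET, {"source.ip": "10.0.5.23"}),
    ev("ws01", 12, REG, {"registry.data.strings": r"cmd.exe /c whoami > C:\Users\Public\o.txt\1"}),
    ev("ws01", 13, PROC, {"process.name": "conhost.exe", "process.parent.name": "cmd.exe"}),
    ev("ws01", 14, PROC, {"process.name": "whoami.exe", "process.parent.name": "cmd.exe"}),
    ev("ws02", 0, NET, {"source.ip": "127.0.0.1"}),
    ev("ws02", 5, REG, {"registry.data.strings": r"cmd.exe\1"}),
    ev("ws02", 6, PROC, {"process.name": "whoami.exe", "process.parent.name": "cmd.exe"}),
    ev("ws03", 0, NET, {"source.ip": "10.0.5.40"}),
    ev("ws03", 30, REG, {"registry.data.strings": r"powershell.exe -nop -c hostname\1"}),
    ev("ws03", 90, PROC, {"process.name": "hostname.exe", "process.parent.name": "powershell.exe"}),
]
```

`summarize(find_sequences(SAMPLE_EVENTS))` returns a single row for ws01, with the conhost.exe start skipped in favour of whoami.exe; ws02 and ws03 produce nothing because the loopback check and the maxspan bound fail respectively. The matcher takes the first qualifying event per stage and allows one match per stage-1 event, which is enough to reason about why an alert fires; Elastic's engine additionally tracks overlapping sequences and the rest of EQL, but the per-stage predicates and the whole-chain time bound are the parts that decide an alert and are what this block reproduces.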
