Suspicious RDP ActiveX Client Loaded

Identifies suspicious image loading of the Remote Desktop Services ActiveX Client (mstscax), which may indicate the presence of RDP lateral movement capability.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/19"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the
13presence of RDP lateral movement capability.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.library-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious RDP ActiveX Client Loaded"
20references = [
21    "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
22    "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
23]
24risk_score = 47
25rule_id = "71c5cb27-eca5-4151-bb47-64bc3f883270"
26setup = """## Setup
27
28If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
29events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
30Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
31`event.ingested` to @timestamp.
32For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
33"""
34severity = "medium"
35tags = [
36    "Domain: Endpoint",
37    "OS: Windows",
38    "Use Case: Threat Detection",
39    "Tactic: Lateral Movement",
40    "Data Source: Elastic Endgame",
41    "Data Source: Elastic Defend",
42    "Data Source: Sysmon",
43]
44timestamp_override = "event.ingested"
45type = "eql"
46
47query = '''
48any where host.os.type == "windows" and
49 (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
50 (?dll.name : "mstscax.dll" or file.name : "mstscax.dll") and
51   /* depending on noise in your env add here extra paths  */
52  process.executable : (
53    "C:\\Windows\\*",
54    "C:\\Users\\Public\\*",
55    "C:\\Users\\Default\\*",
56    "C:\\Intel\\*",
57    "C:\\PerfLogs\\*",
58    "C:\\ProgramData\\*",
59    "\\Device\\Mup\\*",
60    "\\\\*"
61  ) and
62  /* add here FPs */
63  not process.executable : (
64    "?:\\Windows\\System32\\mstsc.exe",
65    "?:\\Windows\\SysWOW64\\mstsc.exe",
66    "?:\\Windows\\System32\\vmconnect.exe",
67    "?:\\Windows\\System32\\WindowsSandboxClient.exe",
68    "?:\\Windows\\System32\\hvsirdpclient.exe"
69  )
70'''
71
72
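# MITRE ATT&CK mapping: technique T1021 (Remote Services) with sub-technique T1021.001
# (Remote Desktop Protocol), filed under tactic TA0008 (Lateral Movement).
# The listing's fused line-number gutter is removed so the tables parse as TOML.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"

# Sub-table of the current [[rule.threat]] element; it must stay before any further
# [[rule.threat]] entry.
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"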

References

Related rules
