Suspicious RDP ActiveX Client Loaded
Identifies suspicious image loading of the Remote Desktop Services ActiveX Client (mstscax), which may indicate the presence of RDP lateral movement capability.
Elastic rule
[metadata]
creation_date = "2020/11/19"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies suspicious image loading of the Remote Desktop Services ActiveX Client (mstscax), which may indicate the
presence of RDP lateral movement capability.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious RDP ActiveX Client Loaded"
references = [
    "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
    "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
]
risk_score = 47
rule_id = "71c5cb27-eca5-4151-bb47-64bc3f883270"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested`, and the default fallback for EQL rules was not added until version 8.2.
Hence, for this rule to work effectively, users will need to add a custom ingest pipeline that populates
`event.ingested` from `@timestamp`.
For more details on adding a custom ingest pipeline, refer to https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and
 (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
 (?dll.name : "mstscax.dll" or file.name : "mstscax.dll") and
 /* add extra paths here depending on the noise in your environment */
 process.executable : (
    "C:\\Windows\\*",
    "C:\\Users\\Public\\*",
    "C:\\Users\\Default\\*",
    "C:\\Intel\\*",
    "C:\\PerfLogs\\*",
    "C:\\ProgramData\\*",
    "\\Device\\Mup\\*",
    "\\\\*"
 ) and
 /* add known false positives here */
 not process.executable : (
    "?:\\Windows\\System32\\mstsc.exe",
    "?:\\Windows\\SysWOW64\\mstsc.exe",
    "?:\\Windows\\System32\\vmconnect.exe",
    "?:\\Windows\\System32\\WindowsSandboxClient.exe",
    "?:\\Windows\\System32\\hvsirdpclient.exe"
 )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious RDP ActiveX Client Loaded

The Remote Desktop Services ActiveX Client, mstscax.dll, facilitates remote desktop connections, enabling users to access and control other systems. Adversaries may exploit this by loading the DLL in unauthorized contexts to move laterally within a network. The detection rule identifies unusual loading of mstscax.dll outside typical system paths, flagging potential misuse indicative of lateral movement attempts.

### Possible investigation steps

- Review the process executable path to determine if mstscax.dll was loaded from an unusual or unauthorized location, as specified in the query.
- Check the associated process and user context to identify who initiated the process and whether it aligns with expected behavior or known user activity.
- Investigate the network connections associated with the process to identify any suspicious remote connections or lateral movement attempts.
- Examine recent login events and RDP session logs for the involved user account to detect any unauthorized access or anomalies.
- Correlate the alert with other security events or logs to identify potential patterns or related suspicious activities within the network.

### False positive analysis

- Legitimate administrative tools or scripts that load mstscax.dll from non-standard paths may trigger false positives. To mitigate this, identify and document these tools, then add their paths to the exclusion list in the detection rule.
- Software updates or installations that temporarily load mstscax.dll from unusual locations can cause false alerts. Monitor and log these activities, and consider excluding these paths if they are consistently flagged during known update periods.
- Virtualization software or sandbox environments that use mstscax.dll for legitimate purposes might be flagged. Verify the use of such software and exclude their executable paths from the rule to prevent unnecessary alerts.
- Custom user scripts or automation tasks that involve remote desktop functionalities may load mstscax.dll in unexpected ways. Review these scripts and, if deemed safe, add their execution paths to the exclusion list to reduce noise.
- Network drive mappings or shared folders that involve remote desktop components could lead to false positives. Ensure these are part of regular operations and exclude their paths if they are frequently flagged without malicious intent.

### Response and remediation

- Isolate the affected system from the network immediately to prevent further lateral movement by the adversary.
- Terminate any suspicious processes associated with the unauthorized loading of mstscax.dll to halt potential malicious activities.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software.
- Review and analyze the system and network logs to identify any other systems that may have been accessed or compromised by the adversary.
- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
- Implement network segmentation to limit the ability of adversaries to move laterally within the network in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
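As an added example (not part of the rule or of Elastic's code), the Python below re-implements the query's predicate with EQL `:` wildcard semantics (`*` any run, `?` one character, case-insensitive) and runs it over constructed events, showing which executable paths alert, why the built-in RDP clients are excluded, and how a documented false-positive path is added to the exclusion list. Field names follow the rule's ECS fields; the executables, hostnames and the `extra_exclusions` parameter are assumptions made up for the example.

```python
import re

# Patterns copied from the rule's EQL query (EQL collapses the query's "\\" to one backslash).
WATCHED_PATHS = (r"C:\Windows\*", r"C:\Users\Public\*", r"C:\Users\Default\*", r"C:\Intel\*",
                 r"C:\PerfLogs\*", r"C:\ProgramData\*", r"\Device\Mup\*", r"\\*")
KNOWN_RDP_CLIENTS = (r"?:\Windows\System32\mstsc.exe", r"?:\Windows\SysWOW64\mstsc.exe",
                     r"?:\Windows\System32\vmconnect.exe", r"?:\Windows\System32\WindowsSandboxClient.exe",
                     r"?:\Windows\System32\hvsirdpclient.exe")

def eql_wildcard(pattern):
    """Compile an EQL ':' pattern: '*' is any run, '?' is one char, matching is case-insensitive."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z", re.IGNORECASE | re.DOTALL)

def matches_any(value, patterns):
    return value is not None and any(eql_wildcard(p).match(value) for p in patterns)

def rule_matches(event, extra_exclusions=()):
    """Re-implements the query's predicate for one flattened (dotted-key) event."""
    if event.get("host.os.type") != "windows":
        return False
    cat = event.get("event.category")
    image_load = cat in ("library", "driver") or (
        cat == "process" and matches_any(event.get("event.action"), ["Image loaded*"]))
    mstscax = matches_any(event.get("dll.name"), ["mstscax.dll"]) or matches_any(event.get("file.name"), ["mstscax.dll"])
    exe = event.get("process.executable")
    return (image_load and mstscax and matches_any(exe, WATCHED_PATHS)
            and not matches_any(exe, (*KNOWN_RDP_CLIENTS, *extra_exclusions)))

# Constructed sample events (not real telemetry); field names follow the rule's ECS fields.
SAMPLE_EVENTS = {
    # Sysmon event 7 shape: category "process", action "Image loaded*", loaded image in file.name
    "builtin_client": {"host.os.type": "windows", "event.category": "process",
                       "event.action": "Image loaded (rule: ImageLoad)", "file.name": "mstscax.dll",
                       "process.executable": r"C:\Windows\System32\mstsc.exe"},
    # Elastic Defend library event shape: category "library", loaded image in dll.name
    "public_dir": {"host.os.type": "windows", "event.category": "library", "dll.name": "MSTSCAX.DLL",
                   "process.executable": r"c:\users\public\rdpshim.exe"},
    "unc_share": {"host.os.type": "windows", "event.category": "library", "dll.name": "mstscax.dll",
                  "process.executable": r"\\fileshare01\tools\rdptool.exe"},
    "program_files": {"host.os.type": "windows", "event.category": "library", "dll.name": "mstscax.dll",
                      "process.executable": r"C:\Program Files\Vendor\remote.exe"},
}

def alerting_events(extra_exclusions=()):
    return sorted(k for k, e in SAMPLE_EVENTS.items() if rule_matches(e, extra_exclusions))

if __name__ == "__main__":
    print(alerting_events())                                  # ['public_dir', 'unc_share']
    print(alerting_events([r"?:\Users\Public\rdpshim.exe"]))  # ['unc_share']
```

Note that `program_files` never alerts: the rule only watches the listed directories, so a load from Program Files is outside its scope rather than excluded by the false-positive list.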
Related rules
- Lateral Movement via Startup Folder
- Local Account TokenFilter Policy Disabled
- Microsoft Exchange Server UM Writing Suspicious Files
- NullSessionPipe Registry Modification
- Potential Remote Desktop Shadowing Activity