Suspicious RDP ActiveX Client Loaded
Identifies suspicious image loading of the Remote Desktop Services ActiveX Client (mstscax.dll), which may indicate the presence of RDP lateral movement capability.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/11/19"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious image loading of the Remote Desktop Services ActiveX Client (mstscax.dll), which may indicate
the presence of RDP lateral movement capability.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious RDP ActiveX Client Loaded"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious RDP ActiveX Client Loaded

The Remote Desktop Services ActiveX Client, mstscax.dll, facilitates remote desktop connections, enabling users to access and control other systems. Adversaries may exploit this by loading the DLL in unauthorized contexts to move laterally within a network. The detection rule identifies unusual loading of mstscax.dll outside typical system paths, flagging potential misuse indicative of lateral movement attempts.

### Possible investigation steps

- Review the process executable path to determine if mstscax.dll was loaded from an unusual or unauthorized location, as specified in the query.
- Check the associated process and user context to identify who initiated the process and whether it aligns with expected behavior or known user activity.
- Investigate the network connections associated with the process to identify any suspicious remote connections or lateral movement attempts.
- Examine recent login events and RDP session logs for the involved user account to detect any unauthorized access or anomalies.
- Correlate the alert with other security events or logs to identify potential patterns or related suspicious activities within the network.

### False positive analysis

- Legitimate administrative tools or scripts that load mstscax.dll from non-standard paths may trigger false positives. To mitigate this, identify and document these tools, then add their paths to the exclusion list in the detection rule.
- Software updates or installations that temporarily load mstscax.dll from unusual locations can cause false alerts. Monitor and log these activities, and consider excluding these paths if they are consistently flagged during known update periods.
- Virtualization software or sandbox environments that use mstscax.dll for legitimate purposes might be flagged. Verify the use of such software and exclude their executable paths from the rule to prevent unnecessary alerts.
- Custom user scripts or automation tasks that involve remote desktop functionalities may load mstscax.dll in unexpected ways. Review these scripts and, if deemed safe, add their execution paths to the exclusion list to reduce noise.
- Network drive mappings or shared folders that involve remote desktop components could lead to false positives. Ensure these are part of regular operations and exclude their paths if they are frequently flagged without malicious intent.

### Response and remediation

- Isolate the affected system from the network immediately to prevent further lateral movement by the adversary.
- Terminate any suspicious processes associated with the unauthorized loading of mstscax.dll to halt potential malicious activities.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software.
- Review and analyze the system and network logs to identify any other systems that may have been accessed or compromised by the adversary.
- Reset credentials for any accounts that were accessed or potentially compromised during the incident to prevent unauthorized access.
- Implement network segmentation to limit the ability of adversaries to move laterally within the network in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been affected."""
references = [
    "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
    "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language",
]
risk_score = 47
rule_id = "71c5cb27-eca5-4151-bb47-64bc3f883270"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer to https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and
  (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
  (?dll.name : "mstscax.dll" or file.name : "mstscax.dll") and
  /* depending on noise in your env add here extra paths */
  process.executable : (
    "C:\\Windows\\*",
    "C:\\Users\\Public\\*",
    "C:\\Users\\Default\\*",
    "C:\\Intel\\*",
    "C:\\PerfLogs\\*",
    "C:\\ProgramData\\*",
    "\\Device\\Mup\\*",
    "\\\\*"
  ) and
  /* add here FPs */
  not process.executable : (
    "?:\\Windows\\System32\\mstsc.exe",
    "?:\\Windows\\SysWOW64\\mstsc.exe",
    "?:\\Windows\\System32\\vmconnect.exe",
    "?:\\Windows\\System32\\WindowsSandboxClient.exe",
    "?:\\Windows\\System32\\hvsirdpclient.exe"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
```
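The following is an added example, not code from Elastic or the detection-rules repository. It replays the EQL query's matching logic in plain Python over a handful of constructed image-load events, so you can see which executables the watched-path list catches and how the `not process.executable` exclusion list (the place the false-positive guidance tells you to add tuning) removes the built-in clients. It then performs the "examine recent login events" investigation step against constructed Windows 4624 logon events with logon type 10 (RemoteInteractive). Assumptions: `fnmatch` stands in for EQL's `:` operator (both use `*` and `?` and the comparison is made case-insensitive here), the sample events and the simplified `logon.type` / `source.ip` field names are constructed for the example, and the Sysmon-style `event.action` string is illustrative.

```python
"""Added example (not Elastic's code): evaluate the rule's query logic over
constructed events and correlate hits with constructed RDP logons."""
from __future__ import annotations

import fnmatch
from datetime import datetime, timedelta

# Path patterns copied from the rule's EQL query. EQL ':' semantics:
# case-insensitive, '*' matches any run of characters, '?' matches one.
WATCHED_PARENT_PATHS = [
    r"C:\Windows\*", r"C:\Users\Public\*", r"C:\Users\Default\*", r"C:\Intel\*",
    r"C:\PerfLogs\*", r"C:\ProgramData\*", r"\Device\Mup\*", r"\\*",
]
KNOWN_RDP_CLIENTS = [  # the rule's "add here FPs" exclusion list
    r"?:\Windows\System32\mstsc.exe", r"?:\Windows\SysWOW64\mstsc.exe",
    r"?:\Windows\System32\vmconnect.exe",
    r"?:\Windows\System32\WindowsSandboxClient.exe",
    r"?:\Windows\System32\hvsirdpclient.exe",
]


def eql_match(value: str | None, patterns: list[str]) -> bool:
    """Approximate EQL's ':' operator with fnmatch (assumption: same wildcards)."""
    if value is None:
        return False
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def rule_matches(ev: dict) -> bool:
    """True when a flat ECS-style event satisfies the rule's EQL query."""
    if ev.get("host.os.type") != "windows":
        return False
    category = ev.get("event.category")
    image_load = category in ("library", "driver") or (
        category == "process" and eql_match(ev.get("event.action"), ["Image loaded*"])
    )
    if not image_load:
        return False
    # '?dll.name' is an optional field in EQL; fall back to file.name as the query does.
    loaded = ev.get("dll.name") or ev.get("file.name")
    if not eql_match(loaded, ["mstscax.dll"]):
        return False
    exe = ev.get("process.executable")
    return eql_match(exe, WATCHED_PARENT_PATHS) and not eql_match(exe, KNOWN_RDP_CLIENTS)


T0 = datetime(2025, 3, 20, 9, 0)  # constructed base time for the sample data

# Constructed image-load events (field names follow the rule's ECS fields).
IMAGE_LOADS = [
    {"@timestamp": T0, "host.name": "ws01", "host.os.type": "windows", "user.name": "alice",
     "event.category": "library", "dll.name": "mstscax.dll",
     "process.executable": r"C:\Windows\System32\mstsc.exe"},       # built-in client: excluded
    {"@timestamp": T0 + timedelta(minutes=2), "host.name": "ws01", "host.os.type": "windows",
     "user.name": "alice", "event.category": "library", "dll.name": "mstscax.dll",
     "process.executable": r"C:\Users\Public\updater.exe"},           # public dir: hit
    {"@timestamp": T0 + timedelta(minutes=3), "host.name": "ws02", "host.os.type": "windows",
     "user.name": "bob", "event.category": "process",
     "event.action": "Image loaded (rule: ImageLoad)", "file.name": "MSTSCAX.DLL",
     "process.executable": r"\\fs01\share\tool.exe"},                 # UNC path via Sysmon: hit
    {"@timestamp": T0 + timedelta(minutes=4), "host.name": "ws03", "host.os.type": "windows",
     "user.name": "carol", "event.category": "library", "dll.name": "mstscax.dll",
     "process.executable": r"C:\Program Files\Vendor\RdpTool.exe"},   # outside watched paths: no hit
    {"@timestamp": T0 + timedelta(minutes=5), "host.name": "ws01", "host.os.type": "windows",
     "user.name": "alice", "event.category": "library", "dll.name": "kernel32.dll",
     "process.executable": r"C:\Users\Public\updater.exe"},           # different DLL: no hit
]

# Constructed logon events: Windows 4624 with logon type 10 (RemoteInteractive = RDP).
RDP_LOGONS = [
    {"@timestamp": T0 + timedelta(minutes=6), "host.name": "srv01", "user.name": "alice",
     "logon.type": 10, "source.ip": "10.0.0.11"},
    {"@timestamp": T0 + timedelta(hours=5), "host.name": "srv02", "user.name": "alice",
     "logon.type": 10, "source.ip": "10.0.0.11"},
    {"@timestamp": T0 + timedelta(minutes=7), "host.name": "srv01", "user.name": "dave",
     "logon.type": 10, "source.ip": "10.0.0.50"},
]


def find_hits(events: list[dict]) -> list[dict]:
    """Events the rule would alert on."""
    return [ev for ev in events if rule_matches(ev)]


def related_rdp_logons(hit: dict, logons: list[dict], window=timedelta(minutes=30)) -> list[dict]:
    """RDP logons by the same user within `window` after the suspicious load."""
    start, end = hit["@timestamp"], hit["@timestamp"] + window
    return [lg for lg in logons
            if lg["user.name"] == hit["user.name"] and lg["logon.type"] == 10
            and start <= lg["@timestamp"] <= end]


if __name__ == "__main__":
    for hit in find_hits(IMAGE_LOADS):
        print(f"{hit['host.name']}: {hit['process.executable']} loaded mstscax.dll as {hit['user.name']}")
        for lg in related_rdp_logons(hit, RDP_LOGONS):
            print(f"  -> RDP logon by {lg['user.name']} on {lg['host.name']} "
                  f"from {lg['source.ip']} at {lg['@timestamp']:%H:%M}")
```

Running the script reports two hits (the `C:\Users\Public` executable and the UNC-path executable) and links the first to a type-10 logon by the same user six minutes later; the built-in `mstsc.exe`, the vendor tool under `C:\Program Files`, and the unrelated DLL load are all dropped, which is exactly the behaviour to verify after adding a path to either list during tuning.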
Related rules
- Execution via TSClient Mountpoint
- Lateral Movement via Startup Folder
- Local Account TokenFilter Policy Disabled
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files