Suspicious RDP ActiveX Client Loaded
Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax); this may indicate the presence of RDP lateral movement capability.
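[metadata]
creation_date = "2020/11/19"
# Fleet integrations whose data streams this rule expects to read from.
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the
presence of RDP lateral movement capability.
"""
# Look-back window per rule execution. Because timestamp_override points at
# event.ingested (see below and the setup text), late-arriving events are still
# evaluated; on indices that do not populate event.ingested the rule falls
# back to @timestamp, which is what the setup section warns about.
from = "now-9m"
index = ["logs-endpoint.events.library-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious RDP ActiveX Client Loaded"
references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"]
risk_score = 47
rule_id = "71c5cb27-eca5-4151-bb47-64bc3f883270"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

# Notes on the detection logic (the query string itself is left as authored):
# - Image-load telemetry for mstscax.dll is accepted in three shapes:
#   event.category "library" or "driver", or a "process" event whose
#   event.action starts with "Image loaded" (presumably the Sysmon image-load
#   mapping on the winlogbeat/sysmon_operational indices — confirm against the
#   ingest pipeline in use). The `?` prefix on dll.name marks the field as
#   optional so sources that lack that mapping do not break the query.
# - The positive process.executable list scopes alerts to system-wide, public,
#   default-profile and UNC/network locations. Loads from other locations
#   (e.g. per-user profile directories) do not match; the in-query comment
#   invites adding paths per environment.
# - The exclusion list is keyed on executable path only: the stock clients are
#   carved out by name and location, not by publisher or signature. When
#   tuning, a signature-based condition (e.g. process.code_signature.trusted)
#   is a narrower way to suppress known-good clients than widening the path
#   exclusions.
query = '''
any where host.os.type == "windows" and
 (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
 (?dll.name : "mstscax.dll" or file.name : "mstscax.dll") and
 /* depending on noise in your env add here extra paths */
 process.executable : (
 "C:\\Windows\\*",
 "C:\\Users\\Public\\*",
 "C:\\Users\\Default\\*",
 "C:\\Intel\\*",
 "C:\\PerfLogs\\*",
 "C:\\ProgramData\\*",
 "\\Device\\Mup\\*",
 "\\\\*"
 ) and
 /* add here FPs */
 not process.executable : (
 "?:\\Windows\\System32\\mstsc.exe",
 "?:\\Windows\\SysWOW64\\mstsc.exe",
 "?:\\Windows\\System32\\vmconnect.exe",
 "?:\\Windows\\System32\\WindowsSandboxClient.exe",
 "?:\\Windows\\System32\\hvsirdpclient.exe"
 )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"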
Related rules
- Lateral Movement via Startup Folder
- Microsoft Exchange Server UM Writing Suspicious Files
- NullSessionPipe Registry Modification
- Potential Remote Desktop Shadowing Activity
- RDP Enabled via Registry