RDP over Reverse SSH Tunnel WFP
Detects svchost hosting RDP termsvcs communicating with the loopback address
Sigma rule
```yaml
title: RDP over Reverse SSH Tunnel WFP
id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address
references:
    - https://twitter.com/SBousseaden/status/1096148422984384514
    - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
author: Samir Bousseaden
date: 2019-02-16
modified: 2022-09-02
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1090.001
    - attack.t1090.002
    - attack.t1021.001
    - car.2013-07-002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
    sourceRDP:
        SourcePort: 3389
        DestAddress:
            - '127.*'
            - '::1'
    destinationRDP:
        DestPort: 3389
        SourceAddress:
            - '127.*'
            - '::1'
    filter_app_container:
        FilterOrigin: 'AppContainer Loopback'
    filter_thor: # checking BlueKeep vulnerability
        Application|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
falsepositives:
    - Programs that connect locally to the RDP port
level: high
```
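To make the condition above concrete, here is an added Python re-implementation of the rule's logic (not part of the rule or of the Sigma project) run over a handful of constructed Event ID 5156 records. Field names mirror the rule's selection keys; every application path, address and port in the samples is made up, and the termsvcs-in-svchost flow, the AppContainer exemption and the THOR BlueKeep check each get one record so the filters can be seen doing their work.

```python
import fnmatch

# Constructed Security-log Event ID 5156 (WFP "permitted a connection")
# records, not real captures; keys mirror the rule's selection fields.
SAMPLE_EVENTS = [
    # 0: termsvcs in svchost answering a loopback client on 3389 -> alert
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe",
     "SourceAddress": "127.0.0.1", "SourcePort": 3389,
     "DestAddress": "127.0.0.1", "DestPort": 49812, "FilterOrigin": "Core Network Setup"},
    # 1: same flow, but marked as an AppContainer loopback exemption -> filtered
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe",
     "SourceAddress": "::1", "SourcePort": 3389,
     "DestAddress": "::1", "DestPort": 50120, "FilterOrigin": "AppContainer Loopback"},
    # 2: THOR scanner probing 3389 locally for BlueKeep -> filtered
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\tools\thor64.exe",
     "SourceAddress": "127.0.0.1", "SourcePort": 51000,
     "DestAddress": "127.0.0.1", "DestPort": 3389, "FilterOrigin": "Core Network Setup"},
    # 3: ordinary outbound RDP to a remote host -> no match
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\windows\system32\mstsc.exe",
     "SourceAddress": "10.0.0.5", "SourcePort": 51001,
     "DestAddress": "10.0.0.20", "DestPort": 3389, "FilterOrigin": "Core Network Setup"},
]

LOOPBACK_PATTERNS = ["127.*", "::1"]  # the rule's address list, Sigma '*' wildcard


def is_loopback(addr):
    # Sigma's '*' maps onto fnmatch's '*'; '::1' has no wildcard, so it is an exact match
    return any(fnmatch.fnmatchcase(str(addr), p) for p in LOOPBACK_PATTERNS)


def matches_rule(ev):
    """Evaluate: selection and (sourceRDP or destinationRDP) and not 1 of filter*."""
    if ev.get("EventID") != 5156:
        return False
    source_rdp = ev.get("SourcePort") == 3389 and is_loopback(ev.get("DestAddress", ""))
    destination_rdp = ev.get("DestPort") == 3389 and is_loopback(ev.get("SourceAddress", ""))
    if not (source_rdp or destination_rdp):
        return False
    filter_app_container = ev.get("FilterOrigin") == "AppContainer Loopback"
    # Sigma string matching is case-insensitive, so normalise before the suffix test
    app = str(ev.get("Application", "")).lower()
    filter_thor = app.endswith(("\\thor.exe", "\\thor64.exe"))
    return not (filter_app_container or filter_thor)


def alerts(events):
    """Return the indices of records that would raise this rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]
```

Only record 0 fires; the two loopback flows that are exempted by the filters and the remote RDP session stay silent, which is the behaviour the `condition` line expresses.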
Related rules
- RDP Over Reverse SSH Tunnel
- RDP to HTTP or HTTPS Target Ports
- Port Forwarding Activity Via SSH.EXE
- Outbound RDP Connections Over Non-Standard Tools
- RDP Login from Localhost