RDP over Reverse SSH Tunnel WFP
Detects svchost hosting RDP termsvcs communicating with the loopback address
Sigma rule (View on GitHub)
1title: RDP over Reverse SSH Tunnel WFP
2id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
3status: test
4description: Detects svchost hosting RDP termsvcs communicating with the loopback address
5references:
6 - https://twitter.com/SBousseaden/status/1096148422984384514
7 - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
8author: Samir Bousseaden
9date: 2019/02/16
10modified: 2022/09/02
11tags:
12 - attack.defense_evasion
13 - attack.command_and_control
14 - attack.lateral_movement
15 - attack.t1090.001
16 - attack.t1090.002
17 - attack.t1021.001
18 - car.2013-07-002
19logsource:
20 product: windows
21 service: security
22detection:
23 selection:
24 EventID: 5156
25 sourceRDP:
26 SourcePort: 3389
27 DestAddress:
28 - '127.*'
29 - '::1'
30 destinationRDP:
31 DestPort: 3389
32 SourceAddress:
33 - '127.*'
34 - '::1'
35 filter_app_container:
36 FilterOrigin: 'AppContainer Loopback'
37 filter_thor: # checking BlueKeep vulnerability
38 Application|endswith:
39 - '\thor.exe'
40 - '\thor64.exe'
41 condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
42falsepositives:
43 - Programs that connect locally to the RDP port
44level: high
References
-
-
Windows Events Attack Samples. Contribute to sbousseaden/EVTX-ATTACK-SAMPLES development by creating an account on GitHub.
Read More
Related rules
- RDP to HTTP or HTTPS Target Ports
- Suspicious RDP Redirect Using TSCON
- RDP Login from Localhost
- RDP Port Forwarding Rule Added Via Netsh.EXE
- Suspicious Plink Port Forwarding