RDP over Reverse SSH Tunnel WFP

Detects svchost hosting RDP termsvcs communicating with the loopback address

Sigma rule (View on GitHub)

 1title: RDP over Reverse SSH Tunnel WFP
 2id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
 3status: test
 4description: Detects svchost hosting RDP termsvcs communicating with the loopback address
 5references:
 6    - https://twitter.com/SBousseaden/status/1096148422984384514
 7    - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
 8author: Samir Bousseaden
 9date: 2019-02-16
10modified: 2022-09-02
11tags:
12    - attack.defense-evasion
13    - attack.command-and-control
14    - attack.lateral-movement
15    - attack.t1090.001
16    - attack.t1090.002
17    - attack.t1021.001
18    - car.2013-07-002
19logsource:
20    product: windows
21    service: security
22detection:
23    selection:
24        EventID: 5156
25    sourceRDP:
26        SourcePort: 3389
27        DestAddress:
28            - '127.*'
29            - '::1'
30    destinationRDP:
31        DestPort: 3389
32        SourceAddress:
33            - '127.*'
34            - '::1'
35    filter_app_container:
36        FilterOrigin: 'AppContainer Loopback'
37    filter_thor:  # checking BlueKeep vulnerability
38        Application|endswith:
39            - '\thor.exe'
40            - '\thor64.exe'
41    condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
42falsepositives:
43    - Programs that connect locally to the RDP port
44level: high

References

Related rules

to-top