.RDP File Created by Outlook Process
Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use RDP files as attachments.
Sigma rule
```yaml
title: .RDP File Created by Outlook Process
id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
related:
    - id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
      type: derived
status: experimental
description: |
    Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments.
    This can be used to detect spear-phishing campaigns that use RDP files as attachments.
references:
    - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
    - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
    - https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29
author: Florian Roth
date: 2024-11-01
modified: 2024-11-03
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection_extension:
        TargetFilename|endswith: '.rdp'
    selection_location:
        - TargetFilename|contains:
              - '\AppData\Local\Packages\Microsoft.Outlook_' # New Outlook
              - '\AppData\Local\Microsoft\Olk\Attachments\' # New Outlook
        - TargetFilename|contains|all:
              - '\AppData\Local\Microsoft\Windows\'
              - '\Content.Outlook\'
    condition: all of selection_*
falsepositives:
    - Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments
level: high
```
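To make the matching logic concrete, the following is an added example (not part of the SigmaHQ rule or its tooling) that renders the rule's `detection` block as a plain Python matcher and runs it over a handful of constructed `file_event` records. Note that the rule keys only on `TargetFilename`: the Outlook attachment folders stand in for the process, and `Image` is never consulted. Sigma string modifiers are case-insensitive, which is why everything is lower-cased before comparison; the sample paths and user name are constructed.

```python
# Sigma rule f748c45a-f8d3-4e6f-b617-fe176f695b8f expressed as a matcher.
# Backslashes are doubled so each Python string holds the literal rule pattern.
EXTENSION = ".rdp"                                    # selection_extension
LOCATION_ANY = [                                      # selection_location, map 1 (OR)
    "\\AppData\\Local\\Packages\\Microsoft.Outlook_",   # New Outlook
    "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\",  # New Outlook
]
LOCATION_ALL = [                                      # selection_location, map 2 (contains|all)
    "\\AppData\\Local\\Microsoft\\Windows\\",
    "\\Content.Outlook\\",
]


def matches_rule(event: dict) -> bool:
    """True when a file_event record satisfies 'all of selection_*'.

    selection_extension: TargetFilename|endswith '.rdp'
    selection_location: a list of two maps, so either map may match.
    """
    target = event.get("TargetFilename", "").lower()
    if not target.endswith(EXTENSION):
        return False
    new_outlook = any(p.lower() in target for p in LOCATION_ANY)
    classic_outlook = all(p.lower() in target for p in LOCATION_ALL)
    return new_outlook or classic_outlook


def matching_filenames(events: list) -> list:
    """Return the TargetFilename of every event that would raise this alert."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (Sysmon EventID 11-style file creations), not real telemetry.
SAMPLE_EVENTS = [
    {"TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\invoice.rdp"},  # classic Outlook: hit
    {"TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Olk\Attachments\0\Remote.RDP"},                            # new Outlook, mixed case: hit
    {"TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\report.pdf"},   # wrong extension: miss
    {"TargetFilename": r"C:\Users\alice\Downloads\lab.rdp"},                                                                # .rdp outside Outlook temp dirs: miss
    {"TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Windows\lab.rdp"},                                          # only one of the contains|all strings: miss
]

if __name__ == "__main__":
    for name in matching_filenames(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Running the block prints the first two sample paths only; the `.rdp` in `Downloads` is exactly the kind of file the `falsepositives` entry warns about once a user saves an attachment elsewhere, and it is out of scope for this rule.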
Related rules
- .RDP File Created By Uncommon Application
- Binary Proxy Execution Via Dotnet-Trace.EXE
- DLL Names Used By SVR For GraphicalProton Backdoor
- Enable LM Hash Storage
- Forfiles.EXE Child Process Masquerading