.RDP File Created by Outlook Process

 1title: .RDP File Created by Outlook Process
 2id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
 3related:
 4    - id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
 5      type: derived
 6status: experimental
 7description: |
 8    Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments.
 9    This can be used to detect spear-phishing campaigns that use RDP files as attachments.    
10references:
11    - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
12    - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
13    - https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29
14author: Florian Roth
15date: 2024-11-01
16modified: 2024-11-03
17tags:
18    - attack.defense-evasion
19logsource:
20    product: windows
21    category: file_event
22detection:
23    selection_extension:
24        TargetFilename|endswith: '.rdp'
25    selection_location:
26        - TargetFilename|contains:
27              - '\AppData\Local\Packages\Microsoft.Outlook_' # New Outlook
28              - '\AppData\Local\Microsoft\Olk\Attachments\' # New Outlook
29        - TargetFilename|contains|all:
30              - '\AppData\Local\Microsoft\Windows\'
31              - '\Content.Outlook\'
32    condition: all of selection_*
33falsepositives:
34    - Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments
35level: high

References

• Rogue RDP Files Targeting Ukrainian Government, Military

  

  Hackers are trying to gain remote access to Ukrainian government and military systems leveraging RDP files disguised as popular network and security services.

  
  Read More

• Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog

  

  Since October 22, 2024, Microsoft Threat Intelligence has observed Russian threat actor Midnight Blizzard sending a series of highly targeted spear-phishing emails to individuals in government, academia, defense, non-governmental organizations, and other sectors. This activity is ongoing, and Microsoft will continue to investigate and provide updates as available. Based on our investigation of previous Midnight […]

  
  Read More

• Florian Roth on LinkedIn: #nobelium #midnightblizzard #yara | 12 comments

  

  Microsoft published a report on #Nobelium (aka #MidnightBlizzard) threat group conducting large-scale spear-phishing campaign using RDP files I'm sharing the… | 12 comments on LinkedIn

  
  Read More

Related rules

• .RDP File Created By Uncommon Application
• Binary Proxy Execution Via Dotnet-Trace.EXE
• DLL Names Used By SVR For GraphicalProton Backdoor
• Enable LM Hash Storage
• Forfiles.EXE Child Process Masquerading