.RDP File Created By Uncommon Application

Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.

Sigma rule (View on GitHub)

title: .RDP File Created By Uncommon Application
id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
related:
    - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
      type: derived
status: test
description: |
        Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
modified: 2024-11-01
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.rdp'
        Image|endswith:
            # Covers browsers
            - '\brave.exe'
            - '\CCleaner Browser\Application\CCleanerBrowser.exe'
            - '\chromium.exe'
            - '\firefox.exe'
            - '\Google\Chrome\Application\chrome.exe'
            - '\iexplore.exe'
            - '\microsoftedge.exe'
            - '\msedge.exe'
            - '\Opera.exe'
            - '\Vivaldi.exe'
            - '\Whale.exe'
            # Covers email clients
            - '\olk.exe' # Outlook
            - '\Outlook.exe'
            - '\RuntimeBroker.exe' # If the Windows mail client is used
            - '\Thunderbird.exe'
            # Covers chat applications
            - '\Discord.exe' # Should open the browser for download, but just in case.
            - '\Keybase.exe'
            - '\msteams.exe'
            - '\Slack.exe'
            - '\teams.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
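To make the selection logic concrete, here is an added Python example (not part of the rule or of the Sigma project) that applies the rule's two conditions to a few constructed file-creation events. It assumes each event is a dict with `TargetFilename` and `Image` keys, and it applies Sigma's default case-insensitive string matching for the `|endswith` modifier.

```python
# Added example: evaluates this rule's 'selection' against constructed
# file_event records. Sigma's |endswith modifier matches case-insensitively
# by default, so both sides are lower-cased before comparison.
# The event dict shape is an assumption, not a Sigma or backend format.

RDP_SUFFIX = ".rdp"

# Image|endswith values copied from the rule above (backslashes escaped for Python)
UNCOMMON_RDP_WRITERS = [
    # browsers
    "\\brave.exe", "\\CCleaner Browser\\Application\\CCleanerBrowser.exe",
    "\\chromium.exe", "\\firefox.exe", "\\Google\\Chrome\\Application\\chrome.exe",
    "\\iexplore.exe", "\\microsoftedge.exe", "\\msedge.exe", "\\Opera.exe",
    "\\Vivaldi.exe", "\\Whale.exe",
    # email clients
    "\\olk.exe", "\\Outlook.exe", "\\RuntimeBroker.exe", "\\Thunderbird.exe",
    # chat applications
    "\\Discord.exe", "\\Keybase.exe", "\\msteams.exe", "\\Slack.exe", "\\teams.exe",
]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies both fields of the rule's 'selection'."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    if not target.endswith(RDP_SUFFIX):
        return False
    return any(image.endswith(suffix.lower()) for suffix in UNCOMMON_RDP_WRITERS)


def alerting_events(events: list) -> list:
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). The second one checks that
# upper-case process and file names still match; the third shows that the
# built-in RDP client writing a .rdp file is out of scope for this rule.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.rdp"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\meeting.RDP"},
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "TargetFilename": r"C:\Users\alice\Documents\Default.rdp"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for hit in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```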
