RDP File Creation From Suspicious Application
Detects the creation of an RDP (.rdp) file by a browser, email client or chat application, which can indicate a rogue-RDP initial access attempt
Sigma rule
title: RDP File Creation From Suspicious Application
id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
status: test
description: Detects the creation of an RDP (.rdp) file by a browser, email client or chat application
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Covers browsers
            - '\brave.exe'
            - '\CCleaner Browser\Application\CCleanerBrowser.exe'
            - '\chromium.exe'
            - '\firefox.exe'
            - '\Google\Chrome\Application\chrome.exe'
            - '\iexplore.exe'
            - '\microsoftedge.exe'
            - '\msedge.exe'
            - '\Opera.exe'
            - '\Vivaldi.exe'
            - '\Whale.exe'
            # Covers email clients
            - '\Outlook.exe'
            - '\RuntimeBroker.exe' # If the Windows Mail client is used
            - '\Thunderbird.exe'
            # Covers chat applications
            - '\Discord.exe' # Should open the browser for download, but just in case.
            - '\Keybase.exe'
            - '\msteams.exe'
            - '\Slack.exe'
            - '\teams.exe'
        TargetFilename|contains: '.rdp'
    condition: selection
falsepositives:
    - Unknown
level: high
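To see how the selection above behaves on real-looking telemetry, here is an added Python example (not part of the Sigma project or this rule) that re-implements the rule's `Image|endswith` / `TargetFilename|contains` logic with Sigma's default case-insensitive matching and runs it over a handful of constructed Sysmon FileCreate-style events; the process paths and file names are made up for the test.

```python
# Added example: evaluates the Sigma selection above against constructed
# Windows file_event records. Not the Sigma project's own code.
from typing import Iterable

# Image|endswith values from the rule; Sigma string matching is case-insensitive.
SUSPICIOUS_IMAGE_SUFFIXES = [
    # browsers
    r"\brave.exe", r"\CCleaner Browser\Application\CCleanerBrowser.exe",
    r"\chromium.exe", r"\firefox.exe",
    r"\Google\Chrome\Application\chrome.exe", r"\iexplore.exe",
    r"\microsoftedge.exe", r"\msedge.exe", r"\Opera.exe", r"\Vivaldi.exe",
    r"\Whale.exe",
    # email clients
    r"\Outlook.exe", r"\RuntimeBroker.exe", r"\Thunderbird.exe",
    # chat applications
    r"\Discord.exe", r"\Keybase.exe", r"\msteams.exe", r"\Slack.exe",
    r"\teams.exe",
]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection' (both field conditions hold)."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    image_hit = any(image.endswith(s.lower()) for s in SUSPICIOUS_IMAGE_SUFFIXES)
    # The rule uses 'contains', so any ".rdp" substring in the path matches.
    return image_hit and ".rdp" in target


def alerts(events: Iterable[dict]) -> list:
    """Return the subset of events that the rule would raise as high-level alerts."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events in the shape of Sysmon Event ID 11 (FileCreate).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.rdp"},        # match
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},          # no match
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\work.rdp"},              # image not listed
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Session.RDP"},  # case-insensitive match
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

Because the rule uses `contains` rather than `endswith`, a file such as `notes.rdp.bak` or a directory named `old.rdp` also triggers; if that proves noisy in your environment, tune a local copy to `TargetFilename|endswith: '.rdp'`.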