RDP File Creation From Suspicious Application

Detects Rclone config file being created

Sigma rule

title: RDP File Creation From Suspicious Application
id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
status: test
description: Detects Rclone config file being created
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/18
tags:
    - attack.defense_evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Covers browsers
            - '\brave.exe'
            - '\CCleaner Browser\Application\CCleanerBrowser.exe'
            - '\chromium.exe'
            - '\firefox.exe'
            - '\Google\Chrome\Application\chrome.exe'
            - '\iexplore.exe'
            - '\microsoftedge.exe'
            - '\msedge.exe'
            - '\Opera.exe'
            - '\Vivaldi.exe'
            - '\Whale.exe'
            # Covers email clients
            - '\Outlook.exe'
            - '\RuntimeBroker.exe' # If the Windows Mail client is used
            - '\Thunderbird.exe'
            # Covers chat applications
            - '\Discord.exe' # Should open the browser for download, but just in case.
            - '\Keybase.exe'
            - '\msteams.exe'
            - '\Slack.exe'
            - '\teams.exe'
        TargetFilename|contains: '.rdp'
    condition: selection
falsepositives:
    - Unknown
level: high
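To see what the `selection` block above actually matches, the following Python evaluates the same logic against a handful of constructed Sysmon-style file-create events (the `Image` and `TargetFilename` fields the rule names). This is an added example, not code from the Sigma project or the rule author; the sample events are made up, and the matcher assumes Sigma's default case-insensitive string comparison. It also shows why `contains: '.rdp'` fires on more than files with an `.rdp` extension, which is worth knowing when triaging a hit.

```python
"""Evaluate the rule's `selection` against constructed file-create events.

Added example (not part of the Sigma rule or project). Field names follow
the rule's logsource (Sysmon Event ID 11 style: Image, TargetFilename).
"""

# Image suffixes copied from the rule's Image|endswith list.
SUSPICIOUS_IMAGE_SUFFIXES = [
    r"\brave.exe",
    r"\CCleaner Browser\Application\CCleanerBrowser.exe",
    r"\chromium.exe",
    r"\firefox.exe",
    r"\Google\Chrome\Application\chrome.exe",
    r"\iexplore.exe",
    r"\microsoftedge.exe",
    r"\msedge.exe",
    r"\Opera.exe",
    r"\Vivaldi.exe",
    r"\Whale.exe",
    r"\Outlook.exe",
    r"\RuntimeBroker.exe",
    r"\Thunderbird.exe",
    r"\Discord.exe",
    r"\Keybase.exe",
    r"\msteams.exe",
    r"\Slack.exe",
    r"\teams.exe",
]

# The rule's TargetFilename|contains value.
TARGET_SUBSTRING = ".rdp"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Sigma string modifiers compare case-insensitively by default, so both
    sides are lower-cased before the endswith/contains checks.
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    image_hit = any(image.endswith(s.lower()) for s in SUSPICIOUS_IMAGE_SUFFIXES)
    return image_hit and TARGET_SUBSTRING in target


def has_rdp_extension(event: dict) -> bool:
    """Tighter variant for triage: only files whose name ends in .rdp.

    Not part of the rule; shown to contrast with the broader `contains`.
    """
    return event.get("TargetFilename", "").lower().endswith(".rdp")


# Constructed sample events (no real hosts or files).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.rdp"},          # hit
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Connect.rdp"},  # hit (case-insensitive)
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "TargetFilename": r"C:\Users\alice\Documents\Default.rdp"},           # no hit: mstsc.exe not in list
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},            # no hit: no '.rdp' in name
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\notes.rdp.txt"},         # hit: 'contains' is broader than the extension
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Apply the rule to each event and return the list of verdicts."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, evaluate()):
        print(verdict, event["Image"], "->", event["TargetFilename"])
```

The last sample event is the practical caveat: because the rule uses `contains`, a browser writing `notes.rdp.txt` fires just like a real `.rdp` download, so an analyst should confirm the extension (as `has_rdp_extension` does) before treating a hit as a rogue-RDP lure.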
