Outbound RDP Connections Over Non-Standard Tools

Detects non-standard tools initiating a connection over port 3389, indicating possible lateral movement. An initial baseline is required before using this rule, so that third-party RDP tooling in legitimate use can be excluded.

Sigma rule

title: Outbound RDP Connections Over Non-Standard Tools
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: test
description: |
    Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
    An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
references:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis
date: 2019-05-15
modified: 2024-02-09
tags:
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort: 3389
        Initiated: 'true'
    filter_main_mstsc:
        Image:
            - 'C:\Windows\System32\mstsc.exe'
            - 'C:\Windows\SysWOW64\mstsc.exe'
    filter_optional_dns:
        # Note: https://github.com/SigmaHQ/sigma/pull/2249
        Image: 'C:\Windows\System32\dns.exe'
        SourcePort: 53
        Protocol: 'udp'
    filter_optional_avast:
        Image|endswith:
            - '\Avast Software\Avast\AvastSvc.exe'
            - '\Avast\AvastSvc.exe'
    filter_optional_sysinternals_rdcman:
        Image|endswith: '\RDCMan.exe'
    filter_optional_chrome:
        Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_third_party:
        Image|endswith:
            - '\FSAssessment.exe'
            - '\FSDiscovery.exe'
            - '\MobaRTE.exe'
            - '\mRemote.exe'
            - '\mRemoteNG.exe'
            - '\Passwordstate.exe'
            - '\RemoteDesktopManager.exe'
            - '\RemoteDesktopManager64.exe'
            - '\RemoteDesktopManagerFree.exe'
            - '\RSSensor.exe'
            - '\RTS2App.exe'
            - '\RTSApp.exe'
            - '\spiceworks-finder.exe'
            - '\Terminals.exe'
            - '\ws_TunnelService.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_splunk:
        Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
    filter_optional_sentinel_one:
        Image|endswith: '\Ranger\SentinelRanger.exe'
    filter_optional_firefox:
        Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tsplus:  # Some RAS
        Image:
            - 'C:\Program Files\TSplus\Java\bin\HTML5service.exe'
            - 'C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
    filter_optional_null:
        Image: null
    filter_optional_empty:
        Image: ''
    filter_optional_unknown:
        Image: '<unknown process>'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Third party RDP tools
level: high
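To show how the condition `selection and not 1 of filter_main_* and not 1 of filter_optional_*` resolves, here is an added Python evaluator (written for this page, not the rule's own code and not pySigma) that applies a subset of the rule's filters, including the multi-field dns filter and the null/empty Image filters, to constructed Sysmon Event ID 3 records. String matching is case-insensitive, as in Sigma, and the sample events and paths are made up.

```python
"""Hand-rolled evaluation of the Sigma rule above against constructed
Sysmon Event ID 3 (network_connection) records. It approximates Sigma
semantics (case-insensitive exact / endswith / startswith, `null` for an
absent field) and is not pySigma or any SigmaHQ code."""

# Each filter is a dict of field -> (modifier, values). All fields of one
# filter must match (AND); any value in the list may match (OR).
FILTERS = [
    {"Image": ("exact", ["C:\\Windows\\System32\\mstsc.exe",
                         "C:\\Windows\\SysWOW64\\mstsc.exe"])},
    {"Image": ("exact", ["C:\\Windows\\System32\\dns.exe"]),
     "SourcePort": ("exact", [53]), "Protocol": ("exact", ["udp"])},
    {"Image": ("endswith", ["\\Avast Software\\Avast\\AvastSvc.exe",
                            "\\Avast\\AvastSvc.exe"])},
    {"Image": ("endswith", ["\\RDCMan.exe", "\\mRemoteNG.exe",
                            "\\RemoteDesktopManager.exe", "\\thor64.exe"])},
    {"Image": ("startswith",
               ["C:\\Program Files\\SplunkUniversalForwarder\\bin\\"])},
    {"Image": ("exact", [None, "", "<unknown process>"])},  # null/empty/unknown
]

def value_matches(actual, modifier, expected):
    """One field: null only matches an absent field; strings compare
    case-insensitively; other types (ports) compare exactly."""
    if expected is None or actual is None:
        return actual is None and expected is None and modifier == "exact"
    if not isinstance(actual, str) or not isinstance(expected, str):
        return modifier == "exact" and actual == expected
    a, e = actual.lower(), expected.lower()
    return {"exact": a == e, "endswith": a.endswith(e),
            "startswith": a.startswith(e)}[modifier]

def filter_matches(event, flt):
    return all(any(value_matches(event.get(field), mod, v) for v in values)
               for field, (mod, values) in flt.items())

def is_suspicious(event):
    """condition: selection and not 1 of filter_*"""
    selection = (event.get("DestinationPort") == 3389
                 and str(event.get("Initiated")).lower() == "true")
    return selection and not any(filter_matches(event, f) for f in FILTERS)

EVENTS = [  # constructed samples, not real telemetry
    {"Image": "C:\\Windows\\System32\\mstsc.exe", "DestinationPort": 3389, "Initiated": "true"},
    {"Image": "C:\\Users\\bob\\Downloads\\rdpclient.exe", "DestinationPort": 3389, "Initiated": "true"},
    {"Image": "C:\\Tools\\mRemoteNG.exe", "DestinationPort": 3389, "Initiated": "true"},
    {"Image": "C:\\Windows\\System32\\dns.exe", "DestinationPort": 3389, "Initiated": "true",
     "SourcePort": 53, "Protocol": "udp"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "DestinationPort": 3389, "Initiated": "false"},
    {"DestinationPort": 3389, "Initiated": "true"},  # Image absent -> filter_optional_null
]

def alerts(events):
    """Return the Image of every event the rule would fire on."""
    return [e.get("Image") for e in events if is_suspicious(e)]
```

Only the unrecognised client in the user's profile fires; the inbound svchost event fails `Initiated`, and the dns event is excluded only because all three of its filter fields match together.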
