Outbound RDP Connections Over Non-Standard Tools
Detects non-standard tools initiating an outbound connection to port 3389 (RDP), which can indicate lateral movement. Baseline your environment before deploying this rule, so that any third-party RDP tooling you legitimately use is added to the filters rather than alerted on.
Sigma rule (View on GitHub)
title: Outbound RDP Connections Over Non-Standard Tools
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: test
description: |
    Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
    An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
references:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis
date: 2019-05-15
modified: 2024-02-09
tags:
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort: 3389
        Initiated: 'true'
    filter_main_mstsc:
        Image:
            - 'C:\Windows\System32\mstsc.exe'
            - 'C:\Windows\SysWOW64\mstsc.exe'
    filter_optional_dns:
        # Note: https://github.com/SigmaHQ/sigma/pull/2249
        Image: 'C:\Windows\System32\dns.exe'
        SourcePort: 53
        Protocol: 'udp'
    filter_optional_avast:
        Image|endswith:
            - '\Avast Software\Avast\AvastSvc.exe'
            - '\Avast\AvastSvc.exe'
    filter_optional_sysinternals_rdcman:
        Image|endswith: '\RDCMan.exe'
    filter_optional_chrome:
        Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_third_party:
        Image|endswith:
            - '\FSAssessment.exe'
            - '\FSDiscovery.exe'
            - '\MobaRTE.exe'
            - '\mRemote.exe'
            - '\mRemoteNG.exe'
            - '\Passwordstate.exe'
            - '\RemoteDesktopManager.exe'
            - '\RemoteDesktopManager64.exe'
            - '\RemoteDesktopManagerFree.exe'
            - '\RSSensor.exe'
            - '\RTS2App.exe'
            - '\RTSApp.exe'
            - '\spiceworks-finder.exe'
            - '\Terminals.exe'
            - '\ws_TunnelService.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_splunk:
        Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
    filter_optional_sentinel_one:
        Image|endswith: '\Ranger\SentinelRanger.exe'
    filter_optional_firefox:
        Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tsplus: # Some RAS
        Image:
            - 'C:\Program Files\TSplus\Java\bin\HTML5service.exe'
            - 'C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
    filter_optional_null:
        Image: null
    filter_optional_empty:
        Image: ''
    filter_optional_unknown:
        Image: '<unknown process>'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Third party RDP tools
level: high
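To show how the condition above actually behaves on telemetry, the following is an added example, not SigmaHQ code: a small Python evaluator for the subset of Sigma semantics this rule uses (exact match, `endswith`, `startswith`, `null`, value lists, case-insensitive strings) applied to constructed Sysmon Event ID 3 (network_connection) records. The `_ev` helper, `SAMPLE_EVENTS` and `triage` are assumptions made for this illustration. It demonstrates three things a practitioner should check before deploying the rule: `filter_optional_dns` only suppresses `dns.exe` when all three of its fields match, `filter_main_mstsc` is an exact path so a copy of `mstsc.exe` placed outside System32 still fires, and an event with no `Image` field at all is silently suppressed by `filter_optional_null`.

```python
"""Evaluate 'Outbound RDP Connections Over Non-Standard Tools' against
Sysmon network_connection events. Added illustration, not SigmaHQ code."""

# The rule's detection section, transcribed as Python data (field|modifier keys).
RULE = {
    "selection": {"DestinationPort": 3389, "Initiated": "true"},
    "filter_main_mstsc": {"Image": [r"C:\Windows\System32\mstsc.exe",
                                    r"C:\Windows\SysWOW64\mstsc.exe"]},
    "filter_optional_dns": {"Image": r"C:\Windows\System32\dns.exe",
                            "SourcePort": 53, "Protocol": "udp"},
    "filter_optional_avast": {"Image|endswith": [r"\Avast Software\Avast\AvastSvc.exe",
                                                 r"\Avast\AvastSvc.exe"]},
    "filter_optional_sysinternals_rdcman": {"Image|endswith": r"\RDCMan.exe"},
    "filter_optional_chrome": {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    "filter_optional_third_party": {"Image|endswith": [
        r"\FSAssessment.exe", r"\FSDiscovery.exe", r"\MobaRTE.exe", r"\mRemote.exe",
        r"\mRemoteNG.exe", r"\Passwordstate.exe", r"\RemoteDesktopManager.exe",
        r"\RemoteDesktopManager64.exe", r"\RemoteDesktopManagerFree.exe", r"\RSSensor.exe",
        r"\RTS2App.exe", r"\RTSApp.exe", r"\spiceworks-finder.exe", r"\Terminals.exe",
        r"\ws_TunnelService.exe"]},
    "filter_optional_thor": {"Image|endswith": [r"\thor.exe", r"\thor64.exe"]},
    "filter_optional_splunk": {"Image|startswith": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\"},
    "filter_optional_sentinel_one": {"Image|endswith": r"\Ranger\SentinelRanger.exe"},
    "filter_optional_firefox": {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    "filter_optional_tsplus": {"Image": [r"C:\Program Files\TSplus\Java\bin\HTML5service.exe",
                                         r"C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe"]},
    "filter_optional_null": {"Image": None},
    "filter_optional_empty": {"Image": ""},
    "filter_optional_unknown": {"Image": "<unknown process>"},
}


def _value_matches(actual, want, modifier):
    """Compare one event field value against one rule value (case-insensitive)."""
    if want is None:                 # 'Image: null' matches only a missing field
        return actual is None
    if actual is None:
        return False
    a, w = str(actual).lower(), str(want).lower()
    if modifier == "":
        return a == w
    if modifier == "endswith":
        return a.endswith(w)
    if modifier == "startswith":
        return a.startswith(w)
    raise ValueError(f"modifier {modifier!r} not supported by this evaluator")


def _block_matches(event, block):
    """Every field in a block must match (AND); a list of values is an OR."""
    for key, want in block.items():
        field, _, modifier = key.partition("|")
        values = want if isinstance(want, list) else [want]
        if not any(_value_matches(event.get(field), v, modifier) for v in values):
            return False
    return True


def rule_fires(event, rule=RULE):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not _block_matches(event, rule["selection"]):
        return False
    filters = (b for n, b in rule.items() if n.startswith(("filter_main_", "filter_optional_")))
    return not any(_block_matches(event, b) for b in filters)


def _ev(image, port=3389, initiated="true", proto="tcp", sport=50000):
    """Build a constructed Sysmon EID 3 record with the fields this rule reads."""
    return {"Image": image, "DestinationPort": port, "Initiated": initiated,
            "Protocol": proto, "SourcePort": sport}


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    _ev(r"C:\Windows\System32\mstsc.exe"),                              # suppressed: filter_main
    _ev(r"C:\Tools\mRemoteNG\mRemoteNG.exe"),                           # suppressed: third party
    _ev(r"C:\Program Files\Mozilla Firefox\FIREFOX.EXE"),               # suppressed: case-insensitive
    _ev(r"C:\Windows\System32\dns.exe", proto="udp", sport=53),         # suppressed: all dns fields
    _ev(r"C:\Windows\System32\dns.exe", proto="tcp", sport=49152),      # FIRES: dns filter needs udp/53
    _ev(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # FIRES: non-standard tool
    _ev(r"C:\Users\bob\AppData\Local\Temp\rdp.exe", port=443),          # not selected: not 3389
    _ev(r"C:\Windows\System32\svchost.exe", initiated="false"),         # not selected: inbound
    _ev("<unknown process>"),                                           # suppressed: filter_optional_unknown
    {"DestinationPort": 3389, "Initiated": "true"},                     # suppressed: Image absent
]


def triage(events):
    """Return the Image of every event the rule would alert on, in order."""
    return [e.get("Image") for e in events if rule_fires(e)]


if __name__ == "__main__":
    for image in triage(SAMPLE_EVENTS):
        print("ALERT:", image)
```

This evaluator only implements the modifiers the rule uses; wildcards, regex and other Sigma features are deliberately out of scope, and in production the rule is translated to your backend's query language with sigma-cli or pySigma rather than evaluated like this. The last two sample events are the ones worth thinking about during baselining: Sysmon emits `<unknown process>` when it cannot resolve the image, and an event with no `Image` at all is dropped by `filter_optional_null`, so a collection pipeline that strips or renames that field would blind the rule.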
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
Related rules
- RDP Login from Localhost
- RDP Over Reverse SSH Tunnel
- RDP over Reverse SSH Tunnel WFP
- RDP to HTTP or HTTPS Target Ports
- Suspicious RDP Redirect Using TSCON