RDP Over Reverse SSH Tunnel
Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
Sigma rule
```yaml
title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
    - https://twitter.com/cyb3rops/status/1096842275437625346
author: Samir Bousseaden
date: 2019-02-16
modified: 2024-03-12
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection_img:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
    selection_destination:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '::1/128'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
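To make the detection block concrete, the following is an added example (not part of the Sigma project or of this rule's author's work) that applies the rule's three selection checks to a handful of constructed Sysmon Event ID 3 records. It assumes the event fields carry the names Sigma uses for this log source (`Image`, `Initiated`, `SourcePort`, `DestinationIp`) and that string matches are case-insensitive, as Sigma specifies; the sample events are made up for the demonstration and are not real telemetry.

```python
import ipaddress

# Destination CIDRs from the rule's selection_destination block
LOOPBACK_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)


def matches_rdp_over_reverse_ssh_tunnel(event):
    """Return True when one network_connection event satisfies the rule.

    `event` is a dict with the Sysmon Event ID 3 fields the rule references,
    under the names Sigma uses: Image, Initiated, SourcePort, DestinationIp.
    Missing or malformed fields never match (the rule requires all selections).
    """
    # selection_img: Image|endswith '\svchost.exe' (Sigma string matches are case-insensitive)
    image = str(event.get("Image", ""))
    if not image.lower().endswith("\\svchost.exe"):
        return False

    # selection_img: Initiated 'true' (Sysmon logs this as the string "true"/"false")
    if str(event.get("Initiated", "")).lower() != "true":
        return False

    # selection_img: SourcePort 3389 (the local port the RDP listener answers from)
    try:
        source_port = int(event.get("SourcePort"))
    except (TypeError, ValueError):
        return False
    if source_port != 3389:
        return False

    # selection_destination: DestinationIp|cidr 127.0.0.0/8 or ::1/128
    try:
        destination = ipaddress.ip_address(str(event.get("DestinationIp", "")))
    except ValueError:
        return False
    return any(destination in net for net in LOOPBACK_NETS)


# Constructed sample events for the demonstration; these are not real telemetry.
SAMPLE_EVENTS = [
    # Ordinary outbound RDP from mstsc to a remote host: wrong image and source port
    {"EventId": 1, "Image": "C:\\Windows\\System32\\mstsc.exe", "Initiated": "true",
     "SourcePort": 52101, "DestinationIp": "10.0.0.25", "DestinationPort": 3389},
    # svchost talking to an RDP client on the LAN: destination is not loopback
    {"EventId": 2, "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true",
     "SourcePort": 3389, "DestinationIp": "10.0.0.41", "DestinationPort": 49831},
    # svchost initiating from local port 3389 to 127.0.0.1: matches the rule
    {"EventId": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true",
     "SourcePort": 3389, "DestinationIp": "127.0.0.1", "DestinationPort": 50022},
    # Same pattern, upper-case path, port as a string, IPv6 loopback: still matches
    {"EventId": 4, "Image": "C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE", "Initiated": "True",
     "SourcePort": "3389", "DestinationIp": "::1", "DestinationPort": 50023},
    # Connection the process did not initiate: excluded by the Initiated check
    {"EventId": 5, "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "false",
     "SourcePort": 3389, "DestinationIp": "127.0.0.1", "DestinationPort": 50024},
]


def find_matches(events):
    """Return the EventId of every event the rule fires on."""
    return [e["EventId"] for e in events if matches_rdp_over_reverse_ssh_tunnel(e)]


if __name__ == "__main__":
    print("matching events:", find_matches(SAMPLE_EVENTS))  # [3, 4]
```

Events 2 and 3 differ only in the destination address, which is what separates a normal RDP session from the loopback pattern the rule is after; event 5 shows why `Initiated` is part of the selection rather than a free-standing port check. The CIDR test is a literal address comparison, so an IPv4-mapped IPv6 form such as `::ffff:127.0.0.1` falls outside both listed ranges and does not match, exactly as the rule's two CIDRs are written; whether a given Sigma backend normalises such addresses before comparison is a property of that backend, not of the rule.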
Related rules
- RDP to HTTP or HTTPS Target Ports
- Port Forwarding Activity Via SSH.EXE
- RDP over Reverse SSH Tunnel WFP
- Suspicious Plink Port Forwarding
- Outbound RDP Connections Over Non-Standard Tools