RDP Over Reverse SSH Tunnel

Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389

Sigma rule

title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
    - https://twitter.com/cyb3rops/status/1096842275437625346
author: Samir Bousseaden
date: 2019/02/16
modified: 2024/03/12
tags:
    - attack.command_and_control
    - attack.t1572
    - attack.lateral_movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection_img:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
    selection_destination:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '::1/128'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
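To make the rule's logic concrete, here is an added Python illustration (not code from the Sigma project or from this rule's author) that evaluates the same four conditions over a few constructed Sysmon Event ID 3 style records. The field names (Image, Initiated, SourcePort, DestinationIp) follow the Sigma network_connection taxonomy used in the rule; the sample records and their EventRecordID values are invented for the example. Two Sigma semantics are reproduced deliberately: string comparisons such as `endswith` are case-insensitive by default, and the `cidr` modifier is a network-membership test rather than a string match, which is why both the IPv4 and the IPv6 loopback entries are handled with ipaddress.

```python
import ipaddress

# Loopback ranges taken from the rule's selection_destination block.
LOOPBACK_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def is_loopback(ip_str):
    """Sigma 'cidr' modifier: True when ip_str falls inside any listed network."""
    try:
        ip = ipaddress.ip_address(str(ip_str).strip())
    except ValueError:
        # Malformed or empty address can never satisfy the cidr selection.
        return False
    return any(ip in net for net in LOOPBACK_NETS)


def matches_rdp_reverse_tunnel(event):
    """Return True when a network_connection event satisfies all of selection_*.

    selection_img:  Image ends with '\\svchost.exe', Initiated is 'true',
                    SourcePort is 3389.
    selection_destination: DestinationIp is in 127.0.0.0/8 or ::1/128.
    """
    image = str(event.get("Image", "")).lower()          # Sigma strings are case-insensitive
    initiated = str(event.get("Initiated", "")).lower() == "true"
    try:
        source_port = int(event.get("SourcePort", -1))   # telemetry may carry ports as strings
    except (TypeError, ValueError):
        return False
    return (
        image.endswith("\\svchost.exe")
        and initiated
        and source_port == 3389
        and is_loopback(event.get("DestinationIp", ""))
    )


def scan(events):
    """Return the EventRecordIDs of all events the rule would fire on."""
    return [ev["EventRecordID"] for ev in events if matches_rdp_reverse_tunnel(ev)]


# Constructed sample records (hypothetical hosts, pids and record ids).
SAMPLE_EVENTS = [
    {   # svchost, initiated, source port 3389, IPv4 loopback -> should match
        "EventRecordID": 101, "Image": "C:\\Windows\\System32\\svchost.exe",
        "Initiated": "true", "SourceIp": "127.0.0.1", "SourcePort": 3389,
        "DestinationIp": "127.0.0.1", "DestinationPort": 52711,
    },
    {   # different image on the same ports -> no match (selection_img fails)
        "EventRecordID": 102, "Image": "C:\\Program Files\\OpenSSH\\sshd.exe",
        "Initiated": "true", "SourceIp": "127.0.0.1", "SourcePort": "3389",
        "DestinationIp": "127.0.0.1", "DestinationPort": 52712,
    },
    {   # svchost to a LAN peer, not loopback -> no match (selection_destination fails)
        "EventRecordID": 103, "Image": "C:\\Windows\\System32\\svchost.exe",
        "Initiated": "true", "SourceIp": "10.20.30.5", "SourcePort": 3389,
        "DestinationIp": "10.20.30.40", "DestinationPort": 61000,
    },
    {   # same pattern over the IPv6 loopback -> should match
        "EventRecordID": 104, "Image": "C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE",
        "Initiated": "True", "SourceIp": "::1", "SourcePort": "3389",
        "DestinationIp": "::1", "DestinationPort": 52713,
    },
    {   # inbound (Initiated=false) connection to 3389 -> no match
        "EventRecordID": 105, "Image": "C:\\Windows\\System32\\svchost.exe",
        "Initiated": "false", "SourceIp": "127.0.0.1", "SourcePort": 3389,
        "DestinationIp": "127.0.0.1", "DestinationPort": 52714,
    },
]

if __name__ == "__main__":
    print("Rule fired on EventRecordIDs:", scan(SAMPLE_EVENTS))
```

Records 101 and 104 are the only ones that satisfy every condition; 102, 103 and 105 each fail exactly one selection, which is a useful way to sanity-check a rule translation before deploying it in a SIEM.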
