RDP Over Reverse SSH Tunnel

Detects svchost.exe (hosting the RDP TermService, "termsvcs") with an initiated network connection from TCP source port 3389 to the loopback address (127.x or ::1), a pattern consistent with the local RDP listener being exposed through a reverse SSH tunnel.

Sigma rule (View on GitHub)

title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
    - https://twitter.com/cyb3rops/status/1096842275437625346
author: Samir Bousseaden
date: 2019/02/16
modified: 2022/10/09
tags:
    - attack.command_and_control
    - attack.t1572
    - attack.lateral_movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection_img:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
    selection_destination:
        - DestinationIp|startswith: '127.'
        - DestinationIp: '::1'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
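To show what the detection block above actually matches, here is an added example (not code from SigmaHQ or the rule author) that evaluates the rule's selections against a handful of constructed Sysmon Event ID 3 records. The field names (Image, Initiated, SourcePort, DestinationIp) follow the Sigma windows/network_connection taxonomy; the events, IP addresses and ports are made up for the illustration, and the evaluator implements only the modifiers and the `all of selection_*` condition this rule uses (a map is an AND of its fields, a list is an OR of its entries, matching is case-insensitive as in Sigma).

```python
"""Added example: evaluate the rule's detection block over constructed
Sysmon EID 3 records.  Not the rule author's or SigmaHQ's code."""

# The rule's detection block, transcribed from the YAML above.
DETECTION = {
    "selection_img": {
        "Image|endswith": "\\svchost.exe",
        "Initiated": "true",
        "SourcePort": 3389,
    },
    "selection_destination": [
        {"DestinationIp|startswith": "127."},
        {"DestinationIp": "::1"},
    ],
    "condition": "all of selection_*",
}


def field_matches(event, key, expected):
    """One Sigma field test; supports only the modifiers the rule uses."""
    name, _, modifier = key.partition("|")
    actual = event.get(name)
    if actual is None:
        return False
    # Sigma string matching is case-insensitive; numbers compare as strings.
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    # A map is an AND of its fields; a list is an OR of its entries.
    if isinstance(selection, dict):
        return all(field_matches(event, k, v) for k, v in selection.items())
    return any(selection_matches(event, entry) for entry in selection)


def rule_matches(event, detection=DETECTION):
    """'all of selection_*': every selection_* block must match."""
    if detection["condition"] != "all of selection_*":
        raise ValueError("only 'all of selection_*' is implemented here")
    selections = [v for k, v in detection.items() if k.startswith("selection_")]
    return all(selection_matches(event, s) for s in selections)


# Constructed Sysmon EID 3 records (not real telemetry).
EVENTS = [
    {   # svchost (TermService) initiating from 3389 to IPv4 loopback: fires
        "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
        "SourceIp": "127.0.0.1", "SourcePort": 3389,
        "DestinationIp": "127.0.0.1", "DestinationPort": 52314,
    },
    {   # same pattern over IPv6 loopback: fires via the second list entry
        "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
        "SourceIp": "::1", "SourcePort": 3389,
        "DestinationIp": "::1", "DestinationPort": 52315,
    },
    {   # ordinary inbound RDP session: Initiated is false, so no match
        "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "false",
        "SourceIp": "10.0.0.5", "SourcePort": 51111,
        "DestinationIp": "10.0.0.20", "DestinationPort": 3389,
    },
    {   # mstsc client to a remote host: wrong image and source port
        "Image": r"C:\Windows\System32\mstsc.exe", "Initiated": "true",
        "SourceIp": "10.0.0.20", "SourcePort": 49200,
        "DestinationIp": "10.0.0.7", "DestinationPort": 3389,
    },
    {   # svchost from 3389 to a non-loopback peer: destination selection fails
        "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
        "SourceIp": "10.0.0.20", "SourcePort": 3389,
        "DestinationIp": "10.0.0.9", "DestinationPort": 60000,
    },
]


def matching_indexes(events=EVENTS):
    """Indexes of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    for i in matching_indexes():
        ev = EVENTS[i]
        print(f"event {i} matches: {ev['Image']} :{ev['SourcePort']} -> {ev['DestinationIp']}")
```

Only the first two records match: the third is the normal server side of an RDP session (not initiated by svchost), the fourth is a client rather than the listener, and the fifth leaves loopback. Note that the rule keys on the svchost side of the connection; the SSH client carrying the tunnel is not itself selected here.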
