RDP to HTTP or HTTPS Target Ports

Aug 12, 2024 · attack.command-and-control attack.t1572 attack.lateral-movement attack.t1021.001 car.2013-07-002 ·

Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443

Sigma rule (View on GitHub)

 1title: RDP to HTTP or HTTPS Target Ports
 2id: b1e5da3b-ca8e-4adf-915c-9921f3d85481
 3status: test
 4description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
 5references:
 6    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
 7    - https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
 8author: Florian Roth (Nextron Systems)
 9date: 2022-04-29
10modified: 2022-07-14
11tags:
12    - attack.command-and-control
13    - attack.t1572
14    - attack.lateral-movement
15    - attack.t1021.001
16    - car.2013-07-002
17logsource:
18    category: network_connection
19    product: windows
20detection:
21    selection:
22        Image|endswith: '\svchost.exe'
23        Initiated: 'true'
24        SourcePort: 3389
25        DestinationPort:
26            - 80
27            - 443
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

x.com

Read More
Bypassing Network Restrictions Through RDP Tunneling | Mandiant | Google Cloud Blog

Remote Desktop Services is a component of Microsoft Windows that is used by various companies for the convenience it offers systems administrators, engineers and remote employees. On the other hand...

Read More

RDP to HTTP or HTTPS Target Ports

Sigma rule (View on GitHub)

References

x.com

Bypassing Network Restrictions Through RDP Tunneling | Mandiant | Google Cloud Blog

Related rules