RDP to HTTP or HTTPS Target Ports
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
Sigma rule (View on GitHub)
1title: RDP to HTTP or HTTPS Target Ports
2id: b1e5da3b-ca8e-4adf-915c-9921f3d85481
3status: test
4description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
5references:
6 - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
7 - https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
8author: Florian Roth (Nextron Systems)
9date: 2022/04/29
10modified: 2022/07/14
11tags:
12 - attack.command_and_control
13 - attack.t1572
14 - attack.lateral_movement
15 - attack.t1021.001
16 - car.2013-07-002
17logsource:
18 category: network_connection
19 product: windows
20detection:
21 selection:
22 Image|endswith: '\svchost.exe'
23 Initiated: 'true'
24 SourcePort: 3389
25 DestinationPort:
26 - 80
27 - 443
28 condition: selection
29falsepositives:
30 - Unknown
31level: high
References
-
-
Remote Desktop Services is a component of Microsoft Windows that is used by various companies for the convenience it offers systems administrators, engineers and remote employees. On the other hand...
Read More
Related rules
- RDP over Reverse SSH Tunnel WFP
- Suspicious Plink Port Forwarding
- Suspicious RDP Redirect Using TSCON
- RDP Login from Localhost
- Communication To Ngrok Tunneling Service - Linux