New Remote Desktop Connection Initiated Via Mstsc.EXE

 1title: New Remote Desktop Connection Initiated Via Mstsc.EXE
 2id: 954f0af7-62dd-418f-b3df-a84bc2c7a774
 3status: test
 4description: |
 5    Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
 6    Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
 9    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
10author: frack113
11date: 2022/01/07
12modified: 2023/02/03
13tags:
14    - attack.lateral_movement
15    - attack.t1021.001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\mstsc.exe'
22        - OriginalFileName: 'mstsc.exe'
23    selection_cli:
24        CommandLine|contains: ' /v:'
25    filter_optional_wsl:
26        # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
27        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
28        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
29    condition: all of selection_* and not 1 of filter_optional_*
30falsepositives:
31    - WSL (Windows Sub System For Linux)
32level: medium

References

• atomic-red-team/atomics/T1021.001/T1021.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• mstsc

  

  Reference article for the mstsc command, which creates connections to Remote Desktop Session Host servers or other remote computers and edits an existing Remote Desktop Connection (.rdp) configuration file

  
  Read More

Related rules

• Hermetic Wiper TG Process Patterns
• RDP over Reverse SSH Tunnel WFP
• RDP to HTTP or HTTPS Target Ports
• Suspicious RDP Redirect Using TSCON
• RDP Login from Localhost