New Remote Desktop Connection Initiated Via Mstsc.EXE

Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Sigma rule (View on GitHub)

 1title: New Remote Desktop Connection Initiated Via Mstsc.EXE
 2id: 954f0af7-62dd-418f-b3df-a84bc2c7a774
 3status: test
 4description: |
 5    Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
 6    Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
 9    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
10author: frack113
11date: 2022-01-07
12modified: 2024-06-04
13tags:
14    - attack.lateral-movement
15    - attack.t1021.001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\mstsc.exe'
22        - OriginalFileName: 'mstsc.exe'
23    selection_cli:
24        CommandLine|contains|windash: ' /v:'
25    filter_optional_wsl:
26        # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
27        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
28        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
29    condition: all of selection_* and not 1 of filter_optional_*
30falsepositives:
31    - WSL (Windows Sub System For Linux)
32level: medium

References

Related rules

to-top