Mstsc.EXE Execution With Local RDP File

 1title: Mstsc.EXE Execution With Local RDP File
 2id: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af
 3status: test
 4description: Detects potential RDP connection via Mstsc using a local ".rdp" file
 5references:
 6    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
 7    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
 8author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
 9date: 2023-04-18
10modified: 2023-04-30
11tags:
12    - attack.command-and-control
13    - attack.t1219
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith: '\mstsc.exe'
20        - OriginalFileName: 'mstsc.exe'
21    selection_cli:
22        CommandLine|endswith:
23            - '.rdp'
24            - '.rdp"'
25    filter_optional_wsl:
26        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
27        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
28    condition: all of selection_* and not 1 of filter_optional_*
29falsepositives:
30    - Likely with legitimate usage of ".rdp" files
31level: low

References

• Rogue RDP – Revisiting Initial Access Methods - Black Hills Information Security

  

  Mike Felch // The Hunt for Initial Access With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red […]

  
  Read More

• Detecting Rogue RDP

  

  You won't believe what Sysmon missed with this new initial access technique!

  
  Read More

Related rules

• Anydesk Temporary Artefact
• DNS Query To AzureWebsites.NET By Non-Browser Process
• GoToAssist Temporary Installation Artefact
• HackTool - Inveigh Execution Artefacts
• HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators