Mstsc.EXE Execution With Local RDP File

 1title: Mstsc.EXE Execution With Local RDP File
 2id: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af
 3status: test
 4description: Detects potential RDP connection via Mstsc using a local ".rdp" file
 5references:
 6    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
 7    - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
 8author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
 9date: 2023/04/18
10modified: 2023/04/30
11tags:
12    - attack.command_and_control
13    - attack.t1219
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|endswith: '\mstsc.exe'
20        - OriginalFileName: 'mstsc.exe'
21    selection_cli:
22        CommandLine|endswith:
23            - '.rdp'
24            - '.rdp"'
25    filter_optional_wsl:
26        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
27        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
28    condition: all of selection_* and not 1 of filter_optional_*
29falsepositives:
30    - Likely with legitimate usage of ".rdp" files
31level: low

References

• Rogue RDP – Revisiting Initial Access Methods - Black Hills Information Security

  

  Mike Felch // The Hunt for Initial Access With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red […]

  
  Read More

• https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/

  
  Read More

Related rules

• Suspicious Mstsc.EXE Execution With Local RDP File
• Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
• Remote Access Tool - Simple Help Execution
• Hijack Legit RDP Session to Move Laterally
• Potential SocGholish Second Stage C2 DNS Query