Mstsc.EXE Execution With Local RDP File

Detects potential RDP connection via Mstsc using a local ".rdp" file

Sigma rule

title: Mstsc.EXE Execution With Local RDP File
id: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
date: 2023-04-18
modified: 2023-04-30
tags:
    - attack.command-and-control
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    selection_cli:
        CommandLine|endswith:
            - '.rdp'
            - '.rdp"'
    filter_optional_wsl:
        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Likely with legitimate usage of ".rdp" files
level: low
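To show how the selections and the optional filter combine under the rule's condition, the following added Python example evaluates the rule's logic over constructed process_creation events. It is not part of the Sigma project or of any Sigma backend: it implements only the operators this rule uses (`endswith`, `contains`, exact match, case-insensitive as Sigma defaults to) and the four sample events are made up here, with paths and user names chosen for illustration.

```python
# Added example: a minimal evaluator for the Sigma rule above, run over
# constructed Windows process_creation events. Field names (Image,
# OriginalFileName, CommandLine, ParentImage) follow Sigma's process_creation
# taxonomy; event values are constructed for this example.

SIGMA_RULE_ID = "5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af"  # id from the rule above


def _lower(value):
    # Sigma string comparisons are case-insensitive by default; treat a
    # missing field as an empty string so no selection matches on it.
    return (value or "").lower()


def selection_img(event):
    # A list under a selection is an OR of its items: either the image path
    # ends with \mstsc.exe, or the PE OriginalFileName is mstsc.exe (which
    # still matches when the binary has been renamed on disk).
    return (_lower(event.get("Image")).endswith("\\mstsc.exe")
            or _lower(event.get("OriginalFileName")) == "mstsc.exe")


def selection_cli(event):
    # CommandLine|endswith with a list: the command line ends with either
    # form of the .rdp suffix (bare, or followed by a closing quote).
    cli = _lower(event.get("CommandLine"))
    return cli.endswith(".rdp") or cli.endswith('.rdp"')


def filter_optional_wsl(event):
    # A mapping under a selection is an AND of its fields: WSLg launches
    # mstsc.exe from wslhost.exe with its own wslg.rdp, which the rule
    # excludes as a known benign source.
    return (_lower(event.get("ParentImage")) == "c:\\windows\\system32\\lxss\\wslhost.exe"
            and "c:\\programdata\\microsoft\\wsl\\wslg.rdp" in _lower(event.get("CommandLine")))


def matches(event):
    # condition: all of selection_* and not 1 of filter_optional_*
    return selection_img(event) and selection_cli(event) and not filter_optional_wsl(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # e1: user double-clicks a downloaded .rdp file; Explorer passes the path last
        "id": "e1",
        "Image": r"C:\Windows\System32\mstsc.exe",
        "OriginalFileName": "mstsc.exe",
        "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\alice\Downloads\remote.rdp"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # e2: WSLg starting its GUI session; should be suppressed by filter_optional_wsl
        "id": "e2",
        "Image": r"C:\Windows\System32\mstsc.exe",
        "OriginalFileName": "mstsc.exe",
        "CommandLine": r"C:\Windows\System32\mstsc.exe C:\ProgramData\Microsoft\WSL\wslg.rdp",
        "ParentImage": r"C:\Windows\System32\lxss\wslhost.exe",
    },
    {   # e3: ordinary interactive use with /v:, no .rdp file on the command line
        "id": "e3",
        "Image": r"C:\Windows\System32\mstsc.exe",
        "OriginalFileName": "mstsc.exe",
        "CommandLine": r"mstsc.exe /v:fileserver01 /admin",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # e4: binary copied under another name; only OriginalFileName still says mstsc.exe
        "id": "e4",
        "Image": r"C:\Users\alice\AppData\Local\Temp\rd.exe",
        "OriginalFileName": "mstsc.exe",
        "CommandLine": r"rd.exe C:\Users\alice\AppData\Local\Temp\session.rdp",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]


def evaluate(events):
    # Returns (event id, matched) for each event, in input order.
    return [(e["id"], matches(e)) for e in events]


if __name__ == "__main__":
    for event_id, hit in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {'ALERT' if hit else 'no match'} ({SIGMA_RULE_ID})")
```

Running it flags e1 and e4 and leaves e2 and e3 alone: e2 is caught by every selection but removed by the WSLg filter, and e3 never satisfies selection_cli. Note that the rule's `endswith` match relies on the `.rdp` path being the final argument, which is how Explorer and the "open" verb invoke mstsc.exe; a rule pipeline that needs broader coverage would use `CommandLine|contains` instead at the cost of more false positives.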
