Suspicious Mstsc.EXE Execution With Local RDP File
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Sigma rule

title: Suspicious Mstsc.EXE Execution With Local RDP File
id: 6e22722b-dfb1-4508-a911-49ac840b40f8
status: experimental
description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/18
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    selection_extension:
        CommandLine|endswith:
            - '.rdp'
            - '.rdp"'
    selection_paths:
        # Note: This list of paths is better transformed into a whitelist where you only exclude legitimate locations you use in your env
        CommandLine|contains:
            - ':\Users\Public\'
            - ':\Windows\System32\spool\drivers\color'
            - ':\Windows\System32\Tasks_Migrated '
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - ':\Windows\Tracing\'
            - '\AppData\Local\Temp\'
            # - '\Desktop\' # Could be source of FP depending on the environment
            - '\Downloads\' # Could be source of FP depending on the environment
    condition: all of selection_*
falsepositives:
    - Likelihood is related to how often the paths are used in the environment
level: high
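To make the rule's logic concrete, the following Python evaluator (an added example, not code from the rule's author or the Sigma project) applies the three selections and the `all of selection_*` condition to a handful of constructed process-creation events. It assumes events are dicts keyed by the Sigma field names `Image`, `OriginalFileName` and `CommandLine`, and that string modifiers are matched case-insensitively, as Sigma does by default. Note that the list-of-maps form of `selection_img` means OR between its two entries, which is what lets the rule still fire when `mstsc.exe` has been copied under another name but keeps its original PE file name.

```python
"""Toy evaluator for the 'Suspicious Mstsc.EXE Execution With Local RDP File'
Sigma rule.  Event field names and sample events are constructed for this
example; the rule values are copied from the rule above."""

IMG_SUFFIX = "\\mstsc.exe"          # Image|endswith
ORIGINAL_FILE_NAME = "mstsc.exe"    # OriginalFileName (plain equality)
EXT_SUFFIXES = (".rdp", '.rdp"')    # CommandLine|endswith
SUSPICIOUS_PATHS = (                # CommandLine|contains
    ":\\Users\\Public\\",
    ":\\Windows\\System32\\spool\\drivers\\color",
    ":\\Windows\\System32\\Tasks_Migrated ",
    ":\\Windows\\Tasks\\",
    ":\\Windows\\Temp\\",
    ":\\Windows\\Tracing\\",
    "\\AppData\\Local\\Temp\\",
    "\\Downloads\\",  # '\Desktop\' is commented out in the rule, so it is left out here
)


def _lc(event, field):
    """Field value lowered for case-insensitive matching (assumed Sigma default)."""
    return str(event.get(field, "")).lower()


def selection_img(event):
    # A YAML list of maps under a selection is OR-ed: either entry is enough.
    return (_lc(event, "Image").endswith(IMG_SUFFIX)
            or _lc(event, "OriginalFileName") == ORIGINAL_FILE_NAME)


def selection_extension(event):
    cmd = _lc(event, "CommandLine")
    return any(cmd.endswith(suffix.lower()) for suffix in EXT_SUFFIXES)


def selection_paths(event):
    cmd = _lc(event, "CommandLine")
    return any(path.lower() in cmd for path in SUSPICIOUS_PATHS)


def matches(event):
    """condition: all of selection_*  -> every selection must hold."""
    return selection_img(event) and selection_extension(event) and selection_paths(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "evt-1", "Image": "C:\\Windows\\System32\\mstsc.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": "mstsc.exe C:\\Users\\bob\\Downloads\\invoice.rdp"},
    {"id": "evt-2", "Image": "C:\\Windows\\System32\\mstsc.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": 'mstsc.exe "C:\\Users\\bob\\Documents\\work.rdp"'},
    # Binary copied and renamed, but the PE OriginalFileName still says mstsc.exe.
    {"id": "evt-3", "Image": "C:\\Windows\\Temp\\svc.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": '"C:\\Windows\\Temp\\svc.exe" "C:\\Windows\\Temp\\conn.rdp"'},
    {"id": "evt-4", "Image": "C:\\Windows\\System32\\mstsc.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": "mstsc.exe /v:host.example.internal"},
    {"id": "evt-5", "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe C:\\Users\\Public\\readme.rdp"},
]


def find_matches(events):
    """Return the ids of events the rule would alert on."""
    return [event["id"] for event in events if matches(event)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], "MATCH" if matches(event) else "no match")
```

Event evt-2 shows why the rule's comment suggests inverting the path list into an allow-list: a `.rdp` file launched from a user's Documents folder is not covered, whereas an allow-list of known-good locations would flag it. Event evt-4 shows the complementary gap, a connection started with `/v:` and no `.rdp` file at all, which this rule does not try to catch.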