Suspicious Mstsc.EXE Execution With Local RDP File
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Sigma rule
title: Suspicious Mstsc.EXE Execution With Local RDP File
id: 6e22722b-dfb1-4508-a911-49ac840b40f8
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
tags:
    - attack.command-and-control
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # Either the on-disk name or the PE OriginalFileName (catches a renamed mstsc.exe)
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    selection_extension:
        # Covers both a bare and a double-quoted trailing .rdp argument
        CommandLine|endswith:
            - '.rdp'
            - '.rdp"'
    selection_paths:
        # Note: This list of paths is better transformed into a whitelist where you only exclude legitimate locations you use in your env
        CommandLine|contains:
            - ':\Users\Public\'
            - ':\Windows\System32\spool\drivers\color'
            - ':\Windows\System32\Tasks_Migrated\' # path separator, not a trailing space, so a file inside the directory matches
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - ':\Windows\Tracing\'
            - '\AppData\Local\Temp\'
            # - '\Desktop\' # Could be source of FP depending on the environment
            - '\Downloads\' # Could be source of FP depending on the environment
    condition: all of selection_*
falsepositives:
    - Likelihood is related to how often the paths are used in the environment
level: high
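The rule's three selections (image, .rdp extension, suspicious directory) and its `all of selection_*` condition re-implemented in Python and run over constructed process-creation events, together with the allow-list variant that the comment in `selection_paths` recommends. This is an added example, not code from the Sigma page or the SigmaHQ project; the event field names follow the Sigma Windows `process_creation` schema, the sample events are constructed, and the sanctioned directory `:\ProgramData\CorpRDP\` is an assumption.

```python
# Added example (not part of the Sigma rule or the SigmaHQ project): the rule's
# selection logic evaluated over constructed Sysmon-style process_creation events,
# plus the allow-list variant suggested by the rule's own comment.
# Sigma string modifiers (endswith/contains/equals) compare case-insensitively,
# which is why every comparison below lower-cases both sides.

SUSPICIOUS_DIRS = (  # selection_paths, as listed in the rule
    ":\\Users\\Public\\",
    ":\\Windows\\System32\\spool\\drivers\\color",
    ":\\Windows\\System32\\Tasks_Migrated\\",
    ":\\Windows\\Tasks\\",
    ":\\Windows\\Temp\\",
    ":\\Windows\\Tracing\\",
    "\\AppData\\Local\\Temp\\",
    "\\Downloads\\",
)

# Assumed sanctioned location for corporate .rdp files (allow-list variant only).
ALLOWED_RDP_DIRS = (":\\ProgramData\\CorpRDP\\",)


def selection_img(event):
    """Image ends with \\mstsc.exe OR OriginalFileName equals mstsc.exe."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith("\\mstsc.exe") or ofn == "mstsc.exe"


def selection_extension(event):
    """Command line ends with .rdp, quoted or bare."""
    cmd = event.get("CommandLine", "").lower()
    return cmd.endswith(".rdp") or cmd.endswith('.rdp"')


def selection_paths(event):
    """Any listed directory fragment appears anywhere in the command line."""
    cmd = event.get("CommandLine", "").lower()
    return any(d.lower() in cmd for d in SUSPICIOUS_DIRS)


def matches_rule(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_extension(event) and selection_paths(event)


def rdp_file_argument(cmd):
    """Return the trailing .rdp argument (quoted or bare) or None if there is none."""
    cmd = cmd.strip()
    if cmd.endswith('"'):
        start = cmd.rfind('"', 0, len(cmd) - 1)
        arg = cmd[start + 1:-1] if start != -1 else cmd[:-1]
    else:
        arg = cmd.rsplit(" ", 1)[-1]
    return arg if arg.lower().endswith(".rdp") else None


def matches_allowlist_variant(event, allowed_dirs=ALLOWED_RDP_DIRS):
    """Inverted selection_paths: alert on any mstsc .rdp launch whose file is NOT
    under a sanctioned directory. Also catches the commented-out Desktop case."""
    if not (selection_img(event) and selection_extension(event)):
        return False
    arg = rdp_file_argument(event.get("CommandLine", ""))
    if arg is None:
        return False
    return not any(d.lower() in arg.lower() for d in allowed_dirs)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: mailed .rdp opened from Downloads
        "Image": "C:\\Windows\\System32\\mstsc.exe", "OriginalFileName": "mstsc.exe",
        "CommandLine": '"C:\\Windows\\System32\\mstsc.exe" "C:\\Users\\victim\\Downloads\\invoice.rdp"'},
    {   # 2: unquoted, mixed case, world-writable directory
        "Image": "C:\\WINDOWS\\system32\\MSTSC.EXE", "OriginalFileName": "mstsc.exe",
        "CommandLine": "MSTSC.EXE C:\\Users\\Public\\conn.RDP"},
    {   # 3: renamed binary; only OriginalFileName gives it away
        "Image": "C:\\Windows\\Temp\\svc.exe", "OriginalFileName": "mstsc.exe",
        "CommandLine": "svc.exe C:\\Windows\\Temp\\a.rdp"},
    {   # 4: sanctioned file from the assumed corporate location
        "Image": "C:\\Windows\\System32\\mstsc.exe", "OriginalFileName": "mstsc.exe",
        "CommandLine": '"C:\\Windows\\System32\\mstsc.exe" "C:\\ProgramData\\CorpRDP\\hq.rdp"'},
    {   # 5: .rdp on the Desktop: ignored by the rule, flagged by the allow-list variant
        "Image": "C:\\Windows\\System32\\mstsc.exe", "OriginalFileName": "mstsc.exe",
        "CommandLine": '"C:\\Windows\\System32\\mstsc.exe" "C:\\Users\\victim\\Desktop\\hq.rdp"'},
    {   # 6: interactive /v: connection, no .rdp file at all
        "Image": "C:\\Windows\\System32\\mstsc.exe", "OriginalFileName": "mstsc.exe",
        "CommandLine": '"C:\\Windows\\System32\\mstsc.exe" /v:server01'},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return (rule_hits, allowlist_hits): one boolean per event for each variant."""
    return ([matches_rule(e) for e in events],
            [matches_allowlist_variant(e) for e in events])


if __name__ == "__main__":
    for e, r, a in zip(SAMPLE_EVENTS, *evaluate()):
        print(f"rule={r!s:5} allowlist={a!s:5} {e['CommandLine']}")
```

Events 1 to 3 fire under both variants, including the renamed binary that only `OriginalFileName` exposes; event 4 is silent under both because the file sits in the sanctioned directory; event 5 shows the cost of leaving `\Desktop\` commented out in the block-list form, which the allow-list form does not pay; event 6 never reaches the path check because there is no `.rdp` argument.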
Related rules
- Anydesk Temporary Artefact
- DNS Query To AzureWebsites.NET By Non-Browser Process
- GoToAssist Temporary Installation Artefact
- HackTool - Inveigh Execution Artefacts
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators