Suspicious Mstsc.EXE Execution With Local RDP File

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

Sigma rule

```yaml
title: Suspicious Mstsc.EXE Execution With Local RDP File
id: 6e22722b-dfb1-4508-a911-49ac840b40f8
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/18
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    selection_extension:
        CommandLine|endswith:
            - '.rdp'
            - '.rdp"'
    selection_paths:
        # Note: This list of paths is better transformed into a whitelist where you only exclude legitimate locations you use in your env
        CommandLine|contains:
            - ':\Users\Public\'
            - ':\Windows\System32\spool\drivers\color'
            - ':\Windows\System32\Tasks_Migrated\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - ':\Windows\Tracing\'
            - '\AppData\Local\Temp\'
            # - '\Desktop\' # Could be source of FP depending on the environment
            - '\Downloads\' # Could be source of FP depending on the environment
    condition: all of selection_*
falsepositives:
    - Likelihood is related to how often the paths are used in the environment
level: high
```
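To see what the three selections actually fire on, here is an added hand-written matcher (example code, not part of the Sigma project or this rule's page) that mirrors the rule's case-insensitive `endswith`/`contains` logic and runs it over constructed process-creation events; the `Tasks_Migrated` pattern is assumed to end in a backslash like its neighbours.

```python
"""Evaluate the rule's selections against constructed process-creation events."""

# Patterns copied from the rule above (Sigma string matching is case-insensitive).
IMAGE_SUFFIX = "\\mstsc.exe"
ORIGINAL_NAME = "mstsc.exe"
EXTENSIONS = (".rdp", '.rdp"')
SUSPICIOUS_PATHS = (
    ":\\Users\\Public\\",
    ":\\Windows\\System32\\spool\\drivers\\color",
    ":\\Windows\\System32\\Tasks_Migrated\\",  # assumed trailing backslash
    ":\\Windows\\Tasks\\",
    ":\\Windows\\Temp\\",
    ":\\Windows\\Tracing\\",
    "\\AppData\\Local\\Temp\\",
    "\\Downloads\\",
)


def _lower(event, field):
    """Lower-cased field value; a missing field never matches anything."""
    return str(event.get(field, "")).lower()


def matches_rule(event):
    """True only when selection_img, selection_extension and selection_paths all hold."""
    img_ok = (_lower(event, "Image").endswith(IMAGE_SUFFIX)
              or _lower(event, "OriginalFileName") == ORIGINAL_NAME)
    cmd = _lower(event, "CommandLine")
    ext_ok = any(cmd.endswith(ext) for ext in EXTENSIONS)   # handles the quoted form too
    path_ok = any(path.lower() in cmd for path in SUSPICIOUS_PATHS)
    return img_ok and ext_ok and path_ok


# Constructed sample events, not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\mstsc.exe",          # quoted .rdp in Downloads -> fires
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\alice\Downloads\invoice.rdp"'},
    {"Image": r"C:\Windows\System32\mstsc.exe",          # upper-case extension, Public -> fires
     "CommandLine": r"mstsc.exe C:\Users\Public\connect.RDP"},
    {"Image": r"C:\Windows\System32\mstsc.exe",          # no .rdp file at all -> silent
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" /v:fileserver01'},
    {"Image": r"C:\Tools\mstsc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": r"C:\Tools\mstsc.exe C:\Users\alice\Documents\work.rdp"},  # path not listed -> silent
]


def evaluate(events=EVENTS):
    """Return one verdict per event, in order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate()):
        print("ALERT " if hit else "ok    ", event["CommandLine"])
```

The fourth event shows why the rule's comment suggests inverting the path list into a whitelist: a renamed or relocated client launching a `.rdp` file from an unlisted directory stays silent.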
