Mstsc.EXE Execution From Uncommon Parent
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Sigma rule

```yaml
title: Mstsc.EXE Execution From Uncommon Parent
id: ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
tags:
    - attack.lateral-movement
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Covers potential downloads/clicks from browsers
            - '\brave.exe'
            - '\CCleanerBrowser.exe'
            - '\chrome.exe'
            - '\chromium.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\microsoftedge.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
            # Covers potential downloads/clicks from email clients
            - '\outlook.exe'
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
```
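To make the rule's logic concrete, the following is an added example (not part of the Sigma rule page or the Sigma project's own backends) that evaluates the same selections in plain Python against a handful of constructed process_creation events. It assumes the Sigma Windows process_creation field names (`ParentImage`, `Image`, `OriginalFileName`) and applies Sigma's case-insensitive string matching; note that `selection_img` is a list of maps, so either the image path or the PE original file name is enough, which is what catches a renamed `mstsc.exe`.

```python
"""Added example: evaluate the 'Mstsc.EXE Execution From Uncommon Parent'
Sigma logic against constructed process_creation events. This is not a Sigma
backend; field names follow the Sigma Windows process_creation taxonomy."""

# Parent image suffixes from the rule's selection_parent (browsers, then Outlook).
# Lowercased because Sigma string modifiers match case-insensitively.
PARENT_SUFFIXES = (
    "\\brave.exe", "\\ccleanerbrowser.exe", "\\chrome.exe", "\\chromium.exe",
    "\\firefox.exe", "\\iexplore.exe", "\\microsoftedge.exe", "\\msedge.exe",
    "\\opera.exe", "\\vivaldi.exe", "\\whale.exe", "\\outlook.exe",
)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'condition: all of selection_*'."""
    parent = str(event.get("ParentImage", "")).lower()
    image = str(event.get("Image", "")).lower()
    original = str(event.get("OriginalFileName", "")).lower()

    # selection_parent: ParentImage|endswith any of the listed values
    selection_parent = parent.endswith(PARENT_SUFFIXES)
    # selection_img is a YAML list of maps, so the two maps are OR-ed:
    # either the on-disk name or the PE OriginalFileName identifies mstsc
    selection_img = image.endswith("\\mstsc.exe") or original == "mstsc.exe"
    return selection_parent and selection_img


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: normal user launch from Explorer; parent not in the list -> no hit
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\mstsc.exe",
        "OriginalFileName": "mstsc.exe",
    },
    {   # 1: browser-spawned mstsc, e.g. a downloaded .rdp file opened -> hit
        "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "Image": "C:\\Windows\\System32\\mstsc.exe",
        "OriginalFileName": "mstsc.exe",
        "CommandLine": '"C:\\Windows\\System32\\mstsc.exe" "C:\\Users\\alice\\Downloads\\connect.rdp"',
    },
    {   # 2: Outlook parent, binary renamed on disk but OriginalFileName intact -> hit
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\rdpclient.exe",
        "OriginalFileName": "mstsc.exe",
    },
    {   # 3: browser spawning an unrelated child -> no hit
        "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
    },
]


def find_hits(events):
    """Return the indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in find_hits(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['ParentImage']} -> {e['Image']}")
```

Events 1 and 2 fire; event 0 shows why the parent list matters (mstsc launched from Explorer is routine), and event 2 shows why the rule keys on `OriginalFileName` as well as the path.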
Related rules
- Possible Exploitation of Exchange RCE CVE-2021-42321
- Publicly Accessible RDP Service
- Remote Encrypting File System Abuse
- Remote File Copy
- Remote Printing Abuse for Lateral Movement