Mstsc.EXE Execution From Uncommon Parent
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Sigma rule

```yaml
title: Mstsc.EXE Execution From Uncommon Parent
id: ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
modified: 2023-04-18
tags:
    - attack.lateral-movement
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Covers potential downloads/clicks from browsers
            - '\brave.exe'
            - '\CCleanerBrowser.exe'
            - '\chrome.exe'
            - '\chromium.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\microsoftedge.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
            # Covers potential downloads/clicks from email clients
            - '\outlook.exe'
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
```
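As an added illustration (not part of the Sigma project or of this rule's page), the following Python evaluates the rule's detection logic over constructed process_creation events, applying Sigma's case-insensitive string matching, the `endswith` modifier, the OR between the two `selection_img` entries and the AND of `all of selection_*`; the helper names and sample events are assumptions.

```python
# Added example: re-implements this rule's detection logic in Python.
# Not Sigma project code; helper names are hypothetical.
from typing import Dict, Iterable, List, Optional

# Parent process names taken from the rule's selection_parent (browsers and Outlook).
UNCOMMON_PARENTS = (
    "\\brave.exe", "\\CCleanerBrowser.exe", "\\chrome.exe", "\\chromium.exe",
    "\\firefox.exe", "\\iexplore.exe", "\\microsoftedge.exe", "\\msedge.exe",
    "\\opera.exe", "\\vivaldi.exe", "\\whale.exe", "\\outlook.exe",
)

def _endswith_ci(value: Optional[str], suffixes: Iterable[str]) -> bool:
    """Sigma string matching is case-insensitive; `|endswith` maps to str.endswith."""
    if value is None:
        return False
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies `condition: all of selection_*`."""
    # selection_parent: ParentImage ends with one of the listed browser/mail-client names.
    parent_hit = _endswith_ci(event.get("ParentImage"), UNCOMMON_PARENTS)
    # selection_img is a YAML list of maps, so its two entries are OR-ed:
    # a renamed binary is still caught through OriginalFileName.
    img_hit = (
        _endswith_ci(event.get("Image"), ("\\mstsc.exe",))
        or (event.get("OriginalFileName") or "").lower() == "mstsc.exe"
    )
    return parent_hit and img_hit

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": r"mstsc.exe C:\Users\u\Downloads\invoice.rdp"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\Temp\renamed.exe", "OriginalFileName": "MSTSC.EXE"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # common parent: no alert
     "Image": r"C:\Windows\System32\mstsc.exe"},
    {"ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},      # browser child, not mstsc
]

def alerts(events: List[Dict[str, str]]) -> List[int]:
    """Indexes of the events that would trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0, 1]
```

The second sample event shows why the rule keys on OriginalFileName as well as Image: copying mstsc.exe under another name still leaves the PE's original file name intact.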