Mstsc.EXE Execution From Uncommon Parent

Detects a potential RDP connection via mstsc.exe using a local ".rdp" file located in suspicious locations.

Sigma rule

title: Mstsc.EXE Execution From Uncommon Parent
id: ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/18
modified: 2023/04/18
tags:
    - attack.lateral_movement
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Covers potential downloads/clicks from browsers
            - '\brave.exe'
            - '\CCleanerBrowser.exe'
            - '\chrome.exe'
            - '\chromium.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\microsoftedge.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
            # Covers potential downloads/clicks from email clients
            - '\outlook.exe'
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
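To see exactly what the two selections and the `all of selection_*` condition match, the following added Python example (not part of the rule or of the SigmaHQ project, and written without pySigma) re-implements the rule's logic and runs it over a few constructed process_creation events. The field names (ParentImage, Image, OriginalFileName) and the parent list come from the rule; the event values, the hypothetical paths and users in them, and the `evaluate` helper are assumptions made for the example. It shows that an ordinary explorer.exe-launched mstsc.exe does not fire, that the rule is case-insensitive (Sigma's default), and that the `OriginalFileName` branch of `selection_img` still matches when the image path does not end in `\mstsc.exe`.

```python
"""Re-implementation of the rule's detection logic over constructed events.

Added example: not part of the Sigma rule or the SigmaHQ project. It mirrors the
rule's two selections and its 'all of selection_*' condition in plain Python so the
matching behaviour can be checked offline, without pySigma or a SIEM. Sigma string
matching is case-insensitive by default, which the helpers below reproduce.
"""

# Values from the rule's selection_parent (ParentImage|endswith).
UNCOMMON_PARENTS = (
    # browsers
    "\\brave.exe", "\\CCleanerBrowser.exe", "\\chrome.exe", "\\chromium.exe",
    "\\firefox.exe", "\\iexplore.exe", "\\microsoftedge.exe", "\\msedge.exe",
    "\\opera.exe", "\\vivaldi.exe", "\\whale.exe",
    # email client
    "\\outlook.exe",
)


def _endswith_ci(value, suffix):
    """Sigma '|endswith' modifier: case-insensitive suffix match; a missing field never matches."""
    return value is not None and value.lower().endswith(suffix.lower())


def selection_parent(event):
    """selection_parent: ParentImage ends with one of the listed browser / mail client names."""
    return any(_endswith_ci(event.get("ParentImage"), p) for p in UNCOMMON_PARENTS)


def selection_img(event):
    """selection_img: a YAML list of maps is OR-ed, so either the image path ends with
    \\mstsc.exe or the PE's OriginalFileName is mstsc.exe (true even if the file was renamed)."""
    original = event.get("OriginalFileName") or ""
    return _endswith_ci(event.get("Image"), "\\mstsc.exe") or original.lower() == "mstsc.exe"


def rule_matches(event):
    """condition: all of selection_* -> both selections must hold."""
    return selection_parent(event) and selection_img(event)


def evaluate(events):
    """Return the ids of the events the rule fires on (hypothetical helper, not part of the rule)."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed process_creation events (hypothetical hosts, users and paths; not real telemetry).
SAMPLE_EVENTS = [
    {   # browser launched the RDP client, e.g. after the user opened a downloaded .rdp file
        "id": "evt-1",
        "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "Image": "C:\\Windows\\System32\\mstsc.exe",
        "OriginalFileName": "mstsc.exe",
        "CommandLine": '"C:\\Windows\\System32\\mstsc.exe" "C:\\Users\\alice\\Downloads\\invoice.rdp"',
    },
    {   # ordinary interactive launch from the shell: parent is explorer.exe, so no alert
        "id": "evt-2",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\mstsc.exe",
        "OriginalFileName": "mstsc.exe",
        "CommandLine": '"C:\\Windows\\System32\\mstsc.exe"',
    },
    {   # mail client (upper-case path) spawned a renamed copy of the client:
        # Image does not end with \mstsc.exe, but OriginalFileName still identifies it
        "id": "evt-3",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\client.exe",
        "OriginalFileName": "mstsc.exe",
        "CommandLine": '"C:\\Users\\alice\\AppData\\Local\\Temp\\client.exe" "C:\\Users\\alice\\AppData\\Local\\Temp\\meeting.rdp"',
    },
    {   # browser launched something else entirely: parent selection matches, image selection does not
        "id": "evt-4",
        "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe readme.txt",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], "ALERT" if rule_matches(event) else "no match")
```

Run as a script it prints one line per constructed event; evt-1 and evt-3 alert, evt-2 and evt-4 do not. The `OriginalFileName` branch is the one worth noting when tuning: it keeps the rule from depending on the on-disk file name, which is why the rule lists it alongside the `Image|endswith` check.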
