sigmaDRL-1.1from SigmaHQ/sigma
Mstsc.EXE Execution From Uncommon Parent
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Quality
58
FP risk
—
Forks
0
Views
0
Rule sourcerules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml
title: Mstsc.EXE Execution From Uncommon Parent
id: ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
references:
- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
tags:
- attack.lateral-movement
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Covers potential downloads/clicks from browsers
- '\brave.exe'
- '\CCleanerBrowser.exe'
- '\chrome.exe'
- '\chromium.exe'
- '\firefox.exe'
- '\iexplore.exe'
- '\microsoftedge.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
- '\whale.exe'
# Covers potential downloads/clicks from email clients
- '\outlook.exe'
selection_img:
- Image|endswith: '\mstsc.exe'
- OriginalFileName: 'mstsc.exe'
condition: all of selection_*
falsepositives:
- Unlikely
level: high