
Outbound RDP Connections Over Non-Standard Tools

sigma HIGH SigmaHQ
T1021.001
imNetworkSession
lateral-movement
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-05T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects non-standard tools initiating a connection over port 3389, indicating possible lateral movement. An initial baseline is required before using this rule, so that third-party RDP tooling you legitimately use can be excluded.

Detection Rule

Sigma (Original)

title: Outbound RDP Connections Over Non-Standard Tools
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: test
description: |
    Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
    An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
references:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis
date: 2019-05-15
modified: 2024-02-09
tags:
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort: 3389
        Initiated: 'true'
    filter_main_mstsc:
        Image:
            - 'C:\Windows\System32\mstsc.exe'
            - 'C:\Windows\SysWOW64\mstsc.exe'
    filter_optional_dns:
        # Note: https://github.com/SigmaHQ/sigma/pull/2249
        Image: 'C:\Windows\System32\dns.exe'
        SourcePort: 53
        Protocol: 'udp'
    filter_optional_avast:
        Image|endswith:
            - '\Avast Software\Avast\AvastSvc.exe'
            - '\Avast\AvastSvc.exe'
    filter_optional_sysinternals_rdcman:
        Image|endswith: '\RDCMan.exe'
    filter_optional_chrome:
        Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_third_party:
        Image|endswith:
            - '\FSAssessment.exe'
            - '\FSDiscovery.exe'
            - '\MobaRTE.exe'
            - '\mRemote.exe'
            - '\mRemoteNG.exe'
            - '\Passwordstate.exe'
            - '\RemoteDesktopManager.exe'
            - '\RemoteDesktopManager64.exe'
            - '\RemoteDesktopManagerFree.exe'
            - '\RSSensor.exe'
            - '\RTS2App.exe'
            - '\RTSApp.exe'
            - '\spiceworks-finder.exe'
            - '\Terminals.exe'
            - '\ws_TunnelService.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_splunk:
        Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
    filter_optional_sentinel_one:
        Image|endswith: '\Ranger\SentinelRanger.exe'
    filter_optional_firefox:
        Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tsplus:  # Some RAS
        Image:
            - 'C:\Program Files\TSplus\Java\bin\HTML5service.exe'
            - 'C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
    filter_optional_null:
        Image: null
    filter_optional_empty:
        Image: ''
    filter_optional_unknown:
        Image: '<unknown process>'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Third party RDP tools
level: high
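As an added example, not part of the SigmaHQ rule or of this page, the Python below applies the rule's selection and exclusion logic to a handful of constructed Windows network_connection events. The field names and filter lists are taken from the rule above; the sample image paths, ports and the event dictionaries are constructed for illustration.

```python
# Added example (not SigmaHQ code): applies the rule's selection and filter logic to
# constructed network_connection events keyed by the Sigma field names (case-insensitive).
FILTER_MAIN = {r"c:\windows\system32\mstsc.exe", r"c:\windows\syswow64\mstsc.exe"}
FILTER_EXACT = {  # exact-match optional filters, incl. the empty/unknown Image filters
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\program files\tsplus\java\bin\html5service.exe",
    r"c:\program files (x86)\tsplus\java\bin\html5service.exe", "", "<unknown process>"}
FILTER_ENDSWITH = (  # Image|endswith optional filters
    r"\avast software\avast\avastsvc.exe", r"\avast\avastsvc.exe", r"\rdcman.exe",
    r"\fsassessment.exe", r"\fsdiscovery.exe", r"\mobarte.exe", r"\mremote.exe",
    r"\mremoteng.exe", r"\passwordstate.exe", r"\remotedesktopmanager.exe",
    r"\remotedesktopmanager64.exe", r"\remotedesktopmanagerfree.exe", r"\rssensor.exe",
    r"\rts2app.exe", r"\rtsapp.exe", r"\spiceworks-finder.exe", r"\terminals.exe",
    r"\ws_tunnelservice.exe", r"\thor.exe", r"\thor64.exe", r"\ranger\sentinelranger.exe")
FILTER_STARTSWITH = ("c:\\program files\\splunkuniversalforwarder\\bin\\",)

def excluded_by(event):
    """Return the name of the first filter the event matches, or None."""
    image = event.get("Image")
    if image is None:
        return "filter_optional_null"
    low = image.lower()
    if low in FILTER_MAIN:
        return "filter_main_mstsc"
    # the dns filter needs all three conditions, not just the image name
    if (low == r"c:\windows\system32\dns.exe" and event.get("SourcePort") == 53
            and str(event.get("Protocol", "")).lower() == "udp"):
        return "filter_optional_dns"
    if low in FILTER_EXACT or low.endswith(FILTER_ENDSWITH) or low.startswith(FILTER_STARTSWITH):
        return "filter_optional_*"
    return None

def rule_fires(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    selected = event.get("DestinationPort") == 3389 and str(event.get("Initiated")).lower() == "true"
    return selected and excluded_by(event) is None

EVENTS = [  # constructed sample events, not real telemetry
    {"Image": r"C:\Windows\System32\mstsc.exe", "DestinationPort": 3389, "Initiated": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\rdpclient.exe", "DestinationPort": 3389, "Initiated": "true"},
    {"Image": r"C:\Program Files\mRemoteNG\mRemoteNG.exe", "DestinationPort": 3389, "Initiated": "true"},
    {"Image": r"C:\Windows\System32\dns.exe", "DestinationPort": 3389, "Initiated": "true", "SourcePort": 53, "Protocol": "udp"},
    {"Image": r"C:\Windows\System32\dns.exe", "DestinationPort": 3389, "Initiated": "true", "SourcePort": 49300, "Protocol": "tcp"},
    {"Image": None, "DestinationPort": 3389, "Initiated": "true"},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationPort": 3389, "Initiated": "false"},
]

def fired_images(events=EVENTS):
    """Images of the events the rule would alert on, in input order."""
    return [e["Image"] for e in events if rule_fires(e)]
```

Only the unrecognised client and the dns.exe connection that is neither UDP nor sourced from port 53 survive the filters; the inbound svchost.exe session never enters the selection.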

KQL (Azure Sentinel)

imNetworkSession
// selection. The Sigma field Initiated: 'true' has no literal "true" value in the ASIM
// NetworkSession schema; the NetworkDirection value for a locally initiated session is "Outbound".
| where DstPortNumber == 3389 and NetworkDirection =~ "Outbound"
// filter_main_mstsc
| where not(SrcProcessName in~ ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")
    or DstProcessName in~ ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe"))
// filter_optional_dns: all three conditions must hold, not just the image name
| where not((SrcProcessName =~ "C:\\Windows\\System32\\dns.exe" or DstProcessName =~ "C:\\Windows\\System32\\dns.exe")
    and SrcPortNumber == 53 and NetworkProtocol =~ "udp")
// filter_optional_avast
| where not(SrcProcessName endswith "\\Avast Software\\Avast\\AvastSvc.exe" or SrcProcessName endswith "\\Avast\\AvastSvc.exe"
    or DstProcessName endswith "\\Avast Software\\Avast\\AvastSvc.exe" or DstProcessName endswith "\\Avast\\AvastSvc.exe")
// filter_optional_sysinternals_rdcman
| where not(SrcProcessName endswith "\\RDCMan.exe" or DstProcessName endswith "\\RDCMan.exe")
// filter_optional_chrome
| where not(SrcProcessName =~ "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    or DstProcessName =~ "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")
// filter_optional_third_party
| where not(SrcProcessName endswith "\\FSAssessment.exe" or SrcProcessName endswith "\\FSDiscovery.exe"
    or SrcProcessName endswith "\\MobaRTE.exe" or SrcProcessName endswith "\\mRemote.exe"
    or SrcProcessName endswith "\\mRemoteNG.exe" or SrcProcessName endswith "\\Passwordstate.exe"
    or SrcProcessName endswith "\\RemoteDesktopManager.exe" or SrcProcessName endswith "\\RemoteDesktopManager64.exe"
    or SrcProcessName endswith "\\RemoteDesktopManagerFree.exe" or SrcProcessName endswith "\\RSSensor.exe"
    or SrcProcessName endswith "\\RTS2App.exe" or SrcProcessName endswith "\\RTSApp.exe"
    or SrcProcessName endswith "\\spiceworks-finder.exe" or SrcProcessName endswith "\\Terminals.exe"
    or SrcProcessName endswith "\\ws_TunnelService.exe"
    or DstProcessName endswith "\\FSAssessment.exe" or DstProcessName endswith "\\FSDiscovery.exe"
    or DstProcessName endswith "\\MobaRTE.exe" or DstProcessName endswith "\\mRemote.exe"
    or DstProcessName endswith "\\mRemoteNG.exe" or DstProcessName endswith "\\Passwordstate.exe"
    or DstProcessName endswith "\\RemoteDesktopManager.exe" or DstProcessName endswith "\\RemoteDesktopManager64.exe"
    or DstProcessName endswith "\\RemoteDesktopManagerFree.exe" or DstProcessName endswith "\\RSSensor.exe"
    or DstProcessName endswith "\\RTS2App.exe" or DstProcessName endswith "\\RTSApp.exe"
    or DstProcessName endswith "\\spiceworks-finder.exe" or DstProcessName endswith "\\Terminals.exe"
    or DstProcessName endswith "\\ws_TunnelService.exe")
// filter_optional_thor
| where not(SrcProcessName endswith "\\thor.exe" or SrcProcessName endswith "\\thor64.exe"
    or DstProcessName endswith "\\thor.exe" or DstProcessName endswith "\\thor64.exe")
// filter_optional_splunk
| where not(SrcProcessName startswith "C:\\Program Files\\SplunkUniversalForwarder\\bin\\"
    or DstProcessName startswith "C:\\Program Files\\SplunkUniversalForwarder\\bin\\")
// filter_optional_sentinel_one
| where not(SrcProcessName endswith "\\Ranger\\SentinelRanger.exe" or DstProcessName endswith "\\Ranger\\SentinelRanger.exe")
// filter_optional_firefox
| where not(SrcProcessName =~ "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    or DstProcessName =~ "C:\\Program Files\\Mozilla Firefox\\firefox.exe")
// filter_optional_tsplus
| where not(SrcProcessName in~ ("C:\\Program Files\\TSplus\\Java\\bin\\HTML5service.exe", "C:\\Program Files (x86)\\TSplus\\Java\\bin\\HTML5service.exe")
    or DstProcessName in~ ("C:\\Program Files\\TSplus\\Java\\bin\\HTML5service.exe", "C:\\Program Files (x86)\\TSplus\\Java\\bin\\HTML5service.exe"))
// filter_optional_null / filter_optional_empty / filter_optional_unknown. Only the initiating
// (source) process is tested here: DstProcessName is normally unpopulated for an outbound
// session because that process runs on the remote host, so testing it would exclude every
// event. Kusto string columns are never null, so isempty() covers both the null and '' filters.
| where not(isempty(SrcProcessName) or SrcProcessName =~ "<unknown process>")

Required Data Sources

Sentinel Table      Notes
imNetworkSession    Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml