The hypothesis is that an adversary may be using a remote administration toolkit to enable RDP as part of establishing persistent remote access to a target system. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or persistence mechanisms that could indicate a deeper compromise.
YARA Rule
rule rat_rdp {
    meta:
        author = "x0r"
        description = "Remote Administration toolkit enable RDP"
        version = "0.1"
    strings:
        // registry paths that control Terminal Services / RDP (case-insensitive)
        $p1 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server" nocase
        $p2 = "software\\microsoft\\windows nt\\currentversion\\terminal server" nocase
        $p3 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" nocase
        // registry value and service commands used to switch RDP on (case-sensitive)
        $r1 = "EnableAdminTSRemote"
        $c1 = "net start termservice"
        $c2 = "sc config termservice start"
    condition:
        any of them
}
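To see exactly what the rule fires on, the following Python is an added example (not the rule author's code and not part of the original page) that reproduces the rule's string semantics without needing yara-python: the three registry paths are compared case-insensitively because they carry the nocase modifier, while $r1, $c1 and $c2 are compared byte-for-byte. The sample blobs and the function names match_strings and rat_rdp_matches are constructed here for illustration.

```python
# Added example: re-implements the rat_rdp string matching in plain Python.
# (identifier, pattern, nocase) transcribed from the YARA rule above.
RAT_RDP_STRINGS = [
    ("$p1", b"SYSTEM\\CurrentControlSet\\Control\\Terminal Server", True),
    ("$p2", b"software\\microsoft\\windows nt\\currentversion\\terminal server", True),
    ("$p3", b"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp", True),
    ("$r1", b"EnableAdminTSRemote", False),
    ("$c1", b"net start termservice", False),
    ("$c2", b"sc config termservice start", False),
]


def match_strings(data: bytes) -> list:
    """Return the identifiers of every rule string found in data.

    Mirrors YARA: strings marked nocase are matched case-insensitively,
    all others exactly.  Order follows the rule's declaration order.
    """
    hits = []
    for ident, pattern, nocase in RAT_RDP_STRINGS:
        haystack = data.lower() if nocase else data
        needle = pattern.lower() if nocase else pattern
        if needle in haystack:
            hits.append(ident)
    return hits


def rat_rdp_matches(data: bytes) -> bool:
    """Condition 'any of them': the rule fires if at least one string is present."""
    return bool(match_strings(data))


# Constructed sample inputs (not real malware artefacts).
# 1) a config fragment that references the RDP-Tcp key in mixed case and starts the service
SAMPLE_ENABLE_RDP = (
    b"[config]\r\n"
    b"path=HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\r\n"
    b"cmd=net start termservice\r\n"
)
# 2) the same service command in upper case: $c1 has no nocase, so it will NOT match
SAMPLE_UPPER = b"NET START TERMSERVICE\r\n"
# 3) content unrelated to RDP
SAMPLE_BENIGN = b"hello world\r\n"


if __name__ == "__main__":
    for name, blob in (("enable_rdp", SAMPLE_ENABLE_RDP),
                       ("upper", SAMPLE_UPPER),
                       ("benign", SAMPLE_BENIGN)):
        print(f"{name:11s} match={rat_rdp_matches(blob)!s:5s} strings={match_strings(blob)}")
```

Two properties of the rule become visible when it runs: $p3 is a superset of $p1, so any hit on the RDP-Tcp key also reports $p1, and the three command/value strings are case-sensitive, so a script that capitalises "NET START TERMSERVICE" slips past while the registry paths still catch mixed-case spellings. Because the condition is "any of them", a single registry path is enough to fire, which is why the tuning scenarios that follow matter for legitimate administration tooling.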
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
Scenario: Legitimate RDP Access for Remote Administration
Description: A system administrator uses Remote Desktop Protocol (RDP) to remotely manage a server.
Filter/Exclusion: Check for the presence of known admin credentials or IP addresses from the internal network. Use a filter like:
src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
Scenario: Scheduled RDP Session for Patching or Updates
Description: A scheduled job runs an RDP session to apply system updates or patches.
Filter/Exclusion: Filter by process name or command line that includes schtasks or task scheduler. Use a filter like:
process.name = "schtasks.exe" OR command_line CONTAINS "schtasks"
Scenario: Remote PowerShell Session Using RDP
Description: An admin uses RDP to connect to a machine and then runs PowerShell scripts for configuration or monitoring.
Filter/Exclusion: Check for the presence of PowerShell execution in the session, or filter by user account with administrative privileges. Use a filter like:
user_account = "admin_user" OR command_line CONTAINS "powershell.exe"
Scenario: RDP Access for Application Deployment
Description: A DevOps team uses RDP to deploy an application to a server.
Filter/Exclusion: Filter by known deployment tools or IP ranges used for CI/CD pipelines. Use a filter like:
src_ip IN (192.168.10.0/24) OR process.name = "deploytool
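The four filters above are written as pseudo-query fragments; the following Python is an added example (not from the original page or any Sentinel content) that applies the same exclusions to a batch of alert records so the suppression logic can be tested before it is turned into an analytics-rule exception. The alert records, the field names (src_ip, process_name, command_line, user_account), the allow-listed account admin_user and the process name deploytool are taken from or modelled on the page's filters; the helper names exclusion_reason and triage are assumptions for this example.

```python
# Added example: apply the page's false-positive filters to constructed alerts.
import ipaddress

# Allow-list values from the scenario filters above.
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CICD_RANGES = [ipaddress.ip_network("192.168.10.0/24")]
ADMIN_ACCOUNTS = {"admin_user"}
DEPLOY_TOOLS = {"deploytool"}          # process name from the (truncated) deployment filter


def _in_ranges(ip: str, ranges) -> bool:
    """True if ip parses and falls inside any of the given networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def exclusion_reason(alert: dict):
    """Return the scenario name that suppresses this alert, or None to escalate.

    Checks run most-specific first so a CI/CD host is reported as a deployment,
    not merely as 'internal'.
    """
    proc = (alert.get("process_name") or "").lower()
    cmd = (alert.get("command_line") or "").lower()
    user = alert.get("user_account") or ""
    src = alert.get("src_ip") or ""
    if _in_ranges(src, CICD_RANGES) or proc in DEPLOY_TOOLS:
        return "application deployment"
    if proc == "schtasks.exe" or "schtasks" in cmd:
        return "scheduled patching"
    if user in ADMIN_ACCOUNTS or "powershell.exe" in cmd:
        return "admin powershell session"
    if _in_ranges(src, INTERNAL_RANGES):
        return "internal admin access"
    return None


def triage(alerts):
    """Split alerts into (escalate, suppressed); each entry is (alert id, reason)."""
    escalate, suppressed = [], []
    for alert in alerts:
        reason = exclusion_reason(alert)
        (suppressed if reason else escalate).append((alert["id"], reason))
    return escalate, suppressed


# Constructed alert records (documentation/private address ranges, fictitious users).
SAMPLE_ALERTS = [
    {"id": "A1", "src_ip": "192.168.10.5", "process_name": "deploytool",
     "command_line": "deploytool --push app", "user_account": "cicd_svc"},
    {"id": "A2", "src_ip": "10.1.2.3", "process_name": "schtasks.exe",
     "command_line": "schtasks /run /tn Patching", "user_account": "SYSTEM"},
    {"id": "A3", "src_ip": "203.0.113.7", "process_name": "cmd.exe",
     "command_line": "cmd.exe /c net start termservice", "user_account": "svc_backup"},
    {"id": "A4", "src_ip": "172.20.1.1", "process_name": "cmd.exe",
     "command_line": "cmd.exe /c sc config termservice start", "user_account": "jdoe"},
]


if __name__ == "__main__":
    esc, sup = triage(SAMPLE_ALERTS)
    print("escalate :", esc)
    print("suppressed:", sup)
```

Running it escalates only A3 (external source, non-admin account) and suppresses A1, A2 and A4. A4 is the case to look at: a non-admin user on an internal address changing the termservice start type is suppressed purely by the src_ip range filter, which is exactly the pattern lateral movement inside the network produces. In practice the internal-range exclusion should be combined with the user or process conditions rather than applied on its own, and suppressed alerts should still be retained for hunting.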