Adversaries deliver .rdp connection files through browsers, mail clients and chat applications so that the victim's own Remote Desktop client opens a session to attacker infrastructure (the "rogue RDP" technique described in the references below); because the file is written by an everyday application rather than by an attacker tool, the activity blends in with normal user behaviour. SOC teams should proactively hunt for .rdp files created by these applications in Azure Sentinel to identify potential initial access or persistence that evades traditional monitoring.
Detection Rule
title: .RDP File Created By Uncommon Application
id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
related:
    - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
      type: derived
status: test
description: |
    Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
modified: 2024-11-01
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.rdp'
        Image|endswith:
            # Covers browsers
            - '\brave.exe'
            - '\CCleaner Browser\Application\CCleanerBrowser.exe'
            - '\chromium.exe'
            - '\firefox.exe'
            - '\Google\Chrome\Application\chrome.exe'
            - '\iexplore.exe'
            - '\microsoftedge.exe'
            - '\msedge.exe'
            - '\Opera.exe'
            - '\Vivaldi.exe'
            - '\Whale.exe'
            # Covers email clients
            - '\olk.exe' # Outlook
            - '\Outlook.exe'
            - '\RuntimeBroker.exe' # If the windows mail client is used
            - '\Thunderbird.exe'
            # Covers chat applications
            - '\Discord.exe' # Should open the browser for download, but just in case.
            - '\Keybase.exe'
            - '\msteams.exe'
            - '\Slack.exe'
            - '\teams.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel (ASIM imFileEvent) translation. Sigma's Image field is the process that wrote the file, which in the ASIM FileEvent schema is ActingProcessName; TargetFilePath holds the .rdp file's own path, so the process suffixes must be compared against ActingProcessName, not TargetFilePath. The EventType filter restricts the query to file creations, matching the Sigma file_event category.
imFileEvent
| where EventType == "FileCreated"
| where TargetFileName endswith ".rdp"
| where ActingProcessName endswith @"\brave.exe"
    or ActingProcessName endswith @"\CCleaner Browser\Application\CCleanerBrowser.exe"
    or ActingProcessName endswith @"\chromium.exe"
    or ActingProcessName endswith @"\firefox.exe"
    or ActingProcessName endswith @"\Google\Chrome\Application\chrome.exe"
    or ActingProcessName endswith @"\iexplore.exe"
    or ActingProcessName endswith @"\microsoftedge.exe"
    or ActingProcessName endswith @"\msedge.exe"
    or ActingProcessName endswith @"\Opera.exe"
    or ActingProcessName endswith @"\Vivaldi.exe"
    or ActingProcessName endswith @"\Whale.exe"
    or ActingProcessName endswith @"\olk.exe"
    or ActingProcessName endswith @"\Outlook.exe"
    or ActingProcessName endswith @"\RuntimeBroker.exe"
    or ActingProcessName endswith @"\Thunderbird.exe"
    or ActingProcessName endswith @"\Discord.exe"
    or ActingProcessName endswith @"\Keybase.exe"
    or ActingProcessName endswith @"\msteams.exe"
    or ActingProcessName endswith @"\Slack.exe"
    or ActingProcessName endswith @"\teams.exe"
| project TimeGenerated, DvcHostname, ActorUsername, ActingProcessName, TargetFilePath
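To make the selection concrete, the following Python re-implements the rule's matching logic and runs it over a handful of file-creation events. This is an added example, not part of the Sigma rule or the Sentinel query: the field names follow the ASIM FileEvent schema (EventType, TargetFileName, TargetFilePath, ActingProcessName), the event records are constructed for illustration, and the category labels ("browser", "mail", "chat") are a triage convenience taken from the rule's own comments. It also shows that writes by processes outside the list, such as mstsc.exe or powershell.exe, are never matched, and that the comparison is case-insensitive, as it is in Sigma and in KQL endswith.

```python
from typing import Optional

# Image|endswith suffixes from the Sigma selection, grouped the way the rule's comments group them.
UNCOMMON_RDP_WRITERS = {
    "browser": (
        r"\brave.exe",
        r"\CCleaner Browser\Application\CCleanerBrowser.exe",
        r"\chromium.exe",
        r"\firefox.exe",
        r"\Google\Chrome\Application\chrome.exe",
        r"\iexplore.exe",
        r"\microsoftedge.exe",
        r"\msedge.exe",
        r"\Opera.exe",
        r"\Vivaldi.exe",
        r"\Whale.exe",
    ),
    "mail": (r"\olk.exe", r"\Outlook.exe", r"\RuntimeBroker.exe", r"\Thunderbird.exe"),
    "chat": (r"\Discord.exe", r"\Keybase.exe", r"\msteams.exe", r"\Slack.exe", r"\teams.exe"),
}


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma string modifiers and KQL endswith are case-insensitive; so are Windows paths."""
    return value.lower().endswith(suffix.lower())


def classify_rdp_creation(event: dict) -> Optional[str]:
    """Return the writer category if the event satisfies the Sigma selection, else None.

    Only file creations count (Sigma file_event corresponds to a file-create event),
    the target must end in .rdp, and the acting process (Sigma's Image) must end in
    one of the listed suffixes.
    """
    if event.get("EventType") != "FileCreated":
        return None
    if not _endswith_ci(event.get("TargetFileName", ""), ".rdp"):
        return None
    acting = event.get("ActingProcessName", "")  # the process that wrote the file
    for category, suffixes in UNCOMMON_RDP_WRITERS.items():
        if any(_endswith_ci(acting, s) for s in suffixes):
            return category
    return None


def hunt(events) -> list:
    """Return (TargetFilePath, ActingProcessName, category) for every event the rule fires on."""
    hits = []
    for ev in events:
        category = classify_rdp_creation(ev)
        if category:
            hits.append((ev["TargetFilePath"], ev["ActingProcessName"], category))
    return hits


# Constructed sample events (not real telemetry), shaped like ASIM imFileEvent rows.
SAMPLE_EVENTS = [
    {"EventType": "FileCreated", "TargetFileName": "invoice.rdp",
     "TargetFilePath": r"C:\Users\alice\Downloads\invoice.rdp",
     "ActingProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventType": "FileCreated", "TargetFileName": "HR_Portal.RDP",  # upper-case extension
     "TargetFilePath": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\HR_Portal.RDP",
     "ActingProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventType": "FileCreated", "TargetFileName": "Default.rdp",  # mstsc.exe is not in the selection
     "TargetFilePath": r"C:\Users\alice\Documents\Default.rdp",
     "ActingProcessName": r"C:\Windows\System32\mstsc.exe"},
    {"EventType": "FileCreated", "TargetFileName": "lab.rdp",  # scripting hosts are not in the selection
     "TargetFilePath": r"C:\Temp\lab.rdp",
     "ActingProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventType": "FileCreated", "TargetFileName": "notes.txt",  # listed process, wrong extension
     "TargetFilePath": r"C:\Users\alice\Downloads\notes.txt",
     "ActingProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventType": "FileModified", "TargetFileName": "update.rdp",  # not a creation
     "TargetFilePath": r"C:\Users\alice\Downloads\update.rdp",
     "ActingProcessName": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

if __name__ == "__main__":
    for path, proc, category in hunt(SAMPLE_EVENTS):
        print(f"[{category}] {proc} wrote {path}")
```

Running it reports only the Chrome download and the Outlook attachment; the mstsc.exe and PowerShell writes, the .txt download and the modification event are all ignored, which is exactly the scope the Sigma selection defines.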
The selection fires only when the writing process is one of the listed browsers, mail clients or chat applications. Files saved by mstsc.exe itself (for example Default.rdp in the user's Documents folder), by scheduled tasks, PowerShell or Python scripts, configuration management agents or backup tools never match the rule, so exclusions for those processes add nothing. The benign activity that does match is a user downloading or opening a connection file in one of the listed applications, which is also exactly how the attack arrives, so tune by source rather than by switching off a whole application.
Scenario: A user downloads an .rdp connection file from a sanctioned remote-access portal, for example the Azure portal's Connect option for a virtual machine.
Filter/Exclusion: Exclude by download origin, not by browser or folder. Browsers record the origin in the file's Zone.Identifier alternate data stream (HostUrl and ReferrerUrl), which Sysmon Event ID 15 (FileCreateStreamHash) logs; allowlist only files whose HostUrl is the sanctioned portal. Do not exclude the Downloads folder or the browser process, since a rogue RDP lure lands in the same place by the same process.
Scenario: A user opens an .rdp attachment in Outlook, which writes it to the Content.Outlook cache folder before handing it to mstsc.exe.
Filter/Exclusion: Do not exclude; this is the delivery path described in the references. Triage on the sender and the file contents (the remote host the file points to) and correlate with the mstsc.exe process that follows. The same applies to the Thunderbird and olk.exe (new Outlook) entries.
Scenario: Staff share .rdp files for internal jump hosts over Teams or Slack, which write the file when it is downloaded.
Filter/Exclusion: Expect low volume; tune on the user, host and target path rather than excluding the chat client, and treat files pointing at hosts outside the organisation as suspicious.
Scenario: RuntimeBroker.exe appears as the writer. The rule includes it to cover the Windows Mail client, but RuntimeBroker.exe brokers file access for many Store applications.
Filter/Exclusion: Inspect TargetFilePath to determine which application the file actually belongs to before excluding; an exclusion on RuntimeBroker.exe alone would blind the rule to every Store app.