← Back to SOC feed Coverage →

RDP Over Reverse SSH Tunnel

sigma HIGH SigmaHQ
T1572T1021.001
imNetworkSession
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-05T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389

Detection Rule

Sigma (Original)

title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
    - https://twitter.com/cyb3rops/status/1096842275437625346
author: Samir Bousseaden
date: 2019-02-16
modified: 2024-03-12
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection_img:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
    selection_destination:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '::1/128'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imNetworkSession
| where ((SrcProcessName endswith "\\svchost.exe" or DstProcessName endswith "\\svchost.exe") and NetworkDirection =~ "true" and SrcPortNumber == 3389) and (ipv4_is_in_range(DstIpAddr, "127.0.0.0/8") or ipv4_is_in_range(DstIpAddr, "::1/128"))

Required Data Sources

Sentinel TableNotes
imNetworkSessionEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml