← Back to Explore
sublimemediumRule
Attachment: RDP connection file
Recursively scans files and archives to detect RDP connection files. Coercing a target user into connecting to an attacker-owned RDP server can expose elements of their host and potentially lead to compromise.
Detection Query
type.inbound
and (
any(attachments, .file_extension =~ "rdp")
or (
any(attachments,
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), .file_extension =~ "rdp")
)
)
)
Author
ajpc500
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Attack surface reduction
Raw Content
name: "Attachment: RDP connection file"
description: |
Recursively scans files and archives to detect RDP connection files.
Coercing a target user into connecting to an attacker-owned RDP server can expose elements of their host and potentially lead to compromise.
references:
- "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/"
- "https://delivr.to/payloads?id=64f2d144-0060-472e-989c-3b331f6fb095"
type: "rule"
authors:
- twitter: "ajpc500"
severity: "medium"
source: |
type.inbound
and (
any(attachments, .file_extension =~ "rdp")
or (
any(attachments,
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), .file_extension =~ "rdp")
)
)
)
tags:
- "Attack surface reduction"
attack_types:
- "Malware/Ransomware"
- "Credential Phishing"
detection_methods:
- "Archive analysis"
- "File analysis"
id: "2409a422-4116-5a40-b929-c1b47ed5c1e5"