← Back to Explore
sigmahighHunting
RDP over Reverse SSH Tunnel WFP
Detects svchost hosting RDP termsvcs communicating with the loopback address
Detection Query
selection:
EventID: 5156
sourceRDP:
SourcePort: 3389
DestAddress:
- 127.*
- ::1
destinationRDP:
DestPort: 3389
SourceAddress:
- 127.*
- ::1
filter_app_container:
FilterOrigin: AppContainer Loopback
filter_thor:
Application|endswith:
- \thor.exe
- \thor64.exe
condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
Author
Samir Bousseaden
Created
2019-02-16
Data Sources
windowssecurity
Platforms
windows
References
Tags
attack.defense-evasionattack.command-and-controlattack.lateral-movementattack.t1090.001attack.t1090.002attack.t1021.001car.2013-07-002
Raw Content
title: RDP over Reverse SSH Tunnel WFP
id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address
references:
- https://twitter.com/SBousseaden/status/1096148422984384514
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
author: Samir Bousseaden
date: 2019-02-16
modified: 2022-09-02
tags:
- attack.defense-evasion
- attack.command-and-control
- attack.lateral-movement
- attack.t1090.001
- attack.t1090.002
- attack.t1021.001
- car.2013-07-002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
sourceRDP:
SourcePort: 3389
DestAddress:
- '127.*'
- '::1'
destinationRDP:
DestPort: 3389
SourceAddress:
- '127.*'
- '::1'
filter_app_container:
FilterOrigin: 'AppContainer Loopback'
filter_thor: # checking BlueKeep vulnerability
Application|endswith:
- '\thor.exe'
- '\thor64.exe'
condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
falsepositives:
- Programs that connect locally to the RDP port
level: high