sigmahighHunting

Outbound RDP Connections Over Non-Standard Tools

Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.

MITRE ATT&CK

T1021.001

lateral-movement

Detection Query

selection:
  DestinationPort: 3389
  Initiated: "true"
filter_main_mstsc:
  Image:
    - C:\Windows\System32\mstsc.exe
    - C:\Windows\SysWOW64\mstsc.exe
filter_optional_dns:
  Image: C:\Windows\System32\dns.exe
  SourcePort: 53
  Protocol: udp
filter_optional_avast:
  Image|endswith:
    - \Avast Software\Avast\AvastSvc.exe
    - \Avast\AvastSvc.exe
filter_optional_sysinternals_rdcman:
  Image|endswith: \RDCMan.exe
filter_optional_chrome:
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
filter_optional_third_party:
  Image|endswith:
    - \FSAssessment.exe
    - \FSDiscovery.exe
    - \MobaRTE.exe
    - \mRemote.exe
    - \mRemoteNG.exe
    - \Passwordstate.exe
    - \RemoteDesktopManager.exe
    - \RemoteDesktopManager64.exe
    - \RemoteDesktopManagerFree.exe
    - \RSSensor.exe
    - \RTS2App.exe
    - \RTSApp.exe
    - \spiceworks-finder.exe
    - \Terminals.exe
    - \ws_TunnelService.exe
filter_optional_thor:
  Image|endswith:
    - \thor.exe
    - \thor64.exe
filter_optional_splunk:
  Image|startswith: C:\Program Files\SplunkUniversalForwarder\bin\
filter_optional_sentinel_one:
  Image|endswith: \Ranger\SentinelRanger.exe
filter_optional_firefox:
  Image: C:\Program Files\Mozilla Firefox\firefox.exe
filter_optional_tsplus:
  Image:
    - C:\Program Files\TSplus\Java\bin\HTML5service.exe
    - C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe
filter_optional_null:
  Image: null
filter_optional_empty:
  Image: ""
filter_optional_unknown:
  Image: <unknown process>
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

Markus Neis

Created

2019-05-15

Data Sources

windowsNetwork Connection Events

Platforms

windows

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Tags

attack.lateral-movementattack.t1021.001car.2013-07-002

Raw Content

title: Outbound RDP Connections Over Non-Standard Tools
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: test
description: |
    Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
    An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
references:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis
date: 2019-05-15
modified: 2024-02-09
tags:
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort: 3389
        Initiated: 'true'
    filter_main_mstsc:
        Image:
            - 'C:\Windows\System32\mstsc.exe'
            - 'C:\Windows\SysWOW64\mstsc.exe'
    filter_optional_dns:
        # Note: https://github.com/SigmaHQ/sigma/pull/2249
        Image: 'C:\Windows\System32\dns.exe'
        SourcePort: 53
        Protocol: 'udp'
    filter_optional_avast:
        Image|endswith:
            - '\Avast Software\Avast\AvastSvc.exe'
            - '\Avast\AvastSvc.exe'
    filter_optional_sysinternals_rdcman:
        Image|endswith: '\RDCMan.exe'
    filter_optional_chrome:
        Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_third_party:
        Image|endswith:
            - '\FSAssessment.exe'
            - '\FSDiscovery.exe'
            - '\MobaRTE.exe'
            - '\mRemote.exe'
            - '\mRemoteNG.exe'
            - '\Passwordstate.exe'
            - '\RemoteDesktopManager.exe'
            - '\RemoteDesktopManager64.exe'
            - '\RemoteDesktopManagerFree.exe'
            - '\RSSensor.exe'
            - '\RTS2App.exe'
            - '\RTSApp.exe'
            - '\spiceworks-finder.exe'
            - '\Terminals.exe'
            - '\ws_TunnelService.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_splunk:
        Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
    filter_optional_sentinel_one:
        Image|endswith: '\Ranger\SentinelRanger.exe'
    filter_optional_firefox:
        Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tsplus:  # Some RAS
        Image:
            - 'C:\Program Files\TSplus\Java\bin\HTML5service.exe'
            - 'C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
    filter_optional_null:
        Image: null
    filter_optional_empty:
        Image: ''
    filter_optional_unknown:
        Image: '<unknown process>'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Third party RDP tools
level: high