← Back to Explore
sigmahighHunting
Mstsc.EXE Execution From Uncommon Parent
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Detection Query
selection_parent:
ParentImage|endswith:
- \brave.exe
- \CCleanerBrowser.exe
- \chrome.exe
- \chromium.exe
- \firefox.exe
- \iexplore.exe
- \microsoftedge.exe
- \msedge.exe
- \opera.exe
- \vivaldi.exe
- \whale.exe
- \outlook.exe
selection_img:
- Image|endswith: \mstsc.exe
- OriginalFileName: mstsc.exe
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-04-18
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.lateral-movement
Raw Content
title: Mstsc.EXE Execution From Uncommon Parent
id: ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
references:
- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
tags:
- attack.lateral-movement
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Covers potential downloads/clicks from browsers
- '\brave.exe'
- '\CCleanerBrowser.exe'
- '\chrome.exe'
- '\chromium.exe'
- '\firefox.exe'
- '\iexplore.exe'
- '\microsoftedge.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
- '\whale.exe'
# Covers potential downloads/clicks from email clients
- '\outlook.exe'
selection_img:
- Image|endswith: '\mstsc.exe'
- OriginalFileName: 'mstsc.exe'
condition: all of selection_*
falsepositives:
- Unlikely
level: high