false positives may be present based on administrators using rdp files for legitimate purposes. filter as needed.

Techniques

Sample rules

Windows RDP File Execution

source: splunk
technicques:
- T1598.002
- T1021.001

Description

The following analytic detects when a Windows RDP client attempts to execute an RDP file from a temporary directory, downloads directory, or Outlook directories. This detection is significant as it can indicate an attempt for an adversary to deliver a .rdp file, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network.

Detection logic


| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*\\AppData\\Local\\Temp\\*", "*\\Olk\\Attachments\\*", "*\\AppData\\Local\\Microsoft\\Outlook\\*", "*\\Content.Outlook\\*", "*\\Downloads\\*") AND Processes.process="*.rdp*" by Processes.process Processes.process_name Processes.user Processes.dest Processes.parent_process_name Processes.parent_process 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| eval execution_type=case( match(process, "\\\\Temp\\\\.*\\.(zip
|7z
|rar
|cab
|tgz
|gz
|tar
|iso
|img
|vhd
|vhdx).*\\.*\\.rdp"), "temp_archive_execution", match(process, "\\\\Downloads\\\\"), "downloads_execution", match(process, "\\\\Temp\\\\"), "temp_execution", match(process, "\\\\Microsoft\\\\Outlook\\\\"), "outlook_execution", match(process, "\\\\Olk\\\\Attachments\\\\"), "outlook_execution", match(process, "\\\\Content.Outlook\\\\"), "outlook_execution", true(), "other" ), risk_score=case( execution_type="temp_archive_execution", "Critical", execution_type IN ("temp_execution", "outlook_execution"), "High", execution_type="downloads_execution", "Medium", true(), "Low" ), risk_reason=case( execution_type="temp_archive_execution", "RDP file executed directly from archive/disk image in Temp directory", execution_type="downloads_execution", "RDP file executed from Downloads directory (Could be legitimate admin activity)", execution_type="temp_execution", "RDP file executed from Temp directory", execution_type="outlook_execution", "RDP file executed from Outlook directories", true(), "Standard RDP file execution" ) 
| sort - risk_score 
| rename process_name as "RDP Process", parent_process_name as "Parent Process", process as "Command Line", user as "User", execution_type as "Execution Context", risk_score as "Risk Level", risk_reason as "Risk Details" 
| fields - parent_process 
| `windows_rdp_file_execution_filter`