Techniques
Sample rules
Windows Process Execution From RDP Share
- source: splunk
- technicques:
- T1021.001
- T1105
- T1059
Description
The following analytic identifies process executions originating from RDP shares on Windows endpoints. Remote Desktop Protocol (RDP) shares, typically accessed via the “tsclient” path, allow users to share files between their local machine and a remote desktop session. However, threat actors may exploit RDP shares to execute malicious processes or transfer harmful files onto a compromised system. This detection focuses on identifying any process executions that originate from RDP shares, which could indicate unauthorized access or malicious activity. Security teams should investigate any instances of such process executions, especially if they are found on systems that should not be using RDP shares or if the executed processes are unfamiliar or suspicious.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.process = "*\\\\tsclient\\*"
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_process_execution_from_rdp_share_filter`