LoFP / likelihood is related to how often the paths are used in the environment

Sample rules

Suspicious Mstsc.EXE Execution With Local RDP File

Description

Detects potential RDP connection via Mstsc using a local “.rdp” file located in suspicious locations.

Detection logic

condition: all of selection_*
selection_extension:
  CommandLine|endswith:
  - .rdp
  - .rdp"
selection_img:
- Image|endswith: \mstsc.exe
- OriginalFileName: mstsc.exe
selection_paths:
  CommandLine|contains:
  - :\Users\Public\
  - :\Windows\System32\spool\drivers\color
  - ':\Windows\System32\Tasks_Migrated '
  - :\Windows\Tasks\
  - :\Windows\Temp\
  - :\Windows\Tracing\
  - \AppData\Local\Temp\
  - \Downloads\
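To see what the false-positive note at the top of the page means in practice, here is a small evaluator for the three selection blocks above, run over constructed process-creation events. This is an added example, not code from the LoFP page or from the Sigma project. It assumes the Sigma process_creation field names (CommandLine, Image, OriginalFileName), Sigma's default case-insensitive string matching, and the usual Sigma semantics: a map selection ANDs its fields, a list of values ORs them, a list of maps ORs the maps, and the condition ANDs all three selections. The events are constructed for illustration.

```python
"""Evaluate the rule's selection blocks against constructed events (added example)."""
from __future__ import annotations

from typing import Any

# The three selections, transcribed from the page. Backslashes are doubled
# because these are ordinary Python strings; the trailing space in the
# Tasks_Migrated entry is kept exactly as the page shows it.
SELECTION_EXTENSION = {"CommandLine|endswith": [".rdp", '.rdp"']}
SELECTION_IMG = [
    {"Image|endswith": "\\mstsc.exe"},
    {"OriginalFileName": "mstsc.exe"},
]
SELECTION_PATHS = {
    "CommandLine|contains": [
        ":\\Users\\Public\\",
        ":\\Windows\\System32\\spool\\drivers\\color",
        ":\\Windows\\System32\\Tasks_Migrated ",
        ":\\Windows\\Tasks\\",
        ":\\Windows\\Temp\\",
        ":\\Windows\\Tracing\\",
        "\\AppData\\Local\\Temp\\",
        "\\Downloads\\",
    ]
}
ALL_SELECTIONS = (SELECTION_EXTENSION, SELECTION_IMG, SELECTION_PATHS)


def _match_field(event: dict[str, Any], key: str, values: Any) -> bool:
    """One 'Field|modifier: value(s)' entry; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).casefold()  # Sigma string matching is case-insensitive
    for value in values if isinstance(values, list) else [values]:
        value = str(value).casefold()
        if modifier == "endswith":
            hit = actual.endswith(value)
        elif modifier == "startswith":
            hit = actual.startswith(value)
        elif modifier == "contains":
            hit = value in actual
        elif modifier == "":
            hit = actual == value
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if hit:
            return True
    return False


def _match_selection(event: dict[str, Any], selection: Any) -> bool:
    """A map ANDs its fields; a list of maps ORs the maps."""
    if isinstance(selection, list):
        return any(_match_selection(event, item) for item in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def rule_matches(event: dict[str, Any]) -> bool:
    """condition: all of selection_*"""
    return all(_match_selection(event, s) for s in ALL_SELECTIONS)


# Constructed sample events (not real telemetry). "name" is only a label.
EVENTS = [
    {"name": "public-dir", "Image": "C:\\Windows\\System32\\mstsc.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": "mstsc.exe C:\\Users\\Public\\connect.rdp"},
    {"name": "quoted-downloads", "Image": "C:\\Windows\\System32\\mstsc.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": '"C:\\Windows\\System32\\mstsc.exe" "C:\\Users\\alice\\Downloads\\lab.rdp"'},
    {"name": "documents-dir", "Image": "C:\\Windows\\System32\\mstsc.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": "mstsc.exe C:\\Users\\alice\\Documents\\work.rdp"},
    {"name": "renamed-binary", "Image": "C:\\Users\\Public\\rd.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": "rd.exe C:\\Windows\\Temp\\x.rdp"},
    {"name": "tasks-migrated", "Image": "C:\\Windows\\System32\\mstsc.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": "mstsc.exe C:\\Windows\\System32\\Tasks_Migrated\\x.rdp"},
    {"name": "no-rdp-file", "Image": "C:\\Windows\\System32\\mstsc.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": "mstsc.exe /v:host.example"},
]


def evaluate(events: list[dict[str, Any]]) -> dict[str, bool]:
    """Map each event's label to whether the rule fires on it."""
    return {e["name"]: rule_matches(e) for e in events}


if __name__ == "__main__":
    for name, hit in evaluate(EVENTS).items():
        print(f"{name:18} {'ALERT' if hit else 'no match'}")
```

The "documents-dir" event is the false-positive boundary the page describes: an .rdp file launched from a per-user Documents folder is ignored, while the same launch from Downloads or Users\Public fires, so the alert rate tracks how much those listed paths are used in the environment. The "renamed-binary" case shows why selection_img is a list (OriginalFileName still catches a renamed mstsc.exe), and "tasks-migrated" shows that the trailing space in the Tasks_Migrated entry, as printed on the page, prevents a match on a normal path under that directory.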