LoFP / likely with legitimate usage of \".rdp\" files

Techniques

t1219

Sample rules

Mstsc.EXE Execution With Local RDP File

source: sigma
technicques:
- t1219

Description

Detects potential RDP connection via Mstsc using a local “.rdp” file

Detection logic

condition: all of selection_* and not 1 of filter_optional_*
filter_optional_wsl:
  CommandLine|contains: C:\ProgramData\Microsoft\WSL\wslg.rdp
  ParentImage: C:\Windows\System32\lxss\wslhost.exe
selection_cli:
  CommandLine|endswith:
  - .rdp
  - .rdp"
selection_img:
- Image|endswith: \mstsc.exe
- OriginalFileName: mstsc.exe