Techniques
Sample rules
RDP over Reverse SSH Tunnel WFP
- source: sigma
- techniques:
- t1021
- t1021.001
- t1090
- t1090.001
- t1090.002
Description
Detects the svchost process hosting the RDP service (termsvcs) communicating over the loopback address (127.* or ::1) on port 3389, the traffic pattern seen when RDP is reached through a reverse SSH tunnel; the Windows Filtering Platform (WFP) connection event 5156 is the data source.
Detection logic
detection:
  selection:
    EventID: 5156
  sourceRDP:
    DestAddress:
      - 127.*
      - ::1
    SourcePort: 3389
  destinationRDP:
    DestPort: 3389
    SourceAddress:
      - 127.*
      - ::1
  filter_app_container:
    FilterOrigin: AppContainer Loopback
  filter_thor:
    Application|endswith:
      - \thor.exe
      - \thor64.exe
  condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
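The following is an added example, not code from the Sigma project or the rule's author: a minimal Python evaluator that applies the rule's condition (selection, the two RDP selectors, and the two exclusion filters) to constructed Event 5156 records. It re-implements only the Sigma string semantics the rule relies on (case-insensitive matching, `*`/`?` wildcards, the `endswith` modifier) rather than using pySigma, and the sample events, application paths and port numbers are made up for illustration.

```python
import re

# The rule's detection block, expressed as Python structures (field names
# and values as on the page; the matcher below is the added part).
SELECTION = {"EventID": 5156}
SOURCE_RDP = {"DestAddress": ["127.*", "::1"], "SourcePort": 3389}
DESTINATION_RDP = {"DestPort": 3389, "SourceAddress": ["127.*", "::1"]}
FILTER_APP_CONTAINER = {"FilterOrigin": "AppContainer Loopback"}
FILTER_THOR = {"Application|endswith": ["\\thor.exe", "\\thor64.exe"]}
FILTERS = [FILTER_APP_CONTAINER, FILTER_THOR]  # everything "1 of filter*" covers


def _value_matches(pattern, value, modifier=None):
    """Sigma-style string match: case-insensitive, '*' and '?' wildcards.
    The 'endswith' modifier is an implicit leading '*'."""
    pat = str(pattern)
    if modifier == "endswith":
        pat = "*" + pat
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat
    )
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None


def _selector_matches(selector, event):
    """A selector ANDs its fields; a list of values for one field is an OR.
    A field missing from the event never matches."""
    for key, expected in selector.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(v, event[field], modifier or None) for v in values):
            return False
    return True


def rule_matches(event):
    """condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*"""
    if not _selector_matches(SELECTION, event):
        return False
    if not (_selector_matches(SOURCE_RDP, event)
            or _selector_matches(DESTINATION_RDP, event)):
        return False
    return not any(_selector_matches(f, event) for f in FILTERS)


# Constructed sample Event 5156 records (not real telemetry); only the fields
# the rule consults are present. Paths and ports are invented.
SVCHOST = r"\device\harddiskvolume2\windows\system32\svchost.exe"
SAMPLE_EVENTS = [
    # RDP service answering a connection from loopback: alerts (sourceRDP)
    {"EventID": 5156, "Application": SVCHOST, "SourceAddress": "127.0.0.1",
     "SourcePort": 3389, "DestAddress": "127.0.0.1", "DestPort": 52314,
     "FilterOrigin": "Unknown"},
    # client side of the same tunnel on IPv6 loopback: alerts (destinationRDP)
    {"EventID": 5156, "Application": SVCHOST, "SourceAddress": "::1",
     "SourcePort": 52315, "DestAddress": "::1", "DestPort": 3389,
     "FilterOrigin": "Unknown"},
    # ordinary RDP from another host on the LAN: no alert
    {"EventID": 5156, "Application": SVCHOST, "SourceAddress": "10.0.0.5",
     "SourcePort": 51000, "DestAddress": "10.0.0.7", "DestPort": 3389,
     "FilterOrigin": "Unknown"},
    # loopback RDP allowed by an AppContainer loopback exemption: filtered out
    {"EventID": 5156, "Application": SVCHOST, "SourceAddress": "127.0.0.1",
     "SourcePort": 3389, "DestAddress": "127.0.0.1", "DestPort": 49152,
     "FilterOrigin": "AppContainer Loopback"},
    # loopback RDP check by the excluded scanner binary: filtered out
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\program files\thor\thor64.exe",
     "SourceAddress": "127.0.0.1", "SourcePort": 50000,
     "DestAddress": "127.0.0.1", "DestPort": 3389, "FilterOrigin": "Unknown"},
    # different WFP event id: selection fails
    {"EventID": 5158, "Application": SVCHOST, "SourceAddress": "127.0.0.1",
     "SourcePort": 3389, "DestAddress": "127.0.0.1", "DestPort": 52316,
     "FilterOrigin": "Unknown"},
]


def evaluate_samples():
    """Return one verdict per sample event, in order."""
    return [rule_matches(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print("ALERT " if hit else "ok    ", event["SourceAddress"],
              event["SourcePort"], "->", event["DestAddress"], event["DestPort"])
```

Only the first two constructed events fire; the LAN connection fails both RDP selectors, the two exclusions are removed by `not 1 of filter*`, and the 5158 record fails the selection. Note that the filters are keyed on the exact `FilterOrigin` string and on the application path suffix, so a log source that renders those fields differently will silently change which events are excluded.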