remote desktop may be used legitimately by users on the network.

Techniques

T1021.001

Sample rules

Remote Desktop Process Running On System

source: splunk
technicques:
- T1021.001

Description

The following analytic detects the execution of the remote desktop process (mstsc.exe) on systems where it is not typically run. This detection leverages data from Endpoint Detection and Response (EDR) agents, filtering out systems categorized as common RDP sources. This activity is significant because unauthorized use of mstsc.exe can indicate lateral movement or unauthorized remote access attempts. If confirmed malicious, this could allow an attacker to gain remote control of a system, potentially leading to data exfiltration, privilege escalation, or further network compromise.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process=*mstsc.exe
    AND
    Processes.dest_category!=common_rdp_source
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `drop_dm_object_name(Processes)`

| `remote_desktop_process_running_on_system_filter`

Remote Desktop Network Traffic

source: splunk
technicques:
- T1021.001

Description

The following analytic detects unusual Remote Desktop Protocol (RDP) traffic on TCP/3389 by filtering out known RDP sources and destinations, focusing on atypical connections within the network. This detection leverages network traffic data to identify potentially unauthorized RDP access. Monitoring this activity is crucial for a SOC as unauthorized RDP access can indicate an attacker’s attempt to control networked systems, leading to data theft, ransomware deployment, or further network compromise. If confirmed malicious, this activity could result in significant data breaches or complete system and network control loss.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Network_Traffic
  WHERE All_Traffic.dest_port=3389
    AND
    All_Traffic.dest_category!=common_rdp_destination
    AND
    All_Traffic.src_category!=common_rdp_source
    AND
    All_Traffic.action="allowed"
  BY All_Traffic.src All_Traffic.dest All_Traffic.dest_port
     All_Traffic.dest_ip All_Traffic.dvc All_Traffic.src_ip
     All_Traffic.src_port All_Traffic.vendor_product

| `drop_dm_object_name("All_Traffic")`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `remote_desktop_network_traffic_filter`