Techniques
Sample rules
Outbound RDP Connections Over Non-Standard Tools
- source: sigma
- techniques:
  - t1021
  - t1021.001
Description
Detects non-standard tools initiating an outbound connection to port 3389 (RDP), which can indicate lateral movement. Baseline your environment before enabling this rule so that any third-party RDP tooling in legitimate use can be added to the exclusion filters; otherwise it will be reported as non-standard.
Detection logic
selection:
  DestinationPort: 3389
  Initiated: 'true'
filter_main_mstsc:
  Image:
    - C:\Windows\System32\mstsc.exe
    - C:\Windows\SysWOW64\mstsc.exe
filter_optional_avast:
  Image|endswith:
    - \Avast Software\Avast\AvastSvc.exe
    - \Avast\AvastSvc.exe
filter_optional_chrome:
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
filter_optional_dns:
  Image: C:\Windows\System32\dns.exe
  Protocol: udp
  SourcePort: 53
filter_optional_empty:
  Image: ''
filter_optional_firefox:
  Image: C:\Program Files\Mozilla Firefox\firefox.exe
filter_optional_null:
  Image: null
filter_optional_sentinel_one:
  Image|endswith: \Ranger\SentinelRanger.exe
filter_optional_splunk:
  Image|startswith: C:\Program Files\SplunkUniversalForwarder\bin\
filter_optional_sysinternals_rdcman:
  Image|endswith: \RDCMan.exe
filter_optional_third_party:
  Image|endswith:
    - \FSAssessment.exe
    - \FSDiscovery.exe
    - \MobaRTE.exe
    - \mRemote.exe
    - \mRemoteNG.exe
    - \Passwordstate.exe
    - \RemoteDesktopManager.exe
    - \RemoteDesktopManager64.exe
    - \RemoteDesktopManagerFree.exe
    - \RSSensor.exe
    - \RTS2App.exe
    - \RTSApp.exe
    - \spiceworks-finder.exe
    - \Terminals.exe
    - \ws_TunnelService.exe
filter_optional_thor:
  Image|endswith:
    - \thor.exe
    - \thor64.exe
filter_optional_tsplus:
  Image:
    - C:\Program Files\TSplus\Java\bin\HTML5service.exe
    - C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe
filter_optional_unknown:
  Image: <unknown process>
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
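Worked example, added here and not part of the Sigma rule or the Sigma project: the detection section above transcribed into a small evaluator and run over a handful of constructed network-connection records. It assumes the rule's log source is Sysmon Event ID 3 (network_connection), which is where the Image, DestinationPort, Initiated, Protocol and SourcePort fields come from, and it reproduces Sigma's default semantics: string comparison is case-insensitive, a list of values is an OR, and the fields inside one selection or filter are ANDed. The sample events (process paths, ports) are made up for the illustration.

```python
"""Evaluate the 'Outbound RDP Connections Over Non-Standard Tools' logic.

Added example, not the Sigma project's code. Log source assumed to be
Sysmon Event ID 3; all sample events below are constructed.
"""
from typing import Any

# Detection section of the rule. Lists are ORed, fields within one block are ANDed.
SELECTION = {"DestinationPort": 3389, "Initiated": "true"}

FILTER_MAIN = {
    "filter_main_mstsc": {"Image": ["C:\\Windows\\System32\\mstsc.exe",
                                    "C:\\Windows\\SysWOW64\\mstsc.exe"]},
}

FILTER_OPTIONAL = {
    "filter_optional_avast": {"Image|endswith": ["\\Avast Software\\Avast\\AvastSvc.exe",
                                                 "\\Avast\\AvastSvc.exe"]},
    "filter_optional_chrome": {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    "filter_optional_dns": {"Image": "C:\\Windows\\System32\\dns.exe", "Protocol": "udp", "SourcePort": 53},
    "filter_optional_empty": {"Image": ""},
    "filter_optional_firefox": {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    "filter_optional_null": {"Image": None},
    "filter_optional_sentinel_one": {"Image|endswith": "\\Ranger\\SentinelRanger.exe"},
    "filter_optional_splunk": {"Image|startswith": "C:\\Program Files\\SplunkUniversalForwarder\\bin\\"},
    "filter_optional_sysinternals_rdcman": {"Image|endswith": "\\RDCMan.exe"},
    "filter_optional_third_party": {"Image|endswith": [
        "\\FSAssessment.exe", "\\FSDiscovery.exe", "\\MobaRTE.exe", "\\mRemote.exe",
        "\\mRemoteNG.exe", "\\Passwordstate.exe", "\\RemoteDesktopManager.exe",
        "\\RemoteDesktopManager64.exe", "\\RemoteDesktopManagerFree.exe", "\\RSSensor.exe",
        "\\RTS2App.exe", "\\RTSApp.exe", "\\spiceworks-finder.exe", "\\Terminals.exe",
        "\\ws_TunnelService.exe"]},
    "filter_optional_thor": {"Image|endswith": ["\\thor.exe", "\\thor64.exe"]},
    "filter_optional_tsplus": {"Image": ["C:\\Program Files\\TSplus\\Java\\bin\\HTML5service.exe",
                                         "C:\\Program Files (x86)\\TSplus\\Java\\bin\\HTML5service.exe"]},
    "filter_optional_unknown": {"Image": "<unknown process>"},
}


def _field_matches(field_spec: str, expected: Any, event: dict) -> bool:
    """One 'Field|modifier: value(s)' line; case-insensitive, list = OR."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    for value in expected if isinstance(expected, list) else [expected]:
        if value is None:                 # Sigma null: field absent from the event
            if actual is None:
                return True
            continue
        if actual is None:
            continue
        a, v = str(actual).lower(), str(value).lower()
        if (modifier == "endswith" and a.endswith(v)) or \
           (modifier == "startswith" and a.startswith(v)) or \
           (modifier == "" and a == v):
            return True
    return False


def _block_matches(spec: dict, event: dict) -> bool:
    """All fields of a selection/filter block must match (AND)."""
    return all(_field_matches(k, v, event) for k, v in spec.items())


def rule_fires(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not _block_matches(SELECTION, event):
        return False
    if any(_block_matches(f, event) for f in FILTER_MAIN.values()):
        return False
    return not any(_block_matches(f, event) for f in FILTER_OPTIONAL.values())


def _event(image: str, port: int = 3389, initiated: str = "true",
           proto: str = "tcp", sport: int = 49152) -> dict:
    """Build a minimal constructed Sysmon EID 3 record."""
    return {"Image": image, "DestinationPort": port, "Initiated": initiated,
            "Protocol": proto, "SourcePort": sport}


# Constructed sample events, keyed by what each one is meant to show.
SAMPLE_EVENTS = {
    "mstsc": _event("C:\\Windows\\System32\\mstsc.exe"),                     # stock client: suppressed
    "mstsc_upper": _event("C:\\WINDOWS\\system32\\MSTSC.EXE"),               # case-insensitive: suppressed
    "powershell": _event("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),  # fires
    "dns_udp": _event("C:\\Windows\\System32\\dns.exe", proto="udp", sport=53),  # DNS filter: suppressed
    "dns_tcp": _event("C:\\Windows\\System32\\dns.exe", proto="tcp"),       # filter needs udp/53: fires
    "renamed_chrome": _event("C:\\Users\\bob\\Downloads\\chrome.exe"),       # exact-path filter: fires
    "renamed_mremoteng": _event("C:\\Users\\bob\\Desktop\\mRemoteNG.exe"),  # endswith filter: suppressed
    "unknown": _event("<unknown process>"),                                  # suppressed
    "https": _event("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", port=443),  # no selection
}


def alerts() -> list:
    """Names of the sample events on which the rule fires, sorted."""
    return sorted(name for name, ev in SAMPLE_EVENTS.items() if rule_fires(ev))


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:18s} {'ALERT' if rule_fires(ev) else '-':6s} {ev['Image']}")
```

Two of the sample events are worth a second look when tuning this rule. The dns.exe filter only suppresses UDP connections with source port 53, so a TCP connection from dns.exe to 3389 still alerts, which is the intended behaviour. The `Image|endswith` filters, on the other hand, suppress any binary with a matching file name regardless of its directory, so a copy of mRemoteNG.exe dropped in a user profile is not reported; if that matters in your environment, pin those entries to full installation paths during the baseline.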