Techniques
Sample rules
.RDP File Created by Outlook Process
- source: sigma
- techniques:
Description
Detects the creation of files with the ".rdp" extension in the temporary directories that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that deliver RDP files as attachments.
Detection logic
    selection_extension:
        TargetFilename|endswith: .rdp
    selection_location:
        - TargetFilename|contains:
            - \AppData\Local\Packages\Microsoft.Outlook_
            - \AppData\Local\Microsoft\Olk\Attachments\
        - TargetFilename|contains|all:
            - \AppData\Local\Microsoft\Windows\
            - \Content.Outlook\
    condition: all of selection_*
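To check what the rule above actually fires on, here is an added example that re-implements its two selections and condition in plain Python and runs them over constructed Sysmon Event ID 11 (FileCreate) records. It is not code from the Sigma project; it assumes the events carry the Sysmon TargetFilename field, and the user names, cache folder names and package family name in the sample paths are placeholders.

```python
"""Re-implementation of the rule's detection logic over sample Sysmon events.

Added example, not code from the Sigma project. It assumes the events are
Sysmon Event ID 11 (FileCreate) records carrying a TargetFilename field.
Sigma string modifiers match case-insensitively, so every comparison is
done on lower-cased values.
"""

# Values taken from the rule. Normal (non-raw) strings are used so that the
# trailing backslashes in the directory patterns survive intact.
EXTENSION = ".rdp"                                      # TargetFilename|endswith
LOCATION_ANY = (                                        # TargetFilename|contains (OR)
    "\\AppData\\Local\\Packages\\Microsoft.Outlook_",
    "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\",
)
LOCATION_ALL = (                                        # TargetFilename|contains|all (AND)
    "\\AppData\\Local\\Microsoft\\Windows\\",
    "\\Content.Outlook\\",
)


def selection_extension(target_filename: str) -> bool:
    """selection_extension: the created file has the .rdp extension."""
    return target_filename.lower().endswith(EXTENSION)


def selection_location(target_filename: str) -> bool:
    """selection_location: any OR-list entry, or every AND-list entry."""
    name = target_filename.lower()
    any_outlook_dir = any(p.lower() in name for p in LOCATION_ANY)
    classic_temp_dir = all(p.lower() in name for p in LOCATION_ALL)
    return any_outlook_dir or classic_temp_dir


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -- both selections must hold."""
    target = event.get("TargetFilename", "")
    return selection_extension(target) and selection_location(target)


def evaluate(events):
    """Return the TargetFilename of every event the rule would fire on."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); folder names and the
# package family name suffix are placeholders.
SAMPLE_EVENTS = [
    # Classic Outlook attachment cache, .rdp file -> match (contains|all)
    {"EventID": 11, "TargetFilename":
     "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\EXAMPLE1\\invoice.rdp"},
    # New Outlook (Olk) attachment folder -> match (contains, second entry)
    {"EventID": 11, "TargetFilename":
     "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Olk\\Attachments\\EXAMPLE2\\remote.rdp"},
    # Store-packaged Outlook, upper-case extension -> match (case-insensitive)
    {"EventID": 11, "TargetFilename":
     "C:\\Users\\bob\\AppData\\Local\\Packages\\Microsoft.Outlook_EXAMPLEPFN\\LocalState\\REMOTE.RDP"},
    # Right folder, wrong extension -> no match
    {"EventID": 11, "TargetFilename":
     "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\EXAMPLE1\\report.docx"},
    # Right extension, ordinary Downloads folder -> no match
    {"EventID": 11, "TargetFilename":
     "C:\\Users\\alice\\Downloads\\session.rdp"},
    # Only one of the two contains|all strings present -> no match
    {"EventID": 11, "TargetFilename":
     "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Windows\\Temp\\session.rdp"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The last two sample events are the ones worth keeping in a test set: they show that the `contains|all` branch needs both the `\AppData\Local\Microsoft\Windows\` and `\Content.Outlook\` fragments, and that an `.rdp` file outside the Outlook attachment directories does not fire. Note that the logic as displayed keys only on the file path; it does not check the creating process image.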