New Remote Desktop Connection Initiated Via Mstsc.EXE
- source: sigma
- techniques:
- t1021
- t1021.001
Description
Detects the usage of “mstsc.exe” with the “/v” flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Detection logic
```yaml
selection_img:
  - Image|endswith: '\mstsc.exe'
  - OriginalFileName: 'mstsc.exe'
selection_cli:
  CommandLine|contains|windash: ' /v:'
filter_optional_wsl:
  ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
  CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
condition: all of selection_* and not 1 of filter_optional_*
```
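To show how the selections, the `windash` modifier and the optional WSLg filter combine, here is an added evaluator (not code from the rule or the Sigma project) run over constructed process-creation events; the field names follow the rule, the hostnames and paths in the events are made up, and, as in Sigma, string matching is case-insensitive.

```python
from typing import Dict, List

# windash: '/' and '-' are interchangeable; pySigma also expands to the
# Unicode en/em/horizontal-bar dashes, so they are accepted here as well.
WINDASH_CHARS = "/-\u2013\u2014\u2015"


def contains_windash(haystack: str, needle: str) -> bool:
    """True if any dash-variant of `needle` occurs in `haystack`."""
    return any(needle.replace("/", d) in haystack for d in WINDASH_CHARS)


def selection_img(ev: Dict[str, str]) -> bool:
    # List items in a Sigma selection are OR-ed: a renamed binary is still
    # caught through OriginalFileName from the PE header.
    return (ev.get("Image", "").lower().endswith("\\mstsc.exe")
            or ev.get("OriginalFileName", "").lower() == "mstsc.exe")


def selection_cli(ev: Dict[str, str]) -> bool:
    return contains_windash(ev.get("CommandLine", "").lower(), " /v:")


def filter_optional_wsl(ev: Dict[str, str]) -> bool:
    # Keys inside one map are AND-ed: both must hold to suppress the alert.
    return (ev.get("ParentImage", "").lower() == r"c:\windows\system32\lxss\wslhost.exe"
            and r"c:\programdata\microsoft\wsl\wslg.rdp" in ev.get("CommandLine", "").lower())


def rule_matches(ev: Dict[str, str]) -> bool:
    # condition: all of selection_* and not 1 of filter_optional_*
    return selection_img(ev) and selection_cli(ev) and not filter_optional_wsl(ev)


# Constructed sample events (not real telemetry).
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mstsc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": "mstsc.exe /v:srv01.corp.example", "ParentImage": r"C:\Windows\explorer.exe"},
    # renamed copy, dash instead of slash: matches via OriginalFileName + windash
    {"Image": r"C:\Users\Public\m.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": "m.exe -v:srv01", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # WSLg's own RDP session to the Linux GUI host: excluded by the filter
    {"Image": r"C:\Windows\System32\mstsc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": r"mstsc.exe /v:localhost C:\ProgramData\Microsoft\WSL\wslg.rdp",
     "ParentImage": r"C:\Windows\System32\lxss\wslhost.exe"},
    # mstsc opened interactively without /v: no selection_cli match
    {"Image": r"C:\Windows\System32\mstsc.exe", "OriginalFileName": "mstsc.exe",
     "CommandLine": "mstsc.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


def run() -> List[bool]:
    return [rule_matches(e) for e in EVENTS]
```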