Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

RDP over Reverse SSH Tunnel WFP

Detects svchost hosting RDP termsvcs communicating with the loopback address

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Samir BousseadenCreated Sat Feb 16Updated Fri Sep 025bed80b6-b3e8-428e-a3ae-d3c757589e41windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic5 selectors
detection:
    selection:
        EventID: 5156
    sourceRDP:
        SourcePort: 3389
        DestAddress:
            - '127.*'
            - '::1'
    destinationRDP:
        DestPort: 3389
        SourceAddress:
            - '127.*'
            - '::1'
    filter_app_container:
        FilterOrigin: 'AppContainer Loopback'
    filter_thor:  # checking BlueKeep vulnerability
        Application|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
False Positives

Programs that connect locally to the RDP port

References
1
Resolving title…
twitter.com
2
Resolving title…
github.com
MITRE ATT&CK

CAR Analytics

2013-07-002 · CAR 2013-07-002
Rule Metadata
Rule ID
5bed80b6-b3e8-428e-a3ae-d3c757589e41
Status
test
Level
high
Type
Detection
Created
Sat Feb 16
Modified
Fri Sep 02
Author
Samir Bousseaden
Path
rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml
Raw Tags
attack.defense-evasionattack.command-and-controlattack.lateral-movementattack.t1090.001attack.t1090.002attack.t1021.001car.2013-07-002
View on GitHub