Detectionhightest
RDP Over Reverse SSH Tunnel
Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsNetwork Connection
ProductWindows← raw: windows
CategoryNetwork Connection← raw: network_connection
Events for outbound and inbound network connections including DNS resolution.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
Image|endswith: '\svchost.exe'
Initiated: 'true'
SourcePort: 3389
selection_destination:
DestinationIp|cidr:
- '127.0.0.0/8'
- '::1/128'
condition: all of selection_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Techniques
Sub-techniques
CAR Analytics
2013-07-002 · CAR 2013-07-002
Rule Metadata
Rule ID
5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
Status
test
Level
high
Type
Detection
Created
Sat Feb 16
Modified
Tue Mar 12
Author
Path
rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
Raw Tags
attack.command-and-controlattack.t1572attack.lateral-movementattack.t1021.001car.2013-07-002