Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential Remote Desktop Tunneling

Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Tim Rauch, Elastic SecurityCreated Tue Sep 278a3038e8-9c9d-46f8-b184-66234a160f6fwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        CommandLine|contains: ':3389' # RDP port and usual SSH tunneling related switches in command line
    selection_opt:
        CommandLine|contains:
            - ' -L '
            - ' -P '
            - ' -R '
            - ' -pw '
            - ' -ssh '
    condition: all of selection*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
elastic.co
MITRE ATT&CK
Rule Metadata
Rule ID
8a3038e8-9c9d-46f8-b184-66234a160f6f
Status
test
Level
medium
Type
Detection
Created
Tue Sep 27
Author
Tim Rauch, Elastic Security
Path
rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml
Raw Tags
attack.lateral-movementattack.t1021
View on GitHub