Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Outbound RDP Connections Over Non-Standard Tools

Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Markus NeisCreated Wed May 15Updated Fri Feb 09ed74fe75-7594-4b4b-ae38-e38e3fd2eb23windows
Log Source
WindowsNetwork Connection
ProductWindows← raw: windows
CategoryNetwork Connection← raw: network_connection

Events for outbound and inbound network connections including DNS resolution.

Detection Logic
Detection Logic15 selectors
detection:
    selection:
        DestinationPort: 3389
        Initiated: 'true'
    filter_main_mstsc:
        Image:
            - 'C:\Windows\System32\mstsc.exe'
            - 'C:\Windows\SysWOW64\mstsc.exe'
    filter_optional_dns:
        # Note: https://github.com/SigmaHQ/sigma/pull/2249
        Image: 'C:\Windows\System32\dns.exe'
        SourcePort: 53
        Protocol: 'udp'
    filter_optional_avast:
        Image|endswith:
            - '\Avast Software\Avast\AvastSvc.exe'
            - '\Avast\AvastSvc.exe'
    filter_optional_sysinternals_rdcman:
        Image|endswith: '\RDCMan.exe'
    filter_optional_chrome:
        Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_third_party:
        Image|endswith:
            - '\FSAssessment.exe'
            - '\FSDiscovery.exe'
            - '\MobaRTE.exe'
            - '\mRemote.exe'
            - '\mRemoteNG.exe'
            - '\Passwordstate.exe'
            - '\RemoteDesktopManager.exe'
            - '\RemoteDesktopManager64.exe'
            - '\RemoteDesktopManagerFree.exe'
            - '\RSSensor.exe'
            - '\RTS2App.exe'
            - '\RTSApp.exe'
            - '\spiceworks-finder.exe'
            - '\Terminals.exe'
            - '\ws_TunnelService.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_splunk:
        Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
    filter_optional_sentinel_one:
        Image|endswith: '\Ranger\SentinelRanger.exe'
    filter_optional_firefox:
        Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tsplus:  # Some RAS
        Image:
            - 'C:\Program Files\TSplus\Java\bin\HTML5service.exe'
            - 'C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
    filter_optional_null:
        Image: null
    filter_optional_empty:
        Image: ''
    filter_optional_unknown:
        Image: '<unknown process>'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives

Third party RDP tools

References
1
Resolving title…
portal.msrc.microsoft.com
MITRE ATT&CK

CAR Analytics

2013-07-002 · CAR 2013-07-002
Rule Metadata
Rule ID
ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
Status
test
Level
high
Type
Detection
Created
Wed May 15
Modified
Fri Feb 09
Author
Markus Neis
Path
rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
Raw Tags
attack.lateral-movementattack.t1021.001car.2013-07-002
View on GitHub