Detectionhightest
.RDP File Created By Uncommon Application
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Apr 18Updated Fri Nov 01fccfb43e-09a7-4bd2-8b37-a5a7df33386dwindows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic1 selector
detection:
selection:
TargetFilename|endswith: '.rdp'
Image|endswith:
# Covers browsers
- '\brave.exe'
- '\CCleaner Browser\Application\CCleanerBrowser.exe'
- '\chromium.exe'
- '\firefox.exe'
- '\Google\Chrome\Application\chrome.exe'
- '\iexplore.exe'
- '\microsoftedge.exe'
- '\msedge.exe'
- '\Opera.exe'
- '\Vivaldi.exe'
- '\Whale.exe'
# Covers email clients
- '\olk.exe' # Outlook
- '\Outlook.exe'
- '\RuntimeBroker.exe' # If the windows mail client is used
- '\Thunderbird.exe'
# Covers chat applications
- '\Discord.exe' # Should open the browser for download, but just in case.
- '\Keybase.exe'
- '\msteams.exe'
- '\Slack.exe'
- '\teams.exe'
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Related Rules
Derived
Rule not foundf748c45a-f8d3-4e6f-b617-fe176f695b8f
Rule Metadata
Rule ID
fccfb43e-09a7-4bd2-8b37-a5a7df33386d
Status
test
Level
high
Type
Detection
Created
Tue Apr 18
Modified
Fri Nov 01
Path
rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml
Raw Tags
attack.defense-evasion