Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Reformatted 694fa56 May 15, 2019
2 contributors

Users who have contributed to this file

@Neo23x0 @t0x1c-1
41 lines (40 sloc) 1.23 KB
title: Suspicious Outbound RDP Connections
status: experimental
description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis - Swisscom
date: 2019/05/15
tags:
- attack.lateral_movement
- attack.t1210
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
DestinationPort: 3389
filter:
Image:
- '*\mstsc.exe'
- '*\RTSApp.exe'
- '*\RTS2App.exe'
- '*\RDCMan.exe'
- '*\ws_TunnelService.exe'
- '*\RSSensor.exe'
- '*\RemoteDesktopManagerFree.exe'
- '*\RemoteDesktopManager.exe'
- '*\RemoteDesktopManager64.exe'
- '*\mRemoteNG.exe'
- '*\mRemote.exe'
- '*\Terminals.exe'
- '*\spiceworks-finder.exe'
- '*\FSDiscovery.exe'
- '*\FSAssessment.exe'
- '*\MobaRTE.exe'
- '*\chrome.exe'
condition: selection and not filter
falsepositives:
- Other Remote Desktop RDP tools
level: high
You can’t perform that action at this time.