security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/process_creation/proc_creation_win_mstsc.yml
T

29 lines
1012 B
YAML
Raw Normal View History

Windows Redcannary
2022-01-08 09:17:56 +01:00
title: Remote Desktop Protocol Use Mstsc
id: 954f0af7-62dd-418f-b3df-a84bc2c7a774
status: experimental
description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
date: 2022/01/07
logsource:
category: process_creation
product: windows
detection:
selection_mstsc:
Image|endswith: \mstsc.exe
CommandLine|contains: ' /v:'
selection_cmdkey:
Image|endswith: \cmdkey.exe
CommandLine|contains|all:
- '/generic:'
- '/user:'
- '/pass:'
condition: 1 of selection_*
falsepositives:
fix: more falsepositives harmonization
2022-03-16 14:39:23 +01:00
- Unknown
Windows Redcannary
2022-01-08 09:17:56 +01:00
level: medium
tags:
- attack.lateral_movement
- attack.t1021.001
Reference in New Issue Copy Permalink