Update win_rdp_reverse_tunnel.yml
With the recent example for the evtx: RDP tunneling can happen not only from port 3389, so I tuned it to fit in general. Changed the obsolete Twitter status to a link to the evtx from Samir Bousseaden.
@@ -1,8 +1,8 @@
title: RDP over Reverse SSH Tunnel WFP
status: experimental
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
description: Detects svchost hosting RDP termsvcs communicating with the loopback address
references:
- https://twitter.com/SBousseaden/status/1096148422984384514
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
author: Samir Bousseaden
date: 2019/02/16
tags:
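Review bot: the metadata still reads `date: 2019/02/16` although the description and references lines change here; add a `modified:` field with the date of this edit so rule consumers can tell the revised version from the original. Also, since the new description drops "and on TCP port 3389", make sure the detection block below actually stops relying on port 3389, otherwise description and logic disagree.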
@@ -17,12 +17,10 @@ detection:
selection:
EventID: 5156
sourceRDP:
SourcePort: 3389
DestinationAddress:
- '127.*'
- '::1'
destinationRDP:
DestinationPort: 3389
SourceAddress:
- '127.*'
- '::1'
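Review bot: the header `@@ -17,12 +17,10 @@` says two lines were removed and none added, but the rendered view has lost the `+`/`-` markers, so it is not clear which of `SourcePort: 3389` / `DestinationPort: 3389` or the address lists went. If the two port constraints are what was dropped to match the commit's "not only from port 3389" intent, the remaining selectors (`EventID: 5156` plus a loopback `127.*`/`::1` address) will match every audited loopback connection on the host; add a constraint that ties the event to the RDP service (for example the svchost/termsvcs process the description names) or document the expected false-positive increase in `falsepositives:`. If the port lines stay, the description change in the first hunk should be reverted to keep it honest.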