[New Rule] Potential Remote Desktop Shadowing Activity (#1101)

* [New Rule] Potential Remote Desktop Shadowing Activity

* added event.ingested

* Update rules/windows/lateral_movement_evasion_rdp_shadowing.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_evasion_rdp_shadowing.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Samirbous
2021-04-14 22:09:49 +02:00
committed by GitHub
parent 66dff28498
commit 7408133f79
@@ -0,0 +1,54 @@
[metadata]
creation_date = "2021/04/12"
maturity = "production"
updated_date = "2021/04/12"
[rule]
author = ["Elastic"]
description = """
Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes
indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active
RDP sessions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote Desktop Shadowing Activity"
references = [
"https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing",
"https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"]
risk_score = 73
rule_id = "c57f8579-e2a5-4804-847f-f2732edc5156"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
/* Identifies the modification of RDP Shadow registry or
the execution of processes indicative of active shadow RDP session */
any where
(event.category == "registry" and
registry.path : "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow"
) or
(event.category == "process" and
(process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or
(process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
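Review bot: The process branch of the query (`(event.category == "process" and` through the closing `)`) relies on EQL's `and` binding tighter than `or`, so `event.category == "process"` only governs the RdpSaUacHelper/RdpSaProxy clause, and neither process clause constrains `event.type`, meaning a process-end event for `mstsc.exe /shadow:*` matches too and one shadowing session can raise two alerts. Grouping both process clauses under a shared `event.category == "process" and event.type == "start"` makes the intended precedence explicit and leaves the registry branch untouched, as below. The registry branch fires on any write to the `Shadow` policy value, including one that disables shadowing, so the `description` (or a `note` field, which the rule lacks) should say that triage depends on the value written rather than treating every hit as abuse. Separately, the description reads `other users active RDP sessions`; it should be `other users' active RDP sessions`.
```toml
query = '''
/* … unchanged: comment header and registry branch … */
) or
(event.category == "process" and event.type == "start" and
  (
    (process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or
    (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")
  )
)
'''
```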