security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
724e34ba95ffb48d13e18a91c547800986164572
sigma-rules/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
T

77 lines
2.8 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/04/12"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
[rule]
author = ["Elastic"]
description = """
Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes
indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control
other users active RDP sessions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote Desktop Shadowing Activity"
references = [
"https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing",
"https://swarm.ptsecurity.com/remote-desktop-services-shadowing/",
]
risk_score = 73
rule_id = "c57f8579-e2a5-4804-847f-f2732edc5156"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
/* Identifies the modification of RDP Shadow registry or
the execution of processes indicative of active shadow RDP session */
any where host.os.type == "windows" and
(
(event.category == "registry" and
registry.path : (
"HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
"\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow"
)
) or
(event.category == "process" and event.type == "start" and
(process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or
(process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.001"
name = "Remote Desktop Protocol"
reference = "https://attack.mitre.org/techniques/T1021/001/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
Reference in New Issue View Git Blame Copy Permalink