- title: Suspicious Outbound RDP Connections
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: experimental
description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible
lateral movement
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis - Swisscom
date: 2019/05/15
tags:
- attack.lateral_movement
- attack.t1210
- car.2013-07-002
logsource:
product: windows
service: sysmon
category: null
detection:
selection:
EventID: 3
DestinationPort: 3389
Initiated: 'true'
filter:
Image:
- '*\mstsc.exe'
- '*\RTSApp.exe'
- '*\RTS2App.exe'
- '*\RDCMan.exe'
- '*\ws_TunnelService.exe'
- '*\RSSensor.exe'
- '*\RemoteDesktopManagerFree.exe'
- '*\RemoteDesktopManager.exe'
- '*\RemoteDesktopManager64.exe'
- '*\mRemoteNG.exe'
- '*\mRemote.exe'
- '*\Terminals.exe'
- '*\spiceworks-finder.exe'
- '*\FSDiscovery.exe'
- '*\FSAssessment.exe'
- '*\MobaRTE.exe'
- '*\chrome.exe'
- '*\thor.exe'
- '*\thor64.exe'
condition: selection and not filter
falsepositives:
- Other Remote Desktop RDP tools
level: high
In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-endpoint-winevent-sysmon-*', doc_type='doc')
In [ ]:
s = searchContext.query('query_string', query='((event_id:"3" AND dst_port:"3389" AND network_initiated:"true") AND (NOT (process_path.keyword:(*\\mstsc.exe OR *\\RTSApp.exe OR *\\RTS2App.exe OR *\\RDCMan.exe OR *\\ws_TunnelService.exe OR *\\RSSensor.exe OR *\\RemoteDesktopManagerFree.exe OR *\\RemoteDesktopManager.exe OR *\\RemoteDesktopManager64.exe OR *\\mRemoteNG.exe OR *\\mRemote.exe OR *\\Terminals.exe OR *\\spiceworks\-finder.exe OR *\\FSDiscovery.exe OR *\\FSAssessment.exe OR *\\MobaRTE.exe OR *\\chrome.exe OR *\\thor.exe OR *\\thor64.exe))))')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
df.head()