Merge pull request SigmaHQ#338 from yt0ng/development

Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
Onager · May 15, 2019 · 9e2345c · 9e2345c
2 parents a6d2a5d + 694fa56
commit 9e2345c
Showing 1 changed file with 40 additions and 0 deletions.
diff --git a/rules/windows/sysmon/sysmon_susp_rdp.yml b/rules/windows/sysmon/sysmon_susp_rdp.yml
@@ -0,0 +1,40 @@
+title: Suspicious Outbound RDP Connections 
+status: experimental
+description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
+references:
+    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
+author: Markus Neis - Swisscom 
+date: 2019/05/15
+tags:
+    - attack.lateral_movement
+    - attack.t1210
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 3
+        DestinationPort: 3389 
+    filter:
+        Image:
+            - '*\mstsc.exe'
+            - '*\RTSApp.exe'
+            - '*\RTS2App.exe'
+            - '*\RDCMan.exe'
+            - '*\ws_TunnelService.exe'
+            - '*\RSSensor.exe'
+            - '*\RemoteDesktopManagerFree.exe'
+            - '*\RemoteDesktopManager.exe'
+            - '*\RemoteDesktopManager64.exe'
+            - '*\mRemoteNG.exe'
+            - '*\mRemote.exe'
+            - '*\Terminals.exe'
+            - '*\spiceworks-finder.exe'
+            - '*\FSDiscovery.exe'
+            - '*\FSAssessment.exe'
+            - '*\MobaRTE.exe'
+            - '*\chrome.exe'
+    condition: selection and not filter 
+falsepositives:
+    - Other Remote Desktop RDP tools
+level: high