Outbound RDP Connections Over Non-Standard Tools
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
--- | --- | --- | --- | --- |
Outbound RDP Connections Over Non-Standard Tools | Standard | Windows | Lateral Movement: Remote Services - Remote Desktop Protocol (T1021.001) | Trouble |
About the rule
Rule Type
Standard
Rule Description
This rule detects a process other than the default Windows RDP client (mstsc.exe), i.e. a non-standard tool, initiating a connection to a remote system over port 3389 (RDP), which indicates possible lateral movement.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access (Credential Dumping) → Privilege Escalation → Lateral Movement (through RDP) → Command and control → Impact
Impact
- Privileges are escalated on accounts or systems that are valid RDP targets in order to gain access.
- For lateral movement, the attacker uses a non-standard tool to open an RDP session to another host.
- RDP is abused as a tunnel for C2 channels.
- Data is exfiltrated.
Rule Requirement
Prerequisites
- Download and install Sysmon from Microsoft Sysinternals. Then open a Command Prompt with administrator privileges and install Sysmon with a configuration file that monitors network connections:
  sysmon.exe -i [configfile.xml]
- Add network connection events to your configuration file so that they are monitored. The schemaversion attribute is required by Sysmon; set it to the schema version of your installed Sysmon build:
  <Sysmon schemaversion="4.90">
    <EventFiltering>
      <!-- onmatch="exclude" with no rules captures all network connection events (Event ID 3) -->
      <NetworkConnect onmatch="exclude"/>
    </EventFiltering>
  </Sysmon>
- Create a new registry key named "Microsoft-Windows-Sysmon/Network" under "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
- Set the registry value Max Size to 200MB to ensure adequate storage for network logs, which tend to be high volume.
Criteria
Action1: actionname = "sa_network_connection"
  AND (DEST_PORT = 3389 AND IS_INITIATED = "true")
  AND PROCESSNAME != "C:\Windows\System32\mstsc.exe,C:\Windows\SysWOW64\mstsc.exe"
  AND ((PROCESSNAME != "C:\Windows\System32\dns.exe" OR SOURCEPORT != 53 OR PROTOCOL != "udp")
       AND PROCESSNAME notendswith "\Avast Software\Avast\AvastSvc.exe,\Avast\AvastSvc.exe"
       AND PROCESSNAME notendswith "\RDCMan.exe"
       AND PROCESSNAME != "C:\Program Files\Google\Chrome\Application\chrome.exe"
       AND PROCESSNAME notendswith "\FSAssessment.exe,\FSDiscovery.exe,\MobaRTE.exe,\mRemote.exe,\mRemoteNG.exe,\Passwordstate.exe,\RemoteDesktopManager.exe,\RemoteDesktopManager64.exe,\RemoteDesktopManagerFree.exe,\RSSensor.exe,\RTS2App.exe,\RTSApp.exe,\spiceworks-finder.exe,\Terminals.exe,\ws_TunnelService.exe"
       AND PROCESSNAME notendswith "\thor.exe,\thor64.exe"
       AND PROCESSNAME notstartswith "C:\Program Files\SplunkUniversalForwarder\bin"
       AND PROCESSNAME notendswith "\Ranger\SentinelRanger.exe"
       AND PROCESSNAME != "C:\Program Files\Mozilla Firefox\firefox.exe"
       AND PROCESSNAME != "C:\Program Files\TSplus\Java\bin\HTML5service.exe,C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe"
       AND isExist(PROCESSNAME) AND PROCESSNAME != "")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.USERNAME, Action1.PROCESSNAME, Action1.DESTINATIONHOST, Action1.DESTINATION_IPV6, Action1.DEST_IP, Action1.SOURCEHOST, Action1.SOURCE_IP, Action1.SOURCE_IPV6
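As an added illustration (not the product's own code), the following Python applies the criteria above to constructed Sysmon Event ID 3 records: every exclusion list in the rule is mirrored, the dns.exe clause is evaluated as the rule writes it, and triage returns the alert tuple for each event that fires. Field names are Sysmon's; the sample events are constructed.

```python
# Added example, not the product's own code: applies this rule's criteria to
# constructed Sysmon Event ID 3 (NetworkConnect) records using Sysmon field names.
EXACT_ALLOW = {p.lower() for p in (            # the rule's "!=" full-path exclusions
    r"C:\Windows\System32\mstsc.exe", r"C:\Windows\SysWOW64\mstsc.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\TSplus\Java\bin\HTML5service.exe",
    r"C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe")}
SUFFIX_ALLOW = tuple(s.lower() for s in (      # the rule's "notendswith" lists
    r"\Avast Software\Avast\AvastSvc.exe", r"\Avast\AvastSvc.exe", r"\RDCMan.exe",
    r"\FSAssessment.exe", r"\FSDiscovery.exe", r"\MobaRTE.exe", r"\mRemote.exe",
    r"\mRemoteNG.exe", r"\Passwordstate.exe", r"\RemoteDesktopManager.exe",
    r"\RemoteDesktopManager64.exe", r"\RemoteDesktopManagerFree.exe", r"\RSSensor.exe",
    r"\RTS2App.exe", r"\RTSApp.exe", r"\spiceworks-finder.exe", r"\Terminals.exe",
    r"\ws_TunnelService.exe", r"\thor.exe", r"\thor64.exe", r"\Ranger\SentinelRanger.exe"))
PREFIX_ALLOW = (r"c:\program files\splunkuniversalforwarder\bin",)  # "notstartswith"

def is_suspicious_rdp(ev: dict) -> bool:
    """True when a non-allowlisted process initiates a connection to port 3389."""
    image = (ev.get("Image") or "").strip().lower()
    if not image:                                   # isExist(PROCESSNAME) AND != ""
        return False
    if ev.get("DestinationPort") != 3389 or not ev.get("Initiated"):
        return False
    # dns.exe is excluded only when it is acting as the UDP/53 resolver
    if (image == r"c:\windows\system32\dns.exe" and ev.get("SourcePort") == 53
            and ev.get("Protocol", "").lower() == "udp"):
        return False
    if image in EXACT_ALLOW or image.startswith(PREFIX_ALLOW):
        return False
    return not image.endswith(SUFFIX_ALLOW)

def triage(events: list) -> list:
    """Return (host, user, image, dest_ip) for every event that fires the rule."""
    return [(e["Computer"], e["User"], e["Image"], e["DestinationIp"])
            for e in events if is_suspicious_rdp(e)]

# Constructed sample events (not real telemetry): client, allowlisted tool,
# unknown tool, and an inbound (not initiated) connection.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "Image": r"C:\Windows\System32\mstsc.exe",
     "Initiated": True, "DestinationPort": 3389, "DestinationIp": "10.0.0.5"},
    {"Computer": "WS01", "User": "CORP\\alice", "Image": r"C:\Tools\mRemoteNG.exe",
     "Initiated": True, "DestinationPort": 3389, "DestinationIp": "10.0.0.6"},
    {"Computer": "WS02", "User": "CORP\\svc_build", "Image": r"C:\Users\Public\tool.exe",
     "Initiated": True, "DestinationPort": 3389, "DestinationIp": "10.0.0.7"},
    {"Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": False, "DestinationPort": 50011, "DestinationIp": "10.0.0.9"},
]
```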
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Lateral Movement: Remote Services - Remote Desktop Protocol (T1021.001)
Security Standards
Enabling this rule will help you meet the security standard's requirements listed below:
ID.AM-03: Representations of the organization’s authorized network communication and internal and external network data flows are maintained.
The security standard recommends that security administrators map and document how data moves across the network, including both internal and external communication.
DE.CM-01: Networks and network services are monitored to find potentially adverse events.
Security administrators must continuously monitor the network and its services in real time using SIEM tools, and identify unusual behavior in RDP connections initiated by non-standard tools. Enforce policies on web traffic to ensure network security.
Author
Markus Neis
Future actions
Known False Positives
A false positive alert may be triggered when third-party RDP tools or remote management software such as those used for IT monitoring, vault access, or automation platforms are actively used within the environment.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify the event and check if the flagged incident is new or part of an existing one.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connection and terminate the malicious process.
- Reconfiguration: Update the network policies and port configurations and continuously monitor traffic trends in the network.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
--- | --- | --- |
M1042 | Disable or Remove Feature or Program | Identify software (including native binaries) or features that are no longer needed or could be exploited by adversaries, and disable or remove them from the system environment. |
M1047 | Audit | Audit the RDP user groups regularly and remove stale and unnecessary accounts from them. |
M1035 | Limit Access to Resource Over Network | Deploy remote desktop gateways so that RDP access is brokered through authenticated, access-controlled entry points. |
M1032 | Multi-factor Authentication | For secured remote logins, deploy multi-factor authentication applications. |
M1030 | Network Segmentation | Disable Remote Desktop Protocol (RDP) to the internet, and configure firewall rules to restrict RDP traffic between different network security zones within your internal environment. |
M1028 | Operating System Configuration | Configure Group Policy Objects (GPOs) to enforce shorter session timeouts and set limits on the maximum duration of active sessions. Define how long disconnected sessions remain active on the Remote Desktop Session Host server. |
M1026 | Privileged Account Management | Restrict access, limit the scope of permissions, and monitor privileged account usage by implementing policies, controls, and tools to manage privileged accounts securely. Also, ensure that the local administrators group is excluded from the list of groups allowed to log in via RDP. |
M1018 | User Account Management | Update policies to limit remote user access and privileges. |