-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2013-07-002.yaml
58 lines (53 loc) · 2.33 KB
/
CAR-2013-07-002.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
---
title: RDP Connection Detection
submission_date: 2013/07/24
information_domain: 'Analytic, Network'
subtypes:
- Map building
- Anomaly
- Hostflow
analytic_types:
- Situational Awareness
- TTP
contributors:
- MITRE
id: CAR-2013-07-002
description: |-
The [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to [laterally move](https://attack.mitre.org/tactics/TA0008) to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise.
Remote Desktop can be detected in several ways
- Network connections to port 3389/tcp (assuming use of the default port)
- Packet capture analysis
- Windows security logs (Event ID 4624, 4634, 4647, 4778)
- Detecting network connections from `mstsc.exe`
- Execution of the process `rdpclip.exe`
- Runs as the clipboard manager on the RDP target if clipboard sharing is enabled
### Output Description
The time of the Connection, the source, the destination, and the user name used
coverage:
- technique: T1021
tactics:
- TA0008
subtechniques:
- T1021.001
coverage: Medium
implementations:
- code: |-
flow_start = search Flow:Start
flow_end = search Flow:End
rdp_start = filter flow_start where (port == "3389")
rdp_end = filter flow_start where (port == "3389")
rdp = group flow_start, flow_end by src_ip, src_port, dest_ip, dest_port
output rdp
type: pseudocode
- name: Sigma (Localhost Login)
description: '[Sigma](https://github.com/Neo23x0/sigma/blob/master/rules/windows/builtin/win_rdp_localhost_login.yml) rule, focusing on RDP localhost login.'
type: Sigma
data_model_references:
- flow/end/dest_port
- flow/start/dest_ip
- flow/start/dest_port
- flow/start/src_ip
d3fend_mappings:
- iri: d3f:RemoteTerminalSessionDetection
id: D3-RTSD
label: Remote Terminal Session Detection