title: Suspicious Outbound RDP Connections
author: Markus Neis - Swisscom
date: 2019/05/15
description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible
  lateral movement
detection:
  SELECTION_1:
    EventID: 3
  SELECTION_2:
    DestinationPort: 3389
  SELECTION_3:
    Initiated: 'true'
  SELECTION_4:
    Image:
    - '*\mstsc.exe'
    - '*\RTSApp.exe'
    - '*\RTS2App.exe'
    - '*\RDCMan.exe'
    - '*\ws_TunnelService.exe'
    - '*\RSSensor.exe'
    - '*\RemoteDesktopManagerFree.exe'
    - '*\RemoteDesktopManager.exe'
    - '*\RemoteDesktopManager64.exe'
    - '*\mRemoteNG.exe'
    - '*\mRemote.exe'
    - '*\Terminals.exe'
    - '*\spiceworks-finder.exe'
    - '*\FSDiscovery.exe'
    - '*\FSAssessment.exe'
    - '*\MobaRTE.exe'
    - '*\chrome.exe'
    - '*\System32\dns.exe'
    - '*\thor.exe'
    - '*\thor64.exe'
  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
falsepositives:
- Other Remote Desktop RDP tools
- domain controller using dns.exe
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
level: high
logsource:
  category: network_connection
  product: windows
modified: 2020/08/24
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
status: experimental
tags:
- attack.lateral_movement
- attack.t1021.001
- attack.t1076
- car.2013-07-002
ruletype: SIGMA