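// title: Suspicious Outbound RDP Connections
// description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
//
// reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
//
// original author: Markus Neis (Swisscom)
// KQL author: Maarten Goet (condicio)
//
// MITRE ATT&CK: lateral_movement, t1210
//
// Data source: Sysmon Event ID 3 (network connection) rows in the Log Analytics
// 'Event' table, with the Sysmon fields still embedded as XML in EventData.
// Output: every matching Event row with the parsed Sysmon fields appended
// (no projection, so downstream consumers keep all original columns).
Event
// Narrow to Sysmon network-connection events BEFORE parsing, so the
// comparatively expensive parse below only runs on that subset.
// toint() keeps the comparison valid whether EventID arrives as int (its
// type in the standard Event table schema) or as string; the original
// string comparison 'EventID == "3"' does not compare against an int column.
| where toint(EventID) == 3
// Field order follows the Sysmon Event ID 3 EventData layout. parse is
// positional: a missing or reordered <Data> element leaves the remaining
// fields empty for that row instead of raising an error.
| parse EventData with
* 'Data Name="RuleName">' RuleName '<'
* 'Data Name="UtcTime">' UtcTime '<'
* 'Data Name="ProcessGuid">' ProcessGuid '<'
* 'Data Name="ProcessId">' ProcessId '<'
* 'Data Name="Image">' Image '<'
* 'Data Name="User">' User '<'
* 'Data Name="Protocol">' Protocol '<'
* 'Data Name="Initiated">' Initiated '<'
* 'Data Name="SourceIsIpv6">' SourceIsIpv6 '<'
* 'Data Name="SourceIp">' SourceIp '<'
* 'Data Name="SourceHostname">' SourceHostname '<'
* 'Data Name="SourcePort">' SourcePort '<'
* 'Data Name="SourcePortName">' SourcePortName '<'
* 'Data Name="DestinationIsIpv6">' DestinationIsIpv6 '<'
* 'Data Name="DestinationIp">' DestinationIp '<'
* 'Data Name="DestinationHostname">' DestinationHostname '<'
* 'Data Name="DestinationPort">' DestinationPort '<'
* 'Data Name="DestinationPortName">' DestinationPortName '<'
*
// Parsed fields are strings, hence the quoted port.
// The allowlist names known RDP / remote-management clients by image file
// name only (endswith is case-insensitive). It reduces noise but does not
// establish the binary's identity; corroborate hits with signer or hash data
// from Sysmon Event ID 1 before closing them as benign.
// NOTE(review): the title says "Outbound" but, like the upstream rule, no
// Initiated == "true" condition is applied; add one if inbound 3389
// connections accepted by the local RDP service prove too noisy — confirm
// against your data before changing.
| where DestinationPort == "3389" and not
(Image endswith "\\mstsc.exe"
or Image endswith "\\RTSApp.exe"
or Image endswith "\\RTS2App.exe"
or Image endswith "\\RDCMan.exe"
or Image endswith "\\ws_TunnelService.exe"
or Image endswith "\\RSSensor.exe"
or Image endswith "\\RemoteDesktopManagerFree.exe"
or Image endswith "\\RemoteDesktopManager.exe"
or Image endswith "\\RemoteDesktopManager64.exe"
or Image endswith "\\mRemoteNG.exe"
or Image endswith "\\mRemote.exe"
or Image endswith "\\Terminals.exe"
or Image endswith "\\spiceworks-finder.exe"
or Image endswith "\\FSDiscovery.exe"
or Image endswith "\\FSAssessment.exe"
or Image endswith "\\MobaRTE.exe"
or Image endswith "\\chrome.exe")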