IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential SharpRDP Behavior
editPotential SharpRDP Behavior
editIdentifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 4 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.16.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query
edit/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ sequence by host.id with maxspan=1m [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.address != "127.0.0.1" and source.address != "::1" ] [registry where process.name : "explorer.exe" and registry.path : ("HKEY_USERS\\*\\Software\\Micr osoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*") ] [process where event.type in ("start", "process_started") and (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and not process.name : "conhost.exe" ]
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
Rule version history
edit- Version 4 (7.16.0 release)
-
-
Updated query, changed from:
/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ sequence by host.id with maxspan=1m [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and network.direction == "incoming" and network.transport == "tcp" and source.address != "127.0.0.1" and source.address != "::1" ] [registry where process.name : "explorer.exe" and registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\Current Version\\Explorer\\RunMRU\\*") and registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*") ] [process where event.type in ("start", "process_started") and (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and not process.name : "conhost.exe" ]
-
- Version 2 (7.12.0 release)
-
- Formatting only