Name:Windows RDP File Execution id:0b6b12b9-8ba9-48fe-b3b8-b4e3e1cd22b4 version:1 date:2024-11-21 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic detects when a Windows RDP client attempts to execute an RDP file from a temporary directory, downloads directory, or Outlook directories. This detection is significant as it can indicate an attempt for an adversary to deliver a .rdp file, which may be leveraged by attackers to control or exfiltrate data. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further lateral movement within the network. Data_source:
-Sysmon EventID 1
-Windows Event Log Security 4688
-CrowdStrike ProcessRollup2
search:| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*\\AppData\\Local\\Temp\\*", "*\\Olk\\Attachments\\*", "*\\AppData\\Local\\Microsoft\\Outlook\\*", "*\\Content.Outlook\\*", "*\\Downloads\\*") AND Processes.process="*.rdp*" by Processes.process Processes.process_name Processes.user Processes.dest Processes.parent_process_name Processes.parent_process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval execution_type=case( match(process, "\\\\Temp\\\\.*\\.(zip|7z|rar|cab|tgz|gz|tar|iso|img|vhd|vhdx).*\\.*\\.rdp"), "temp_archive_execution", match(process, "\\\\Downloads\\\\"), "downloads_execution", match(process, "\\\\Temp\\\\"), "temp_execution", match(process, "\\\\Microsoft\\\\Outlook\\\\"), "outlook_execution", match(process, "\\\\Olk\\\\Attachments\\\\"), "outlook_execution", match(process, "\\\\Content.Outlook\\\\"), "outlook_execution", true(), "other" ), risk_score=case( execution_type="temp_archive_execution", "Critical", execution_type IN ("temp_execution", "outlook_execution"), "High", execution_type="downloads_execution", "Medium", true(), "Low" ), risk_reason=case( execution_type="temp_archive_execution", "RDP file executed directly from archive/disk image in Temp directory", execution_type="downloads_execution", "RDP file executed from Downloads directory (Could be legitimate admin activity)", execution_type="temp_execution", "RDP file executed from Temp directory", execution_type="outlook_execution", "RDP file executed from Outlook directories", true(), "Standard RDP file execution" ) | sort - risk_score | rename process_name as "RDP Process", parent_process_name as "Parent Process", process as "Command Line", user as "User", execution_type as "Execution Context", risk_score as "Risk Level", risk_reason as "Risk Details" | fields - parent_process | `windows_rdp_file_execution_filter`
how_to_implement:The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives:False positives may be present based on administrators using RDP files for legitimate purposes. Filter as needed. References: -https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Spearphishing Attachments' asset_type:Endpoint confidence:70 impact:60 message:A Windows RDP client attempted to execute an RDP file from a temporary directory, downloads directory, or Outlook directories on the endpoint $dest$. mitre_attack_id: - 'T1598.002' - 'T1021.001' observable: name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'process_guid' - 'process_name' - 'process' - 'parent_process_name' - 'parent_process' - 'user' risk_score:42 security_domain:endpoint cve:
