This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
Potential SharpRDP Behavior
editPotential SharpRDP Behavior
editIdentifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
edit/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */ sequence by host.id with maxspan=1m [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and network.direction == "incoming" and network.transport == "tcp" and source.address != "127.0.0.1" and source.address != "::1" ] [registry where process.name : "explorer.exe" and registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*") ] [process where event.type in ("start", "process_started") and (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and not process.name : "conhost.exe" ]
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
-
Sub-technique:
- Name: Remote Desktop Protocol
- ID: T1021.001
- Reference URL: https://attack.mitre.org/techniques/T1021/001/